2.2.23 [RFC3501] Section 6.2.2, AUTHENTICATE Command

V0030:

The specification states: "If the server supports the requested authentication mechanism, it performs an authentication protocol exchange to authenticate and identify the client. It MAY also negotiate an OPTIONAL security layer for subsequent protocol interactions."

Microsoft Office Outlook 2007, Microsoft Outlook 2010, Microsoft Outlook 2013, Microsoft Outlook 2016, Microsoft Outlook 2019

Outlook does not negotiate the optional security layer as part of the AUTHENTICATE exchange.

E0001:

The specification states that the client is not required to implement any authentication mechanisms other than the PLAIN authentication mechanism.

Office Outlook 2007, Outlook 2010, Outlook 2013, Outlook 2016, Outlook 2019

In addition to the PLAIN authentication mechanism, Outlook implements the following authentication mechanisms:

  • NTLM

  • DIGEST-MD5

V0031:

The specification states: "A server implementation MUST implement a configuration in which it does NOT permit any plaintext password mechanisms, unless either the STARTTLS command has been negotiated or some other mechanism that protects the session from password snooping has been provided."

Office Outlook 2007, Outlook 2010, Outlook 2013, Outlook 2016, Outlook 2019

Outlook does not require that the session be protected against password snooping (for example, by a negotiated STARTTLS session) before it uses a plaintext password mechanism.

E0002:

The specification states that the client SHOULD implement additional SASL mechanisms that do not use plaintext passwords.

Office Outlook 2007, Outlook 2010, Outlook 2013, Outlook 2016, Outlook 2019

For more details, see E0001 in this section.

V0032:

The specification states: "The server SHOULD list its supported authentication mechanisms in the response to the CAPABILITY command so that the client knows which authentication mechanisms to use."

Office Outlook 2007, Outlook 2010, Outlook 2013, Outlook 2016, Outlook 2019

Outlook uses only authentication mechanisms that are advertised by the server. If the server does not advertise any authentication mechanisms, then Outlook uses the LOGIN command.

V0033:

The specification states: "A server MAY include a CAPABILITY response code in the tagged OK response of a successful AUTHENTICATE command in order to send capabilities automatically. It is unnecessary for a client to send a separate CAPABILITY command if it recognizes these automatic capabilities."

Office Outlook 2007, Outlook 2010, Outlook 2013, Outlook 2016, Outlook 2019

Outlook sends a CAPABILITY command regardless of whether it receives a CAPABILITY response code in response to a successful AUTHENTICATE command.

V0034:

The specification states: "If an AUTHENTICATE command fails with a NO response, the client MAY try another authentication mechanism by issuing another AUTHENTICATE command. It MAY also attempt to authenticate by using the LOGIN command. In other words, the client MAY request authentication types in decreasing order of preference, with the LOGIN command as a last resort."

Office Outlook 2007, Outlook 2010, Outlook 2013, Outlook 2016, Outlook 2019

Depending on user- or administrator-provided policies, Outlook successively tries decreasingly strong authentication methods until it finds one that works. If no authentication method works, Outlook uses the LOGIN command to authenticate.

Outlook also uses the LOGIN command to authenticate when the server does not advertise any authentication mechanisms and the LOGIN command is not disabled by user or administrator policy.
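The following is an added example, written for this page and not taken from Outlook or from the [MS-STANOIMAP] document, that puts the client-side behavior described in V0031 through V0034 into working code: the client parses the server's CAPABILITY list (either the untagged response or the CAPABILITY response code in a tagged OK), uses only advertised AUTH= mechanisms in decreasing order of strength, falls back to the LOGIN command as a last resort, and can skip the separate CAPABILITY command after AUTHENTICATE when the response code is present. The preference order NTLM, DIGEST-MD5, PLAIN is an assumption for the example (the page only says Outlook tries "decreasingly strong" methods), the handling of the LOGINDISABLED capability from RFC 2595 is an addition not mentioned on this page, and the require_protection policy is the hardened counterpart to the V0031 behavior: it refuses to send a plaintext password over a session that has not been protected. All server responses in the example are constructed.

```python
import re

# Client preference order, strongest first (assumption for this example).
PREFERENCE = ("NTLM", "DIGEST-MD5", "PLAIN")
# Mechanisms that send the password in the clear; base64 is not protection.
PLAINTEXT = {"PLAIN", "LOGIN"}

CAP_CODE = re.compile(r"\[CAPABILITY ([^\]]*)\]")


def parse_capabilities(line):
    """Extract capability atoms from an untagged '* CAPABILITY ...' response
    or from a '[CAPABILITY ...]' response code inside a tagged OK.
    Returns None when the line carries no capability list."""
    if line.startswith("* CAPABILITY "):
        atoms = line[len("* CAPABILITY "):]
    else:
        m = CAP_CODE.search(line)
        if not m:
            return None
        atoms = m.group(1)
    return [a.upper() for a in atoms.split()]


def advertised_mechanisms(caps):
    """SASL mechanisms the server advertised as AUTH=<name> atoms."""
    return [c[len("AUTH="):] for c in caps if c.startswith("AUTH=")]


def plan_authentication(caps, session_protected, login_allowed=True,
                        require_protection=True):
    """Build the ordered list of authentication attempts the client will make.

    caps               -- atoms from parse_capabilities()
    session_protected  -- True once STARTTLS (or an implicit TLS wrapper) is up
    login_allowed      -- client policy: may the LOGIN command be used at all?
    require_protection -- hardened policy (assumption, not Outlook behavior):
                          never send a plaintext password over an unprotected
                          session

    Each attempt is ("AUTHENTICATE", mechanism) or ("LOGIN", None).
    """
    advertised = set(advertised_mechanisms(caps))
    unprotected = require_protection and not session_protected
    attempts = []
    for mech in PREFERENCE:                 # decreasing strength (V0034)
        if mech not in advertised:          # only advertised mechanisms (V0032)
            continue
        if mech in PLAINTEXT and unprotected:
            continue
        attempts.append(("AUTHENTICATE", mech))
    # LOGIN is the last resort: used when nothing is advertised or when every
    # AUTHENTICATE attempt fails. LOGINDISABLED (RFC 2595) is honoured as well.
    if login_allowed and "LOGINDISABLED" not in caps and not unprotected:
        attempts.append(("LOGIN", None))
    return attempts


def needs_capability_command(tagged_ok_line):
    """V0033: a client that recognises the CAPABILITY response code in the
    tagged OK of a successful AUTHENTICATE can skip a separate CAPABILITY."""
    return parse_capabilities(tagged_ok_line) is None


def authenticate(caps, session_protected, server_accepts, **policy):
    """Walk the plan against a constructed server that answers NO to every
    mechanism not in `server_accepts` (use "LOGIN" for the LOGIN command).
    Returns the attempt that succeeded, or None if all were rejected."""
    for command, mech in plan_authentication(caps, session_protected, **policy):
        if (mech or command) in server_accepts:
            return (command, mech)
    return None


if __name__ == "__main__":
    # Constructed server responses for illustration.
    greeting = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=NTLM AUTH=DIGEST-MD5 AUTH=PLAIN"
    caps = parse_capabilities(greeting)
    print("before STARTTLS:", plan_authentication(caps, session_protected=False))
    print("after STARTTLS: ", plan_authentication(caps, session_protected=True))
    print("V0031-style:    ", plan_authentication(caps, False, require_protection=False))
    print("nothing advertised:",
          plan_authentication(parse_capabilities("* CAPABILITY IMAP4rev1"), True))
    print("CAPABILITY needed after AUTHENTICATE:",
          needs_capability_command("A001 OK [CAPABILITY IMAP4rev1 IDLE] Authenticated"))
```

With require_protection left at its default, the plan for an unprotected session contains no PLAIN attempt and no LOGIN fallback, so the client would negotiate STARTTLS first or fail closed; passing require_protection=False reproduces the behavior the V0031 note describes, where the plaintext mechanisms are attempted regardless of session protection.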