IMAP Authentication Methods

The authentication methods are:

1. Plain Login: This is the typical “username / password” technique, using the LOGIN command by itself. This is similar to the simple scheme used in POP3, except that in IMAP4 one command is used to send both the user name and password. Since the command and parameters are sent in plain text, this is by far the least secure method of authentication and is not recommended by the standard unless some other means is used in conjunction.
   
   
2. TLS Login: This is a secure login where the Transport Layer Security (TLS) protocol is first enabled with the STARTTLS command, and then the LOGIN command can be used securely. Note that STARTTLS only causes the TLS negotiation to begin, and does not itself cause the IMAP client to be authenticated. Either LOGIN or AUTHENTICATE must still be used.
   
   
3. Negotiated Authentication Method: The AUTHENTICATE command allows the client and server to use any authentication scheme that they both support. The server may indicate which schemes it supports in response to a CAPABILITY command. After specifying the authentication mechanism to be used, the server and client exchange authentication information as required by the mechanism specified. This may require one or more additional lines of data to be sent.

In response to a LOGIN or AUTHENTICATE command, the server will send an “OK” message if the authentication was successful, and then transition to the Authenticated state. It will send a “NO” response if authentication failed due to incorrect information. The client can then try another method of authenticating, or terminate the session with the LOGOUT command.