If the server is configured to reject unauthenticated requests, then attackers would either need to legitimate access to an account in the server, or they would need to somehow obtain credentials for a valid account.

The global configuration makes it easy to reject requests from unauthenticated clients through the following properties:

reject-unauthenticated-requests
Indicates whether the server rejects requests from unauthenticated clients, including clients that have not yet authenticated, clients whose most recent authentication attempt failed, or clients whose most recent authentication attempt was an anonymous bind.
allowed-unauthenticated-requests-criteria
Specifies an optional set of criteria used to indicate that certain operations are allowed over an unauthenticated connection.

Even if reject-unauthenticated-requests is true, then the server allows a small number of requests from unauthenticated connections. These include:

  • Bind requests, which are used to authenticate connections.
  • StartTLS extended requests, which are used to add TLS encryption to initially insecure connections.
  • The start administrative session extended request, which is used to indicate that subsequent operations are part of an administrative session. When it is used, this should be the first operation on the connection, even before bind and StartTLS operations. There is no inherent security risk in allowing this for unauthenticated clients.

If any other types of requests should be allowed for unauthenticated clients, then the allowed-unauthenticated-requests-criteria property should be used to define criteria that matches only those operations.