Remove historic CRAM-MD5 mechanism

[Neustradamus]

Dear @PHPMailer team,

Can you remove old unsecure mechanisms?

• CRAM-MD5
• LOGIN

Note that LOGIN has been replaced by PLAIN.

20 November 2008: CRAM-MD5 to Historic:

• https://tools.ietf.org/html/draft-ietf-sasl-crammd5-to-historic-00

29 June 2017: CRAM-MD5 to Historic:

• https://tools.ietf.org/html/draft-zeilenga-luis140219-crammd5-to-historic-00

July 2011: RFC6331: Moving DIGEST-MD5 to Historic:

• https://tools.ietf.org/html/rfc6331

August 2021: RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2:
"Replaced DIGEST-MD5 SASL mechanism with SCRAM-SHA-256. DIGEST-MD5 was deprecated."

• https://tools.ietf.org/html/rfc9051

I add same about SCRAM-MD5.

There are now:

• July 2010: RFC5802: Salted Challenge Response Authentication Mechanism (SCRAM): SASL and GSS-API Mechanisms: https://tools.ietf.org/html/rfc5802 (SCRAM-SHA-1 and SCRAM-SHA-1-PLUS)
• July 2010: RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted: Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803
• November 2015: RFC7677: SCRAM-SHA-256 and SCRAM-SHA-256-PLUS: Simple Authentication and Security Layer (SASL) Mechanisms: https://tools.ietf.org/html/rfc7677

Soon:

• SCRAM-SHA-512(-PLUS): https://tools.ietf.org/html/draft-melnikov-scram-sha-512
• SCRAM-SHA3-512(-PLUS): https://tools.ietf.org/html/draft-melnikov-scram-sha3-512

[Synchro]

1. No.
2. PHPMailer has no control whatsoever over what authentication algorithms are offered by servers.
3. What you propose will result in worse rather than better security. This is email, not http.
4. Modern auth is pretty much covered by XOAUTH2, ugly as it may be, and there is little advantage to any of them in the presence of TLS.
5. All that said, if you would like to support new auth options, PRs would be very welcome.