Index: sx/sasl_cyrus.c
===================================================================
--- sx/sasl_cyrus.c	(revision 349)
+++ sx/sasl_cyrus.c	(working copy)
@@ -745,7 +745,7 @@
 /** process handshake packets from the client */
 static void _sx_sasl_client_process(sx_t s, sx_plugin_t p, char *mech, char *in, int inlen) {
     _sx_sasl_data_t sd = (_sx_sasl_data_t) s->plugin_data[p->index];
-    char *buf, *out;
+    char *buf = NULL, *out = NULL;
     int buflen, outlen, ret;
 
     /* decode the response */
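Review bot: `buflen` and `outlen` on the following declaration line stay indeterminate while only the two pointers gain an initialiser. The early-return branch this commit adds further down passes `buflen` as the precision of `%.*s`, so if the decode call can return without setting it (its contract is not visible here), the debug line reads an indeterminate `int` next to a NULL `buf`. Initialising the lengths as well closes that gap: `int buflen = 0, outlen = 0, ret;`. The function body continues outside the hunk.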
@@ -760,8 +760,15 @@
     /* process the data */
     if(mech != NULL)
         ret = sasl_server_start(sd->sasl, mech, buf, buflen, (const char **) &out, &outlen);
-    else
+    else {
+        if(!sd->sasl) {
+            _sx_debug(ZONE, "response send before auth request enabling mechanism (decoded: %.*s)", buflen, buf);
+            _sx_nad_write(s, _sx_sasl_failure(s, _sasl_err_MECH_TOO_WEAK), 0);
+            if(buf != NULL) free(buf);
+            return;
+        }
         ret = sasl_server_step(sd->sasl, buf, buflen, (const char **) &out, &outlen);
+    }
 
     if(buf != NULL) free(buf);
 
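Review bot: The new `_sx_debug` line in the `!sd->sasl` branch prints the decoded client payload with `%.*s`, which puts bytes from an unauthenticated peer (possibly credential material, possibly control characters) into the debug log; the identical line is added in sx/sasl_gsasl.c and sx/sasl_scod.c. Logging only the length keeps the diagnostic without the payload, e.g. `_sx_debug(ZONE, "response sent before auth request (%d bytes)", buflen);`. Separately, `_sasl_err_MECH_TOO_WEAK` reads as a policy rejection of a chosen mechanism, while here no mechanism was chosen at all; the branch this commit removes from sx/sasl_gsasl.c reported `_sasl_err_MALFORMED_REQUEST`, which looks like the closer fit in all three files. The function body continues outside the hunk.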
Index: sx/sasl_gsasl.c
===================================================================
--- sx/sasl_gsasl.c	(revision 351)
+++ sx/sasl_gsasl.c	(working copy)
@@ -349,16 +349,14 @@
     else {
         /* decode and process */
         _sx_sasl_decode(in, inlen, &buf, &buflen);
-        _sx_debug(ZONE, "response from client (decoded: %.*s)", buflen, buf);
-        ret = gsasl_step(sd, buf, buflen, &out, (size_t *) &outlen);
-        if(ret != GSASL_OK && ret != GSASL_NEEDS_MORE) {
-            _sx_debug(ZONE, "gsasl_step failed, no sasl for this conn; (%d): %s", ret, gsasl_strerror(ret));
-            _sx_nad_write(s, _sx_sasl_failure(s, _sasl_err_MALFORMED_REQUEST), 0);
-            if(out != NULL) free(out);
+        if(!sd) {
+            _sx_debug(ZONE, "response send before auth request enabling mechanism (decoded: %.*s)", buflen, buf);
+            _sx_nad_write(s, _sx_sasl_failure(s, _sasl_err_MECH_TOO_WEAK), 0);
             if(buf != NULL) free(buf);
             return;
         }
-
+        _sx_debug(ZONE, "response from client (decoded: %.*s)", buflen, buf);
+        ret = gsasl_step(sd, buf, buflen, &out, (size_t *) &outlen);
     }
 
     if(buf != NULL) free(buf);
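Review bot: With the `ret != GSASL_OK && ret != GSASL_NEEDS_MORE` branch gone, a failed `gsasl_step` is no longer rejected inside this `else` block, and the `free(out)` it performed is dropped with it. If the code after the hunk does not handle every other `ret` value and release `out`, a failing step now leaks or falls through; that code is outside the hunk, so this needs confirming. Also, `(size_t *) &outlen` lets `gsasl_step` store a `size_t` through what is presumably an `int` (as declared in sx/sasl_cyrus.c), which overruns the variable on LP64 targets. A local `size_t` copied back after the call avoids that, e.g. `size_t n = 0; ret = gsasl_step(sd, buf, buflen, &out, &n); outlen = (int) n;`.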
Index: sx/sasl_scod.c
===================================================================
--- sx/sasl_scod.c	(revision 349)
+++ sx/sasl_scod.c	(working copy)
@@ -258,10 +258,15 @@
     }
 
     else {
-        _sx_debug(ZONE, "response from client");
-
         /* decode and process */
         _sx_sasl_decode(in, inlen, &buf, &buflen);
+        if(!sd) {
+            _sx_debug(ZONE, "response send before auth request enabling mechanism (decoded: %.*s)", buflen, buf);
+            _sx_nad_write(s, _sx_sasl_failure(s, _sasl_err_MECH_TOO_WEAK), 0);
+            if(buf != NULL) free(buf);
+            return;
+        }
+        _sx_debug(ZONE, "response from client (decoded: %.*s)", buflen, buf);
         ret = scod_server_step(sd, buf, buflen, &out, &outlen);
     }
 
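Review bot: The rewritten `response from client (decoded: %.*s)` message now writes every client's decoded SASL response to the debug log on the normal path, where the old line only recorded that a response arrived. Whether that payload is sensitive depends on the mechanism, which is not visible here, so I would keep the payload-free wording or log the size instead: `_sx_debug(ZONE, "response from client (%d bytes)", buflen);`. The enclosing function starts and ends outside the hunk.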
