Posted to dev@geronimo.apache.org by Rick McGuire <ri...@gmail.com> on 2005/12/07 17:37:17 UTC

SMTP Authentication

I've been looking at the issues of doing SMTP authentication, and after 
reading the SMTP spec, started coding up a solution using the Java Sasl 
API, which was doing most of the heavy lifting for me.  This morning, 
however, I finally noticed the critical words in the Sasl 
Javadoc...."since Java 1.5".  Since we're not in a position to support 
Java 1.5 yet, that definitely tossed a speed bump in my path. 

LOGIN and PLAIN authentication are pretty simple to do without Sasl, and 
I believe I can also figure out how to do CRAM-MD5.  Other forms of 
authentication are probably a bit beyond my current experience with 
crypto/security.  How sophisticated do we need to be with this?  Are 
LOGIN and PLAIN sufficient (combined with TLS support)?  Note that this 
question also applies to the POP3 and IMAP implementations, since they 
also use Sasl authentication mechanisms.

Rick

Re: SMTP Authentication

Posted by Dain Sundstrom <da...@iq80.com>.
The best comparison chart I could find on this is 
http://members.elysium.pl/brush/smtp-auth/server.html and it is from 23.10.2000, 
so about 5 years old.  Anyway, it looks like if we can get LOGIN, 
PLAIN, CRAM-MD5 and DIGEST-MD5 working with STARTTLS, we will have 
the basics covered.

-dain

Re: SMTP Authentication

Posted by "Alan D. Cabrera" <li...@toolazydogs.com>.

Cryptix seems to have an impl.  I haven't looked at it.


Regards,
Alan


Re: SMTP Authentication

Posted by Bilal Bhatti <bi...@neelo.com>.
On that note, what are the authentication requirements for IMAP?  I know
how to authenticate with SSLv3 and TLS, in addition to plain.  What are
the mechanisms we need to support?

bilal

-- bilal

-----
"We act as though comfort and luxury were the chief requirements of life,
when all that we need to make us happy is something to be enthusiastic
about." - Einstein


Re: SMTP Authentication

Posted by Rick McGuire <ri...@gmail.com>.
Sasl is the challenge/response algorithm for simple server 
authentication (Simple Authentication and Security Layer).  The SMTP 
spec on authentication defines everything in terms of SASL operations 
(http://www.networksorcery.com/enp/rfc/rfc2554.txt).  Even PLAIN and 
LOGIN are SASL operations.  The Java SASL API added in 5.0 provides a 
nice extendable framework for SASL operations with support for a lot 
more than the simple operations.  
http://java.sun.com/j2se/1.5.0/docs/guide/security/sasl/sasl-refguide.html.

Using the SASL APIs is very nice, as it would allow Geronimo to support 
almost anything a server would throw at us for free, as long as it was a 
mechanism supported by the security provider implementation. 

Anyway, I've got code for LOGIN and PLAIN already written, and am almost 
done with a CRAM-MD5 version.  This sounds like it will be sufficient 
for the short term.

Rick
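The three mechanisms Rick describes, as an added illustration (editor's example, not Geronimo's code): client-side responses for AUTH PLAIN (RFC 4616), AUTH LOGIN and AUTH CRAM-MD5 (RFC 2195) written against the Java 1.4 class library only, since neither javax.security.sasl (Java 5) nor java.util.Base64 (Java 8) is available there. HMAC-MD5 comes from javax.crypto.Mac, which the 1.4 JCE ships with; the Base64 codec is hand-rolled. The class and method names are the editor's choices; the CRAM-MD5 result is checked against the test vector published in RFC 2195.

```java
import java.io.ByteArrayOutputStream;
import java.io.UnsupportedEncodingException;
import java.security.GeneralSecurityException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * SMTP AUTH client responses for PLAIN, LOGIN and CRAM-MD5 without the
 * Java 5 SASL API.  Editor's illustration; not Geronimo javamail code.
 */
public class SmtpAuthResponses {

    private static final String B64 =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

    /** RFC 2045 Base64 with no line breaks, as SMTP AUTH expects on one line. */
    static String base64(byte[] in) {
        StringBuffer sb = new StringBuffer();
        for (int i = 0; i < in.length; i += 3) {
            int n = (in[i] & 0xff) << 16;
            if (i + 1 < in.length) n |= (in[i + 1] & 0xff) << 8;
            if (i + 2 < in.length) n |= (in[i + 2] & 0xff);
            sb.append(B64.charAt((n >> 18) & 0x3f));
            sb.append(B64.charAt((n >> 12) & 0x3f));
            sb.append(i + 1 < in.length ? B64.charAt((n >> 6) & 0x3f) : '=');
            sb.append(i + 2 < in.length ? B64.charAt(n & 0x3f) : '=');
        }
        return sb.toString();
    }

    /** Base64 decoder for the server's challenge; stops at '=' padding. */
    static byte[] base64Decode(String s) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        int buf = 0, bits = 0;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '=') break;
            int v = B64.indexOf(c);
            if (v < 0) continue;               // skip whitespace or stray characters
            buf = (buf << 6) | v;
            bits += 6;
            if (bits >= 8) {
                bits -= 8;
                out.write((buf >> bits) & 0xff);
                buf &= (1 << bits) - 1;        // keep only the unconsumed low bits
            }
        }
        return out.toByteArray();
    }

    /** AUTH PLAIN: base64(authzid NUL authcid NUL password), authzid left empty. */
    static String plainResponse(String user, String password)
            throws UnsupportedEncodingException {
        ByteArrayOutputStream msg = new ByteArrayOutputStream();
        msg.write(0);
        byte[] u = user.getBytes("UTF-8");
        msg.write(u, 0, u.length);
        msg.write(0);
        byte[] p = password.getBytes("UTF-8");
        msg.write(p, 0, p.length);
        return base64(msg.toByteArray());
    }

    /** AUTH LOGIN: the two replies to the server's "Username:" and "Password:" prompts. */
    static String[] loginResponses(String user, String password)
            throws UnsupportedEncodingException {
        return new String[] { base64(user.getBytes("UTF-8")),
                              base64(password.getBytes("UTF-8")) };
    }

    /** AUTH CRAM-MD5: base64(user SP lowercase-hex(HMAC-MD5(password, challenge))). */
    static String cramMd5Response(String user, String password, String base64Challenge)
            throws GeneralSecurityException, UnsupportedEncodingException {
        byte[] challenge = base64Decode(base64Challenge);
        Mac mac = Mac.getInstance("HmacMD5");
        mac.init(new SecretKeySpec(password.getBytes("UTF-8"), "HmacMD5"));
        byte[] digest = mac.doFinal(challenge);
        StringBuffer reply = new StringBuffer(user).append(' ');
        for (int i = 0; i < digest.length; i++) {
            int b = digest[i] & 0xff;
            if (b < 0x10) reply.append('0');
            reply.append(Integer.toHexString(b));
        }
        return base64(reply.toString().getBytes("UTF-8"));
    }

    public static void main(String[] args) throws Exception {
        // RFC 2195 section 2 test vector: user "tim", password "tanstaaftanstaaf",
        // and the server challenge exactly as printed in the RFC.
        String challenge = "PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+";
        String rfcReply = "dGltIGI5MTNhNjAyYzdlZGE3YTQ5NWI0ZTZlNzMzNGQzODkw";
        String got = cramMd5Response("tim", "tanstaaftanstaaf", challenge);
        System.out.println("CRAM-MD5 " + (got.equals(rfcReply) ? "matches RFC 2195" : "MISMATCH " + got));

        String plain = plainResponse("tim", "tanstaaftanstaaf");
        String[] login = loginResponses("tim", "tanstaaftanstaaf");
        System.out.println("PLAIN    " + plain);
        System.out.println("LOGIN    " + login[0] + " / " + login[1]);
        // Base64 is an encoding, not encryption: anyone reading the connection
        // recovers the password from the PLAIN or LOGIN reply.
        String decoded = new String(base64Decode(plain), "UTF-8");
        System.out.println("PLAIN reply decodes to the password: " + decoded.endsWith("tanstaaftanstaaf"));
    }
}
```

The last two lines of main are the reason Rick's "combined with TLS support" qualifier matters: PLAIN and LOGIN put the password on the wire in a reversible encoding, so a client should only offer them after STARTTLS has succeeded, and a server should only advertise them on a TLS-protected session. CRAM-MD5 keeps the password itself off the wire, but it obliges the server to hold the password in a form it can feed to HMAC, and the digest does nothing against an active attacker who can relay the challenge.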

Re: SMTP Authentication

Posted by Dain Sundstrom <da...@iq80.com>.
From my experience, most servers and clients are just using LOGIN 
and PLAIN with TLS sometimes.  I'm not very familiar with Sasl; can 
you explain how it fits into a mail client or server?

Thanks,

-dain
