geronimo-dev mailing list archives

From "Bilal Bhatti" <bi...@neelo.com>
Subject Re: SMTP Authentication
Date Wed, 07 Dec 2005 18:18:23 GMT
On that note, what are the authentication requirements for IMAP? I know
how to authenticate with SSLv3 and TLS, in addition to plain. What are
the mechanisms we need to support?

bilal

> Sasl is the challenge/response algorithm for simple server
> authentication (Simple Authentication and Security Layer).  The SMTP
> spec on authentication defines everything in terms of SASL operations
> (http://www.networksorcery.com/enp/rfc/rfc2554.txt).  Even PLAIN and
> LOGIN are SASL operations.  The Java SASL API added in 5.0 provides a
> nice extendable framework for SASL operations with support for a lot
> more than the simple operations.
> http://java.sun.com/j2se/1.5.0/docs/guide/security/sasl/sasl-refguide.html.
>
> Using the SASL APIs is very nice, as it would allow Geronimo to support
> almost anything a server would throw at us for free, as long as it was a
> mechanism supported by the security provider implementation.
>
> Anyway, I've got code for LOGIN and PLAIN already written, and am almost
> done with a CRAM-MD5 version.  This sounds like it will be sufficient
> for the short term.
>
> Rick
>
> Dain Sundstrom wrote:
>
>> From my experience, most servers and clients are just using LOGIN and
>> PLAIN with TLS sometimes.  I'm not very familiar with Sasl; can you
>> explain how it fits into a mail client or server?
>>
>> Thanks,
>>
>> -dain
>>
>> On Dec 7, 2005, at 8:37 AM, Rick McGuire wrote:
>>
>>> I've been looking at the issues of doing SMTP authentication, and after
>>> reading the SMTP spec, started coding up a solution using the Java
>>> Sasl API, which was doing most of the heavy lifting for me.  This
>>> morning, however, I finally noticed the critical words in the Sasl
>>> Javadoc...."since Java 1.5".  Since we're not in a position to
>>> support Java 1.5 yet, that definitely tossed a speed bump in my path.
>>> LOGIN and PLAIN authentication are pretty simple to do without Sasl,
>>> and I believe I can also figure out how to do CRAM_MD5.  Other forms
>>> of authentication are probably a bit beyond my current experience
>>> with crypto/security.  How sophisticated do we need to be with
>>> this?  Are LOGIN and PLAIN sufficient (combined with TLS support)?
>>> Note that this question also applies to the POP3 and IMAP
>>> implementations, since they also use Sasl authentication mechanisms.
>>>
>>> Rick
>>
>>
>>
>


-- bilal

-----
"We act as though comfort and luxury were the chief requirements of life,
when all that we need to make us happy is something to be enthusiastic
about." - Einstein
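
Added example, not part of the original message or of Geronimo's code: the PLAIN and CRAM-MD5 client responses discussed in the thread, computed by hand with `javax.crypto.Mac` rather than the `javax.security.sasl` API. The class and method names are hypothetical, and `java.util.Base64` (Java 8+) is assumed for brevity; the pre-1.5 target mentioned above would need its own Base64 codec. The sample challenge and credentials are the ones from the example exchange in RFC 2195.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** SASL PLAIN and CRAM-MD5 client responses built without javax.security.sasl (hypothetical helper). */
public class SmtpAuthResponses {

    /** PLAIN (RFC 4616): base64(authzid NUL authcid NUL password), authzid left empty. */
    static String plain(String user, String password) {
        // The password is only base64-encoded, not protected: send this over TLS only.
        String msg = "\0" + user + "\0" + password;
        return Base64.getEncoder().encodeToString(msg.getBytes(StandardCharsets.UTF_8));
    }

    /** CRAM-MD5 (RFC 2195): base64(user SP hex(HMAC-MD5(key = password, data = challenge))). */
    static String cramMd5(String user, String password, String base64Challenge) throws Exception {
        byte[] challenge;
        try {
            // The server sends the challenge base64-encoded after the "334 " reply code.
            challenge = Base64.getDecoder().decode(base64Challenge.trim());
        } catch (IllegalArgumentException e) {
            throw new IllegalArgumentException("server challenge is not valid base64", e);
        }
        if (challenge.length == 0) {
            throw new IllegalArgumentException("empty challenge");
        }
        Mac mac = Mac.getInstance("HmacMD5");
        mac.init(new SecretKeySpec(password.getBytes(StandardCharsets.UTF_8), "HmacMD5"));
        StringBuilder hex = new StringBuilder();
        for (byte b : mac.doFinal(challenge)) {
            hex.append(String.format("%02x", b));   // lowercase hex, as the spec requires
        }
        String reply = user + " " + hex;
        return Base64.getEncoder().encodeToString(reply.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Challenge and credentials taken from the sample exchange in RFC 2195.
        String challenge = "PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+";
        String reply = cramMd5("tim", "tanstaaftanstaaf", challenge);
        System.out.println("CRAM-MD5 reply line: " + reply);
        System.out.println("decoded:             "
                + new String(Base64.getDecoder().decode(reply), StandardCharsets.UTF_8));
        System.out.println("AUTH PLAIN " + plain("tim", "tanstaaftanstaaf"));
    }
}
```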

