geronimo-dev mailing list archives

From Rick McGuire <rick...@gmail.com>
Subject Re: SMTP Authentication
Date Wed, 07 Dec 2005 17:45:20 GMT
Sasl is the challenge/response algorithm for simple server 
authentication (Simple Authentication and Security Layer).  The SMTP 
spec on authentication defines everything in terms of SASL operations 
(http://www.networksorcery.com/enp/rfc/rfc2554.txt).  Even PLAIN and 
LOGIN are SASL operations.  The Java SASL API added in 5.0 provides a 
nice extendable framework for SASL operations with support for a lot 
more than the simple operations.  
http://java.sun.com/j2se/1.5.0/docs/guide/security/sasl/sasl-refguide.html.

Using the SASL APIs is very nice, as it would allow Geronimo to support 
almost anything a server would throw at us for free, as long as it was a 
mechanism supported by the security provider implementation. 

Anyway, I've got code for LOGIN and PLAIN already written, and am almost 
done with a CRAM-MD5 version.  This sounds like it will be sufficient 
for the short term.

Rick

Dain Sundstrom wrote:

> From my experience, most servers and clients are just using LOGIN  and 
> PLAIN with TLS sometimes.  I'm not very familiar with Sasl; can  you 
> explain how it fits into a mail client or server?
>
> Thanks,
>
> -dain
>
> On Dec 7, 2005, at 8:37 AM, Rick McGuire wrote:
>
>> I've been looking at the issues of doing SMTP authentication, and after 
>> reading the SMTP spec, started coding up a solution using the Java 
>> Sasl API, which was doing most of the heavy lifting for me.  This 
>> morning, however, I finally noticed the critical words in the Sasl 
>> Javadoc...."since Java 1.5".  Since we're not in a position to 
>> support Java 1.5 yet, that definitely tossed a speed bump in my path.
>> LOGIN and PLAIN authentication are pretty simple to do without Sasl, 
>> and I believe I can also figure out how to do CRAM-MD5.  Other forms 
>> of authentication are probably a bit beyond my current experience 
>> with crypto/security.  How sophisticated do we need to be with 
>> this?  Are LOGIN and PLAIN sufficient (combined with TLS support)?  
>> Note that this question also applies to the POP3 and IMAP 
>> implementations, since they also use Sasl authentication mechanisms.
>>
>> Rick
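The PLAIN and CRAM-MD5 mechanisms discussed in this thread, worked through on both the client and the server side as an added example; this is not Geronimo's code and is written in Python rather than Java so it can be run directly. The user name, password and CRAM-MD5 challenge are constructed sample values.

```python
import base64
import hmac
import hashlib
from typing import Callable, List, Optional, Tuple

# Constructed sample credentials and a constructed CRAM-MD5 challenge
# (a real server generates a fresh "<pid.timestamp@hostname>" per session).
USER = "alice"
PASSWORD = "s3cret"
CHALLENGE = b"<1896.697170952@postoffice.example.org>"


def plain_initial_response(authcid: str, password: str, authzid: str = "") -> str:
    """Client side of AUTH PLAIN (RFC 2595): base64 of authzid NUL authcid NUL password.
    The password itself crosses the wire, so PLAIN is only safe under TLS."""
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def plain_decode(response_b64: str) -> Tuple[str, str, str]:
    """Server side of PLAIN: split the decoded response into its three NUL-separated fields."""
    parts = base64.b64decode(response_b64).decode("utf-8").split("\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN response")
    return parts[0], parts[1], parts[2]


def cram_md5_response(user: str, password: str, challenge_b64: str) -> str:
    """Client side of CRAM-MD5 (RFC 2195): HMAC-MD5 of the server's challenge keyed with the
    password, sent as "user hexdigest". Only the digest crosses the wire, never the password."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode("ascii")).decode("ascii")


def cram_md5_verify(response_b64: str, challenge: bytes,
                    lookup_password: Callable[[str], Optional[str]]) -> bool:
    """Server side of CRAM-MD5: recompute the digest from the stored secret and compare in
    constant time. Note the server needs the password in recoverable form, not a salted hash."""
    try:
        user, digest = base64.b64decode(response_b64).decode("ascii").split(" ", 1)
    except ValueError:
        return False
    password = lookup_password(user)
    if password is None:
        return False
    expected = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def smtp_auth_exchange() -> List[str]:
    """The AUTH CRAM-MD5 dialogue as it appears on the SMTP connection (C: client, S: server)."""
    challenge_b64 = base64.b64encode(CHALLENGE).decode("ascii")
    lines = ["C: AUTH CRAM-MD5", f"S: 334 {challenge_b64}"]
    response = cram_md5_response(USER, PASSWORD, challenge_b64)
    lines.append(f"C: {response}")
    ok = cram_md5_verify(response, CHALLENGE, lambda u: PASSWORD if u == USER else None)
    lines.append("S: 235 Authentication successful" if ok else "S: 535 Authentication failed")
    return lines
```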

