geronimo-dev mailing list archives

From "Alan D. Cabrera" <l...@toolazydogs.com>
Subject Re: SMTP Authentication
Date Thu, 15 Dec 2005 23:00:06 GMT

Cryptix seems to have an impl.  I haven't looked at it.


Regards,
Alan

Rick McGuire wrote, On 12/7/2005 9:45 AM:
> Sasl is the challenge/response algorithm for simple server
> authentication (Simple Authentication and Security Layer).  The SMTP
> spec on authentication defines everything in terms of SASL operations
> (http://www.networksorcery.com/enp/rfc/rfc2554.txt).  Even PLAIN and
> LOGIN are SASL operations.  The Java SASL API added in 5.0 provides a
> nice extendable framework for SASL operations with support for a lot
> more than the simple operations. 
> http://java.sun.com/j2se/1.5.0/docs/guide/security/sasl/sasl-refguide.html.
> 
> Using the SASL APIs is very nice, as it would allow Geronimo to support
> almost anything a server would throw at us for free, as long as it was a
> mechanism supported by the security provider implementation.
> Anyway, I've got code for LOGIN and PLAIN already written, and am almost
> done with a CRAM-MD5 version.  This sounds like it will be sufficient
> for the short term.
> 
> Rick
> 
> Dain Sundstrom wrote:
> 
>> From my experience, most servers and clients are just using LOGIN and
>> PLAIN with TLS sometimes.  I'm not very familiar with Sasl; can you
>> explain how it fits into a mail client or server?
>>
>> Thanks,
>>
>> -dain
>>
>> On Dec 7, 2005, at 8:37 AM, Rick McGuire wrote:
>>
>>> I've been looking at the issues of doing SMTP authentication, and after
>>> reading the SMTP spec, started coding up a solution using the Java
>>> Sasl API, which was doing most of the heavy lifting for me.  This
>>> morning, however, I finally noticed the critical words in the Sasl
>>> Javadoc...."since Java 1.5".  Since we're not in a position to
>>> support Java 1.5 yet, that definitely tossed a speed bump in my path.
>>> LOGIN and PLAIN authentication are pretty simple to do without Sasl,
>>> and I believe I can also figure out how to do CRAM_MD5.  Other forms
>>> of authentication are probably a bit beyond my current experience
>>> with crypto/security.  How sophisticated do we need to be with
>>> this?  Are LOGIN and PLAIN sufficient (combined with TLS support)?
>>> Note that this question also applies to the POP3 and IMAP
>>> implementations, since they also use Sasl authentication mechanisms.
>>>
>>> Rick
>>
>>
>>
>>

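Added example, not part of the original thread and not Geronimo's code: the client responses for the three mechanisms discussed above (PLAIN, LOGIN, CRAM-MD5), built without the javax.security.sasl API, to show what each one puts on the wire and why PLAIN and LOGIN depend on TLS. The class and method names are hypothetical, and java.util.Base64 is an assumption that requires a newer JDK than the ones discussed in the thread; the sample user, secret and challenge are the ones from the RFC 2195 example exchange.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example: client responses for AUTH PLAIN, LOGIN and CRAM-MD5,
// built without javax.security.sasl. Class and method names are hypothetical.
public class SmtpAuthResponses {
    private static String b64(byte[] raw) {
        return Base64.getEncoder().encodeToString(raw);
    }

    // PLAIN: base64("authzid NUL authcid NUL password"); authzid left empty here.
    static String plain(String user, String password) {
        return b64(("\0" + user + "\0" + password).getBytes(StandardCharsets.UTF_8));
    }

    // LOGIN: user name and password are sent as two separate base64 lines.
    static String[] login(String user, String password) {
        return new String[] {
            b64(user.getBytes(StandardCharsets.UTF_8)),
            b64(password.getBytes(StandardCharsets.UTF_8)) };
    }

    // CRAM-MD5: base64(user SP lowercase-hex(HMAC-MD5(key=password, msg=challenge))).
    static String cramMd5(String user, String password, String b64Challenge) throws Exception {
        byte[] challenge = Base64.getDecoder().decode(b64Challenge);
        Mac mac = Mac.getInstance("HmacMD5");
        mac.init(new SecretKeySpec(password.getBytes(StandardCharsets.UTF_8), "HmacMD5"));
        StringBuilder hex = new StringBuilder();
        for (byte b : mac.doFinal(challenge)) {
            hex.append(String.format("%02x", b));
        }
        return b64((user + " " + hex).getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Sample values from the RFC 2195 example exchange.
        String user = "tim", secret = "tanstaaftanstaaf";
        String challenge = "PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+";
        System.out.println("PLAIN    " + plain(user, secret));
        String[] l = login(user, secret);
        System.out.println("LOGIN    " + l[0] + " / " + l[1]);
        // Password is recoverable from PLAIN and LOGIN by base64-decoding alone.
        System.out.println("decoded  " + new String(Base64.getDecoder().decode(l[1]), StandardCharsets.UTF_8));
        System.out.println("CRAM-MD5 " + cramMd5(user, secret, challenge));
    }
}
```

The CRAM-MD5 response never contains the password itself, only a keyed digest over the server's one-time challenge, whereas the PLAIN and LOGIN responses are reversible encodings.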

