geronimo-dev mailing list archives

From Dain Sundstrom <d...@iq80.com>
Subject Re: SMTP Authentication
Date Wed, 07 Dec 2005 19:02:55 GMT
The best comparison chart I could find on this is
http://members.elysium.pl/brush/smtp-auth/server.html and it is from 23.10.2000,
so about 5 years old.  Anyway, it looks like if we can get LOGIN,
PLAIN, CRAM-MD5 and DIGEST-MD5 working with STARTTLS, we will have
the basics covered.

-dain

On Dec 7, 2005, at 9:45 AM, Rick McGuire wrote:

> SASL is the challenge/response algorithm for simple server
> authentication (Simple Authentication and Security Layer).  The
> SMTP spec on authentication defines everything in terms of SASL
> operations (http://www.networksorcery.com/enp/rfc/rfc2554.txt).
> Even PLAIN and LOGIN are SASL operations.  The Java SASL API added
> in 5.0 provides a nice extendable framework for SASL operations
> with support for a lot more than the simple operations.
> http://java.sun.com/j2se/1.5.0/docs/guide/security/sasl/sasl-refguide.html.
>
> Using the SASL APIs is very nice, as it would allow Geronimo to
> support almost anything a server would throw at us for free, as
> long as it was a mechanism supported by the security provider
> implementation.
> Anyway, I've got code for LOGIN and PLAIN already written, and am
> almost done with a CRAM-MD5 version.  This sounds like it will be
> sufficient for the short term.
>
> Rick
>
> Dain Sundstrom wrote:
>
>> From my experience, most servers and clients are just using LOGIN
>> and PLAIN with TLS sometimes.  I'm not very familiar with SASL;
>> can you explain how it fits into a mail client or server?
>>
>> Thanks,
>>
>> -dain
>>
>> On Dec 7, 2005, at 8:37 AM, Rick McGuire wrote:
>>
>>> I've been looking at the issues of doing SMTP authentication, and
>>> after reading the SMTP spec, started coding up a solution using
>>> the Java SASL API, which was doing most of the heavy lifting for
>>> me.  This morning, however, I finally noticed the critical words
>>> in the SASL Javadoc...."since Java 1.5".  Since we're not in a
>>> position to support Java 1.5 yet, that definitely tossed a speed
>>> bump in my path.
>>> LOGIN and PLAIN authentication are pretty simple to do without
>>> SASL, and I believe I can also figure out how to do CRAM-MD5.
>>> Other forms of authentication are probably a bit beyond my
>>> current experience with crypto/security.  How sophisticated do
>>> we need to be with this?  Are LOGIN and PLAIN sufficient
>>> (combined with TLS support)?  Note that this question also
>>> applies to the POP3 and IMAP implementations, since they also
>>> use SASL authentication mechanisms.
>>>
>>> Rick
>>
>>
>>
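
The three mechanisms the thread settles on (PLAIN, LOGIN and CRAM-MD5) are small enough to verify on the server side without a SASL framework, which is the situation Rick describes for a pre-1.5 JVM. The following is an added example written for this archive page; it is not code from the thread or from Geronimo, and it is in Python rather than Java so the wire formats can be checked on their own. The credential store, host name and function names are constructed for the example; the caller is assumed to handle the SMTP framing (the 334 continuation lines and the 235/535 results). The CRAM-MD5 test vector is the one published in RFC 2195.

```python
"""Server-side verification of SMTP AUTH PLAIN, LOGIN and CRAM-MD5 (RFC 2554,
RFC 2595, RFC 2195) with no SASL library.  Added example, not Geronimo code."""
import base64
import binascii
import hashlib
import hmac
import os
import time

# Constructed credential store.  CRAM-MD5 needs the secret in recoverable
# form on the server, which is its main operational cost compared with a
# salted hash; PLAIN and LOGIN would work with a hashed store as well.
CREDENTIALS = {"alice": "s3cret", "tim": "tanstaaftanstaaf"}


def _b64decode_utf8(text):
    """Decode one base64 line from the client into text; None if malformed."""
    try:
        return base64.b64decode(text.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def _check_password(user, password, creds):
    """Constant-time comparison against the stored secret for this user."""
    stored = creds.get(user, "")
    return bool(stored) and hmac.compare_digest(stored.encode(), password.encode())


def verify_plain(response_b64, creds=CREDENTIALS):
    """AUTH PLAIN: one base64 line holding [authzid] NUL authcid NUL password."""
    decoded = _b64decode_utf8(response_b64)
    if decoded is None or decoded.count("\0") != 2:
        return None
    authzid, authcid, password = decoded.split("\0")
    # Only allow a client to act as itself; proxy authorization is refused.
    if authzid not in ("", authcid):
        return None
    return authcid if _check_password(authcid, password, creds) else None


def verify_login(user_b64, password_b64, creds=CREDENTIALS):
    """AUTH LOGIN: username and password arrive as two separate base64 lines."""
    user = _b64decode_utf8(user_b64)
    password = _b64decode_utf8(password_b64)
    if user is None or password is None:
        return None
    return user if _check_password(user, password, creds) else None


def cram_md5_challenge(hostname="mail.example.test"):
    """Fresh, unpredictable challenge in RFC 2195's '<random.timestamp@host>' shape."""
    nonce = int.from_bytes(os.urandom(8), "big")
    return f"<{nonce}.{int(time.time())}@{hostname}>".encode("ascii")


def cram_md5_digest(password, challenge):
    """HMAC-MD5 over the challenge, keyed with the shared secret, as lowercase hex."""
    return hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()


def verify_cram_md5(challenge, response_b64, creds=CREDENTIALS):
    """AUTH CRAM-MD5: response is base64 of 'username SP hexdigest'.

    The challenge must be the one this server issued for this session, so a
    response captured from an earlier exchange does not verify."""
    decoded = _b64decode_utf8(response_b64)
    if decoded is None:
        return None
    user, _, digest = decoded.rpartition(" ")
    if not user or len(digest) != 32:
        return None
    stored = creds.get(user)
    if stored is None:
        cram_md5_digest("", challenge)  # same work for unknown users
        return None
    expected = cram_md5_digest(stored, challenge)
    return user if hmac.compare_digest(expected.encode(), digest.lower().encode()) else None


# Client-side encoders, used here to build well-formed responses for the
# server functions above (and by the RFC 2195 example in the test vector).
def plain_response(authcid, password, authzid=""):
    return base64.b64encode(f"{authzid}\0{authcid}\0{password}".encode()).decode("ascii")


def login_responses(user, password):
    return (base64.b64encode(user.encode()).decode("ascii"),
            base64.b64encode(password.encode()).decode("ascii"))


def cram_md5_response(user, password, challenge):
    line = f"{user} {cram_md5_digest(password, challenge)}"
    return base64.b64encode(line.encode()).decode("ascii")


if __name__ == "__main__":
    challenge = cram_md5_challenge()
    print("S: 334", base64.b64encode(challenge).decode("ascii"))
    reply = cram_md5_response("alice", "s3cret", challenge)
    print("C:", reply)
    print("S:", "235 ok" if verify_cram_md5(challenge, reply) else "535 failed")
```

Two points worth keeping in view when deciding which of these to offer. PLAIN and LOGIN are base64, not encryption, so the password is readable by anything on the path unless STARTTLS has already been negotiated; the usual server policy is to advertise them only on a TLS session. CRAM-MD5 keeps the password off the wire, but it needs a recoverable secret on the server and rests on HMAC-MD5, so it is best seen as a compatibility mechanism rather than a reason to skip TLS.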

