Open Bug 1503382 Opened 6 years ago Updated 4 months ago

SCRAM IMAP authentication support

Categories: MailNews Core :: Networking: IMAP (enhancement)

Tracking: (Not tracked)

Status: UNCONFIRMED

People: Reporter: alexander-mozilla, Unassigned

References

Details

After looking at the available authentication methods in “Account Settings” → “Server Settings” only “Encrypted Password” looked like it could also include SCRAM, but looking at the code[1] makes it pretty clear that this only means CRAM-MD5.

Meaning that there is no modern password-less (in terms of transport at least) authentication method available in Thunderbird. The only standard currently available is SCRAM and at least the following variations should be supported: SCRAM-SHA1 (because it's mandated by the spec and is the only one with real deployments), SCRAM-SHA256 & SCRAM-SHA512 – they are all the same except for the hash function used in the KDF.
Since Thunderbird got support for SCRAM for XMPP since version 52, the code for that may be reusable.

(To clarify: This is an additional layer for security, not a competitor or replacement for TLS!)


  [1]: https://dxr.mozilla.org/thunderbird/source/mailnews/imap/src/nsImapProtocol.cpp#5086
Component: Security → Networking: IMAP
Product: Thunderbird → MailNews Core
Severity: normal → enhancement
Thanks for triaging!

Some questions for working on this:
Do you think any code sharing is possible with the XMPP SCRAM component?
Would the function linked in my first comment (nsImapProtocol::AuthLogin) be the correct place to add such functionality?
The XMPP implementation seems to be here: https://searchfox.org/comm-central/source/chat/protocols/xmpp/xmpp-authmechs.jsm#310 - code sharing, possibly if you extract that and access it through an interface.

The place in nsImapProtocol looked about right.
Thank you! I looked through the code you linked and since it's generic over the underlying SASL transport extracting it as a generic component should not be too hard.
However I'd need some guidance on how to create a C++ accessible interface from JavaScript. From what I remember of the classic extension days, one needs to define an .idl file and compile it to some other format. Also the class needs to be registered somehow. Is there a document (or another bug report maybe?) somewhere that describes the general process of how to do this as part of the Mozilla source code?
Not sure there's a guide unfortunately. 

You could look at mimeJSComponents.js https://searchfox.org/comm-central/source/mailnews/mime/src/mimeJSComponents.js#504, nsIMimeConverter (https://searchfox.org/comm-central/search?q=nsIMimeConverter&path=) for some inspiration. (It's a more complicated case...)
SCRAM authentication could also be added to SMTP (when implemented for IMAP)

Any news for it?
There is a ticket for XMPP too: https://bugzilla.mozilla.org/show_bug.cgi?id=1577688.

Please note that SCRAM-SHA-1(-PLUS), SCRAM-SHA-224(-PLUS), SCRAM-SHA-256(-PLUS), SCRAM-SHA-384(-PLUS), and SCRAM-SHA-512(-PLUS) are in Cyrus SASL: https://github.com/cyrusimap/cyrus-sasl/commits/master

About -PLUS variants, Channel-Binding Support is needed in NSS: https://bugzilla.mozilla.org/show_bug.cgi?id=563276

It is already done for XMPP:

SCRAM-SHA-1-PLUS and SCRAM-SHA-256-PLUS are missing because https://bugzilla.mozilla.org/show_bug.cgi?id=563276

Tickets:

RFCs:

IANA:

Cyrus SASL supports:

Dovecot SASL supports:

GNU SASL supports:

CRAM-MD5 to Historic:

RFC6331: Moving DIGEST-MD5 to Historic

More information:

After old TLS version, for TLS 1.3, there is: https://tools.ietf.org/html/draft-ietf-kitten-tls-channel-bindings-for-tls13

And there are other SCRAM too:

Dovecot supports SCRAM-SHA-256 as of version 2.3.10.

See Also: → 1597103

Hello all,

Happy New Year 2022!

I see a good news here: https://www.linkedin.com/posts/ryanleesipes_in-2017-i-joined-the-thunderbird-team-as-ugcPost-6880457591319867392-SImO/

I think it is time to look at SCRAM hashed passwords for POP/IMAP/SMTP/LDAP and Mozilla Thunderbird?

It is already done for XMPP with SCRAM-SHA-1 and SCRAM-SHA-256:

For example, already in:

It is specified in ESET help: https://help.eset.com/era_admin/64/en-US/index.html?smtp_server.htm
It is specified in IONOS help: https://www.ionos.fr/digitalguide/email/aspects-techniques/authentification-smtp/

You can look at a big list here:

Google search:

Thanks in advance.

Severity: normal → S3