Bug 1503382 (Open): opened 7 years ago, updated 7 months ago

SCRAM IMAP authentication support

Categories: MailNews Core :: Networking: IMAP, enhancement
Tracking: Not tracked
Status: UNCONFIRMED
People: Reporter: ntninja, Unassigned

After looking at the available authentication methods in “Account Settings” → “Server Settings”, only “Encrypted Password” looked like it could also include SCRAM, but looking at the code[1] makes it pretty clear that this only means CRAM-MD5. This means that there is no modern password-less (in terms of transport, at least) authentication method available in Thunderbird.

The only standard currently available is SCRAM, and at least the following variations should be supported: SCRAM-SHA1 (because it's mandated by the spec and is the only one with real deployments), SCRAM-SHA256 & SCRAM-SHA512 – they are all the same except for the hash function used in the KDF.

Since Thunderbird has had support for SCRAM for XMPP since version 52, the code for that may be reusable.

(To clarify: This is an additional layer of security, not a competitor to or replacement for TLS!)

[1]: https://dxr.mozilla.org/thunderbird/source/mailnews/imap/src/nsImapProtocol.cpp#5086
Component: Security → Networking: IMAP
Product: Thunderbird → MailNews Core
Severity: normal → enhancement
Thanks for triaging! Some questions for working on this: Do you think any code sharing is possible with the XMPP SCRAM component? Would the function linked in my first comment (nsImapProtocol::AuthLogin) be the correct place to add such functionality?
The XMPP implementation seems to be here: https://searchfox.org/comm-central/source/chat/protocols/xmpp/xmpp-authmechs.jsm#310 - code sharing is possible if you extract that and access it through an interface. The place in nsImapProtocol looked about right.
Thank you! I looked through the code you linked and, since it's generic over the underlying SASL transport, extracting it as a generic component should not be too hard. However, I'd need some guidance on how to create a C++-accessible interface from JavaScript. From what I remember of the classic extension days, one needs to define an .idl file and compile it to some other format. Also, the class needs to be registered somehow. Is there a document (or another bug report, maybe?) somewhere that describes the general process of how to do this as part of the Mozilla source code?
Not sure there's a guide unfortunately. You could look at mimeJSComponents.js https://searchfox.org/comm-central/source/mailnews/mime/src/mimeJSComponents.js#504, nsIMimeConverter (https://searchfox.org/comm-central/search?q=nsIMimeConverter&path=) for some inspiration. (It's a more complicated case...)
SCRAM authentication could also be added to SMTP (when implemented for IMAP)

Any news for it?
There is a ticket for XMPP too: https://bugzilla.mozilla.org/show_bug.cgi?id=1577688.

Please note that SCRAM-SHA-1(-PLUS), SCRAM-SHA-224(-PLUS), SCRAM-SHA-256(-PLUS), SCRAM-SHA-384(-PLUS), and SCRAM-SHA-512(-PLUS) are in Cyrus SASL: https://github.com/cyrusimap/cyrus-sasl/commits/master

For the -PLUS variants, channel-binding support is needed in NSS: https://bugzilla.mozilla.org/show_bug.cgi?id=563276

It is already done for XMPP:

SCRAM-SHA-1-PLUS and SCRAM-SHA-256-PLUS are missing because of https://bugzilla.mozilla.org/show_bug.cgi?id=563276

Tickets:

RFCs:

IANA:

Cyrus SASL supports:

Dovecot SASL supports:

GNU SASL supports:

CRAM-MD5 to Historic:

RFC6331: Moving DIGEST-MD5 to Historic

More information:

After the older TLS versions, for TLS 1.3 there is: https://tools.ietf.org/html/draft-ietf-kitten-tls-channel-bindings-for-tls13

And there are other SCRAM variants too:

Dovecot supports SCRAM-SHA-256 as of version 2.3.10.

See Also: → 1597103

Hello all,

Happy New Year 2022!

I see good news here: https://www.linkedin.com/posts/ryanleesipes_in-2017-i-joined-the-thunderbird-team-as-ugcPost-6880457591319867392-SImO/

I think it is time to look at SCRAM hashed passwords for POP/IMAP/SMTP/LDAP in Mozilla Thunderbird?

It is already done for XMPP with SCRAM-SHA-1 and SCRAM-SHA-256:

For example, already in:

It is specified in ESET help: https://help.eset.com/era_admin/64/en-US/index.html?smtp_server.htm
It is specified in IONOS help: https://www.ionos.fr/digitalguide/email/aspects-techniques/authentification-smtp/

You can look at a big list here:

Google search:

Thanks in advance.

Severity: normal → S3

I would like to know the status of SCRAM-SHA-256 support, because I am considering implementing authentication for an SMTP or IMAP server.
Could you please let me know if the latest Thunderbird is able to use SCRAM-SHA-256?

(In reply to Harry from comment #14)

> I would like to know the status of SCRAM-SHA-256 support, because I am considering implementing authentication for an SMTP or IMAP server.
> Could you please let me know if the latest Thunderbird is able to use SCRAM-SHA-256?

Don't bother ... This request is 6 years old and, as much as I want to use that auth too (cyrus-sasl, which dovecot and postfix use, supports it out of the box), there's not much chance of getting it done, it seems.

The same applies to DANE record enforcement, which FairEmail (imo the best Android email client) started supporting after I convinced its creator to implement it.

Sad state of affairs, but it is what it is.

(In reply to Harry from comment #14)

> Could you please let me know if the latest Thunderbird is able to use SCRAM-SHA-256?

No indeed, as far as I know. Thunderbird shows an "encrypted password" authentication mechanism in its UI, but it is CRAM-MD5, which is very old.
See the code, https://github.com/search?q=repo%3Amozilla%2Freleases-comm-central+cram-md5&type=code&p=1 and https://github.com/search?q=repo%3Amozilla%2Freleases-comm-central+scram-sha-1&type=code.

If you're looking for more mail clients to test a server-side scram implementation: mutt supports it (I think also PLUS, but I did run into issues), claws mail too, and emclient supported scram-sha1 last time I checked.

FWIW, I implemented scram-sha-{1,256}{,-plus} in mox (mail server) for SMTP (submission) and IMAP. Feel free to contact me if you want to discuss.

For clients, it can be tricky to find the right authentication mechanism: Autoconfig mechanisms can't currently pinpoint which auth mechanism to use for an account. A server can implement a mechanism (in code) but not support it for an account. E.g. for scram-sha* it needs to derive secrets from a password to use during authentication. If you have existing accounts and you update your server software, the server typically cannot derive those secrets. SMTP/IMAP don't have a way to indicate that a mechanism won't work for a given account; the authentication attempt for a mechanism will just fail. Clients may have to try multiple during account setup. That can cause several authentication failures, which can cause a server to slow down or block a client for a while. Not a great user experience. Could be part of the reason that it's not implemented. Of course, getting cram-md5 is also a very bad user experience, but only for the users who know it's happening... (:

(In reply to László Károlyi from comment #15)

> Don't bother ... This request is 6 years old and, as much as I want to use that auth too (cyrus-sasl, which dovecot and postfix use, supports it out of the box), there's not much chance of getting it done, it seems.

Since CRAM-MD5 has a vulnerability, I was thinking about using SCRAM-SHA-256.
I will consider using PLAIN authentication over TLS connections, because it is used in limited environments.

Thanks a lot.

@harry, @laszlo, @mjl: Thanks for your recent comments :)

I always hope that SCRAM-SHA-* will be added in Mozilla Thunderbird and K-9.
I really hope that the insecure and obsolete CRAM-MD5 will be removed, and DIGEST-MD5 too.

Cyrus SASL/IMAPd, Dovecot, mox, etc.

A list of software supporting SCRAM is here:

Security is very important!

Note: SCRAM is supported for XMPP in Mozilla Thunderbird but not for POP/IMAP/SMTP/LDAP.

Dear Mozilla Team,

Good news: the recent Dovecot 2.4.0 supports SCRAM-SHA-1-PLUS/SCRAM-SHA-256-PLUS in addition to SCRAM-SHA-1/SCRAM-SHA-256. It arrives after Exim, indimail-mta, msmtp, mpop, ...

It is possible to add it in Mozilla Thunderbird / Thunderbird Mobile, K-9 Mail included of course.

Several years ago, SCRAM-SHA-1 and SCRAM-SHA-256 were added for XMPP but not for POP3/IMAP/SMTP/LDAP.

The full list is here:

Thanks in advance.

FWIW, as a user of Thunderbird I really do miss SCRAM (with PLUS) support. I am the developer of mox, a mail server (https://github.com/mjl-/mox) which includes SASL SCRAM support. Sending passwords to an SMTP/IMAP server is not great and CRAM-MD5 is not good enough either. Also, TLS channel binding is important, see https://notes.valdikss.org.ru/jabber.ru-mitm/ and the section "Could you prevent or monitor this kind of attack?", which includes this line: "Channel binding" is a feature in XMPP which can detect a MiTM even if the interceptor present a valid certificate. Both the client and the server must support SCRAM PLUS authentication mechanisms for this to work. Unfortunately this was not active on jabber.ru at the time of the attack.
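For readers who want to see what this bug is asking for concretely, here is an added worked example of the SCRAM-SHA-256 exchange (RFC 5802 / RFC 7677) with both the client and the server side, including the per-account derived credential that mjl's comment above says a server must store, and the -PLUS channel-binding check from the last comment. It is example code written for this page; it is not code from Thunderbird, mox, Dovecot or Cyrus SASL. The account name, password, salt, iteration count and the two "channel binding" byte strings are constructed for the demonstration; in a real client the channel-binding bytes come from the TLS layer (tls-exporter per RFC 9266, or tls-unique, which is what Python's `ssl.SSLSocket.get_channel_binding()` exposes), and the nonces would be fresh per connection.

```python
"""SCRAM-SHA-256 and SCRAM-SHA-256-PLUS, client and server side (RFC 5802, RFC 7677).
Added example for illustration; not code from any of the projects discussed."""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass

HASH_NAME = "sha256"   # "sha1" gives SCRAM-SHA-1: only the hash changes, the message flow does not


def H(data: bytes) -> bytes:
    return hashlib.new(HASH_NAME, data).digest()


def HMAC(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH_NAME).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def parse_attrs(msg: str) -> dict:
    # "r=abc,s=c2FsdA==,i=4096" -> {"r": "abc", "s": "c2FsdA==", "i": "4096"}
    return dict(part.split("=", 1) for part in msg.split(","))


def saslname(user: str) -> str:
    return user.replace("=", "=3D").replace(",", "=2C")   # RFC 5802 section 5.1 escaping


@dataclass
class StoredCredential:
    """What a SCRAM server keeps per account. It is derived from the password at
    enrolment time and cannot be computed from an existing CRAM-MD5 or password-hash
    store, which is why upgraded servers cannot offer SCRAM for old accounts."""
    salt: bytes
    iterations: int
    stored_key: bytes   # H(ClientKey): verifies client proofs, cannot be used to impersonate the client
    server_key: bytes   # HMAC(SaltedPassword, "Server Key"): signs the server-final message


def derive_credential(password: str, salt: bytes, iterations: int) -> StoredCredential:
    salted = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    client_key = HMAC(salted, b"Client Key")
    return StoredCredential(salt, iterations, H(client_key), HMAC(salted, b"Server Key"))


class ScramClient:
    def __init__(self, user, password, cb_type=None, cb_data=b"", nonce=None):
        self.password, self.cb_data = password, cb_data
        self.nonce = nonce or secrets.token_urlsafe(18)
        self.gs2 = f"p={cb_type},," if cb_type else "n,,"     # gs2-header: "p=" means -PLUS
        self.bare = f"n={saslname(user)},r={self.nonce}"

    def first(self) -> str:
        return self.gs2 + self.bare

    def final(self, server_first: str) -> str:
        a = parse_attrs(server_first)
        if not a["r"].startswith(self.nonce):
            raise PermissionError("server did not echo our nonce")
        salted = hashlib.pbkdf2_hmac(HASH_NAME, self.password.encode("utf-8"),
                                     base64.b64decode(a["s"]), int(a["i"]))
        client_key = HMAC(salted, b"Client Key")
        # c= binds the gs2-header (downgrade protection) and this TLS session's binding bytes
        without_proof = f"c={b64(self.gs2.encode() + self.cb_data)},r={a['r']}"
        auth_message = f"{self.bare},{server_first},{without_proof}".encode()
        proof = xor(client_key, HMAC(H(client_key), auth_message))   # ClientKey XOR ClientSignature
        self.expect_v = HMAC(HMAC(salted, b"Server Key"), auth_message)
        return f"{without_proof},p={b64(proof)}"

    def verify_server(self, server_final: str) -> bool:
        # Mutual authentication: only a holder of ServerKey can produce a valid v=
        return hmac.compare_digest(base64.b64decode(parse_attrs(server_final)["v"]), self.expect_v)


class ScramServer:
    def __init__(self, credentials: dict, cb_data=b"", nonce=None):
        self.credentials, self.cb_data = credentials, cb_data
        self.nonce = nonce or secrets.token_urlsafe(18)

    def first(self, client_first: str) -> str:
        gs2_flag, _authzid, self.bare = client_first.split(",", 2)
        self.gs2 = gs2_flag + ",,"
        a = parse_attrs(self.bare)
        user = a["n"].replace("=2C", ",").replace("=3D", "=")
        self.cred = self.credentials[user]   # production servers answer unknown users with a fake salt
        self.combined_nonce = a["r"] + self.nonce
        self.server_first = f"r={self.combined_nonce},s={b64(self.cred.salt)},i={self.cred.iterations}"
        return self.server_first

    def final(self, client_final: str) -> str:
        without_proof, proof_b64 = client_final.rsplit(",p=", 1)
        a = parse_attrs(without_proof)
        if a["c"] != b64(self.gs2.encode() + self.cb_data):   # recomputed from *our* TLS session
            raise PermissionError("channel binding mismatch: client and server see different TLS sessions")
        if a["r"] != self.combined_nonce:
            raise PermissionError("nonce mismatch")
        auth_message = f"{self.bare},{self.server_first},{without_proof}".encode()
        client_key = xor(base64.b64decode(proof_b64), HMAC(self.cred.stored_key, auth_message))
        if not hmac.compare_digest(H(client_key), self.cred.stored_key):
            raise PermissionError("bad proof")
        return "v=" + b64(HMAC(self.cred.server_key, auth_message))


def run_exchange(user, password, credentials, cb_type=None, client_cb=b"", server_cb=b""):
    """Drive one full exchange; returns (authenticated, reason, transcript)."""
    client, server, lines = ScramClient(user, password, cb_type, client_cb), ScramServer(credentials, server_cb), []
    try:
        c1 = client.first();    lines.append("C: " + c1)
        s1 = server.first(c1);  lines.append("S: " + s1)
        c2 = client.final(s1);  lines.append("C: " + c2)
        s2 = server.final(c2);  lines.append("S: " + s2)
    except PermissionError as e:
        return False, str(e), lines
    ok = client.verify_server(s2)
    return ok, "ok" if ok else "server signature invalid", lines


# Constructed sample data (not from any real deployment): one account and two distinct TLS sessions.
PASSWORD = "correct horse battery staple"
CREDS = {"alice": derive_credential(PASSWORD, b"constructed-salt-16", 4096)}
CB_SESSION_A = hashlib.sha256(b"constructed exporter value, session A").digest()
CB_SESSION_B = hashlib.sha256(b"constructed exporter value, session B").digest()

if __name__ == "__main__":
    for label, kw in [("SCRAM-SHA-256", {}),
                      ("SCRAM-SHA-256-PLUS, same session", dict(cb_type="tls-exporter", client_cb=CB_SESSION_A, server_cb=CB_SESSION_A)),
                      ("SCRAM-SHA-256-PLUS, MITM relays between two sessions", dict(cb_type="tls-exporter", client_cb=CB_SESSION_A, server_cb=CB_SESSION_B))]:
        ok, why, transcript = run_exchange("alice", PASSWORD, CREDS, **kw)
        print(f"{label}: {ok} ({why})\n  " + "\n  ".join(transcript))
```

Two things worth noticing in the transcript: the password itself never leaves the client (the server only ever sees a proof bound to both nonces and the server's salt), and in the -PLUS case the `c=` attribute is part of AuthMessage, so an interceptor who terminates TLS on both sides sees different exporter values on each leg and cannot make the client's proof verify against the server's view, which is exactly the detection the jabber.ru write-up describes.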
