SCRAM IMAP authentication support
Categories: (MailNews Core :: Networking: IMAP, enhancement)
Tracking: (Not tracked)
People: (Reporter: alexander-mozilla, Unassigned)
After looking at the available authentication methods in “Account Settings” → “Server Settings”, only “Encrypted Password” looked like it could also include SCRAM, but looking at the code[1] makes it pretty clear that this only means CRAM-MD5. This means that there is no modern password-less (in terms of transport, at least) authentication method available in Thunderbird.

The only standard currently available is SCRAM, and at least the following variations should be supported: SCRAM-SHA-1 (because it's mandated by the spec and is the only one with real deployments), SCRAM-SHA-256 and SCRAM-SHA-512. They are all the same except for the hash function used in the KDF. Since Thunderbird has had support for SCRAM for XMPP since version 52, the code for that may be reusable.

(To clarify: this is an additional layer of security, not a competitor or replacement for TLS!)

[1]: https://dxr.mozilla.org/thunderbird/source/mailnews/imap/src/nsImapProtocol.cpp#5086
Thanks for triaging! Some questions for working on this: Do you think any code sharing is possible with the XMPP SCRAM component? Would the function linked in my first comment (nsImapProtocol::AuthLogin) be the correct place to add such functionality?
Comment 2•6 years ago
The XMPP implementation seems to be here: https://searchfox.org/comm-central/source/chat/protocols/xmpp/xmpp-authmechs.jsm#310 - code sharing, possibly, if you extract that and access it through an interface. The place in nsImapProtocol looked about right.
Thank you! I looked through the code you linked, and since it's generic over the underlying SASL transport, extracting it as a generic component should not be too hard. However, I'd need some guidance on how to create a C++-accessible interface from JavaScript. From what I remember of the classic extension days, one needs to define an .idl file and compile it to some other format. Also, the class needs to be registered somehow. Is there a document (or another bug report, maybe?) somewhere that describes the general process of how to do this as part of the Mozilla source code?
Comment 4•6 years ago
Not sure there's a guide, unfortunately. You could look at mimeJSComponents.js (https://searchfox.org/comm-central/source/mailnews/mime/src/mimeJSComponents.js#504) and nsIMimeConverter (https://searchfox.org/comm-central/search?q=nsIMimeConverter&path=) for some inspiration. (It's a more complicated case...)
SCRAM authentication could also be added to SMTP (when implemented for IMAP)
Comment 6•5 years ago
Any news for it?
There is a ticket for XMPP too: https://bugzilla.mozilla.org/show_bug.cgi?id=1577688.
Comment 7•5 years ago
Please note that SCRAM-SHA-1(-PLUS), SCRAM-SHA-224(-PLUS), SCRAM-SHA-256(-PLUS), SCRAM-SHA-384(-PLUS), and SCRAM-SHA-512(-PLUS) are in Cyrus SASL: https://github.com/cyrusimap/cyrus-sasl/commits/master
Comment 8•5 years ago
About the -PLUS variants: channel-binding support is needed in NSS: https://bugzilla.mozilla.org/show_bug.cgi?id=563276
Comment 9•5 years ago
It is already done for XMPP:
- SCRAM-SHA-1: https://bugzilla.mozilla.org/show_bug.cgi?id=1267649
- SCRAM-SHA-256: https://bugzilla.mozilla.org/show_bug.cgi?id=1577688
SCRAM-SHA-1-PLUS and SCRAM-SHA-256-PLUS are missing because of https://bugzilla.mozilla.org/show_bug.cgi?id=563276
Tickets:
- For IMAP: https://bugzilla.mozilla.org/show_bug.cgi?id=1503382
- For POP: https://bugzilla.mozilla.org/show_bug.cgi?id=1597102
- For SMTP: https://bugzilla.mozilla.org/show_bug.cgi?id=1597103
- For LDAP: https://bugzilla.mozilla.org/show_bug.cgi?id=1597106
RFCs:
- RFC5802: Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms: https://tools.ietf.org/html/rfc5802
- RFC7677: SCRAM-SHA-256 and SCRAM-SHA-256-PLUS Simple Authentication and Security Layer (SASL) Mechanisms: https://tools.ietf.org/html/rfc7677 - since 2015-11-02
- RFC5056: On the Use of Channel Bindings to Secure Channels: https://tools.ietf.org/html/rfc5056
- RFC5929: Channel Bindings for TLS: https://tools.ietf.org/html/rfc5929
- RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803
- RFC7804: Salted Challenge Response HTTP Authentication Mechanism: https://tools.ietf.org/html/rfc7804
IANA:
- Simple Authentication and Security Layer (SASL) Mechanisms: https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml
- Channel-Binding Types: https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml
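The exchange that the reporter's description and comment 9 refer to, worked through as an added example (this is illustration code, not Thunderbird, Cyrus or Dovecot code): a SCRAM client and server following RFC 5802 and RFC 7677, parameterised by hash so that SCRAM-SHA-1, SCRAM-SHA-256 and SCRAM-SHA-512 share one code path (the KDF Hi() is PBKDF2 with the mechanism's hash), plus the channel-binding check that makes the -PLUS variants from comment 8 depend on data from the TLS stack. The names ScramClient, ScramServer, stored_credentials and run_exchange are this example's own; the channel-binding bytes, the salt and the "user"/"pencil" credentials are constructed sample input; the IMAP lines follow AUTHENTICATE with an initial response (RFC 4959) and both sides run in one process with no socket.

```python
"""SCRAM client/server exchange (RFC 5802, RFC 7677), optional channel binding.
Added illustration, not Thunderbird, Cyrus or Dovecot code: both sides run in one
process with no socket or TLS, and the -PLUS channel-binding bytes are a constructed
placeholder for what a real client would take from the TLS stack."""
import base64
import hashlib
import hmac
import secrets

def _hmac(key, msg, h): return hmac.new(key, msg, h).digest()
def _h(data, h): return hashlib.new(h, data).digest()
def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def _b64(data): return base64.b64encode(data).decode()
def _parse(msg):  # "k=v,k=v" attribute list; base64 values never contain ','
    return dict(part.split("=", 1) for part in msg.split(","))

def stored_credentials(password, salt, iterations, h):
    """What the server keeps (RFC 5802 s.3): never the password or SaltedPassword."""
    salted = hashlib.pbkdf2_hmac(h, password.encode(), salt, iterations)  # Hi()
    return {"salt": salt, "iterations": iterations,
            "stored_key": _h(_hmac(salted, b"Client Key", h), h),
            "server_key": _hmac(salted, b"Server Key", h)}

class ScramClient:
    def __init__(self, user, password, h, cb_type=None, cb_data=None):
        self.user, self.password, self.h = user, password, h
        self.cb_data = cb_data or b""
        # GS2 header: "n" = client does not use channel binding, "p=<type>" = bind.
        self.gs2 = f"p={cb_type},," if cb_type else "n,,"
        self.nonce = _b64(secrets.token_bytes(18))

    def client_first(self):
        self.bare = f"n={self.user},r={self.nonce}"
        return self.gs2 + self.bare

    def client_final(self, server_first):
        a = _parse(server_first)
        if not a["r"].startswith(self.nonce):  # server must extend our nonce
            raise ValueError("server nonce does not start with client nonce")
        salted = hashlib.pbkdf2_hmac(self.h, self.password.encode(),
                                     base64.b64decode(a["s"]), int(a["i"]))
        client_key = _hmac(salted, b"Client Key", self.h)
        # c= carries the GS2 header plus the channel-binding data this side saw.
        without_proof = f"c={_b64(self.gs2.encode() + self.cb_data)},r={a['r']}"
        auth_msg = f"{self.bare},{server_first},{without_proof}".encode()
        proof = _xor(client_key, _hmac(_h(client_key, self.h), auth_msg, self.h))
        server_key = _hmac(salted, b"Server Key", self.h)
        self.expected_v = _b64(_hmac(server_key, auth_msg, self.h))
        return f"{without_proof},p={_b64(proof)}"

    def verify_server_final(self, server_final):  # mutual auth: needs ServerKey
        return hmac.compare_digest(_parse(server_final)["v"], self.expected_v)

class ScramServer:
    def __init__(self, creds, h, cb_data=None):
        self.creds, self.h, self.cb_data = creds, h, cb_data or b""

    def server_first(self, client_first):
        gs2, _, self.bare = client_first.partition(",,")
        self.gs2, a = gs2 + ",,", _parse(self.bare)
        self.cred = self.creds[a["n"]]
        self.nonce = a["r"] + _b64(secrets.token_bytes(18))
        self.msg = f"r={self.nonce},s={_b64(self.cred['salt'])},i={self.cred['iterations']}"
        return self.msg

    def server_final(self, client_final):
        """Return the v= message on success, None on any failure."""
        a = _parse(client_final)
        # c= must match the server's own channel view: a relay via another TLS session fails.
        if a["c"] != _b64(self.gs2.encode() + self.cb_data) or a["r"] != self.nonce:
            return None
        without_proof = client_final.rsplit(",p=", 1)[0]
        auth_msg = f"{self.bare},{self.msg},{without_proof}".encode()
        client_sig = _hmac(self.cred["stored_key"], auth_msg, self.h)
        client_key = _xor(base64.b64decode(a["p"]), client_sig)  # ClientProof ^ Sig
        if not hmac.compare_digest(_h(client_key, self.h), self.cred["stored_key"]):
            return None
        return "v=" + _b64(_hmac(self.cred["server_key"], auth_msg, self.h))

def run_exchange(h="sha256", cb_type=None, client_cb=None, server_cb=None,
                 client_password="pencil"):
    """Drive one exchange; return (success, IMAP AUTHENTICATE transcript lines)."""
    creds = {"user": stored_credentials("pencil", secrets.token_bytes(16), 4096, h)}
    client = ScramClient("user", client_password, h, cb_type, client_cb)
    server = ScramServer(creds, h, server_cb)
    mech = "SCRAM-" + h.upper().replace("SHA", "SHA-") + ("-PLUS" if cb_type else "")
    wire = lambda text: _b64(text.encode())  # SASL messages are base64 on the wire
    c1 = client.client_first()
    s1 = server.server_first(c1)
    c2 = client.client_final(s1)
    s2 = server.server_final(c2)
    lines = [f"a001 AUTHENTICATE {mech} {wire(c1)}", f"+ {wire(s1)}", wire(c2)]
    if s2 is None:
        return False, lines + ["a001 NO authentication failed"]
    ok = client.verify_server_final(s2)  # client sends "*" to abort if this fails
    return ok, lines + [f"+ {wire(s2)}", "", "a001 OK" if ok else "*"]

if __name__ == "__main__":
    for line in run_exchange("sha256", "tls-exporter", b"cb-bytes", b"cb-bytes")[1]:
        print(line)
```

Running it prints the IMAP-framed transcript for SCRAM-SHA-256-PLUS. The two design points worth noticing: the server never stores anything from which the password or a reusable ClientKey can be read (only StoredKey = H(ClientKey) and ServerKey), which is the difference from CRAM-MD5, whose server-side secret is the password itself; and the c= attribute is what ties the -PLUS variants to the TLS session, so a client cannot offer them until the TLS library exposes the tls-unique or tls-exporter value. To cross-check the arithmetic against the standard, the RFC 7677 section 3 exchange (user "user", password "pencil") can be replayed through ScramClient.client_final by fixing the nonce and salt to the RFC's values.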
Comment 10•5 years ago
Cyrus SASL supports:
- SCRAM-SHA-1
- SCRAM-SHA-1-PLUS
- SCRAM-SHA-224
- SCRAM-SHA-224-PLUS
- SCRAM-SHA-256
- SCRAM-SHA-256-PLUS
- SCRAM-SHA-384
- SCRAM-SHA-384-PLUS
- SCRAM-SHA-512
- SCRAM-SHA-512-PLUS
-> https://cyrusimap.org/sasl/sasl/authentication_mechanisms.html
-> https://github.com/cyrusimap/cyrus-sasl/commits/master
Dovecot SASL supports:
GNU SASL supports:
- SCRAM-SHA-1
- SCRAM-SHA-1-PLUS
-> http://www.gnu.org/software/gsasl/
CRAM-MD5 to Historic:
- https://tools.ietf.org/html/draft-ietf-sasl-crammd5-to-historic-00 // 20 November 2008
RFC6331: Moving DIGEST-MD5 to Historic
- https://tools.ietf.org/html/rfc6331 since July 2011
More information:
Comment 11•4 years ago
After the older TLS versions, for TLS 1.3 there is: https://tools.ietf.org/html/draft-ietf-kitten-tls-channel-bindings-for-tls13
And there are other SCRAM variants too:
- SCRAM-SHA-512(-PLUS): https://tools.ietf.org/html/draft-melnikov-scram-sha-512
- SCRAM-SHA3-512(-PLUS): https://tools.ietf.org/html/draft-melnikov-scram-sha3-512
- Extensions to Salted Challenge Response (SCRAM) for 2 factor authentication: https://tools.ietf.org/html/draft-melnikov-scram-2fa
Comment 12•3 years ago
Dovecot supports SCRAM-SHA-256 as of version 2.3.10.
Comment 13•2 years ago
Hello all,
Happy New Year 2022!
I see good news here: https://www.linkedin.com/posts/ryanleesipes_in-2017-i-joined-the-thunderbird-team-as-ugcPost-6880457591319867392-SImO/
I think it is time to look at SCRAM hashed passwords for POP/IMAP/SMTP/LDAP in Mozilla Thunderbird?
- For IMAP: https://bugzilla.mozilla.org/show_bug.cgi?id=1503382
- For POP: https://bugzilla.mozilla.org/show_bug.cgi?id=1597102
- For SMTP: https://bugzilla.mozilla.org/show_bug.cgi?id=1597103
- For LDAP: https://bugzilla.mozilla.org/show_bug.cgi?id=1597106
It is already done for XMPP with SCRAM-SHA-1 and SCRAM-SHA-256:
- https://github.com/mozilla/releases-comm-central/search?q=scram-sha-1
- https://github.com/mozilla/releases-comm-central/search?q=scram-sha-256
For example, already in:
- Cyrus: https://www.cyrusimap.org/sasl/sasl/authentication_mechanisms.html
- Dovecot: https://doc.dovecot.org/configuration_manual/authentication/authentication_mechanisms/
- Exim: https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_gsasl_authenticator.html
- GNU SASL (gsasl): https://www.gnu.org/software/gsasl/
- mpop: https://marlam.de/mpop/news/
- msmtp: https://marlam.de/msmtp/news/
- NeoMutt: https://github.com/neomutt/neomutt/blob/075c5c4d77f3a8451d77098ef12f9a3d2eda6998/conn/sasl.c#L107
- DataEnter CryptoFilter - The S/MIME Gateway: https://www.dataenter.com/beta/cryptofilter.htm
- DataEnter POPBeamer - The Mail Collector: https://www.dataenter.com/beta/popbeamer.htm
- DataEnter SMTPBeamer - The Mail Server: https://www.dataenter.com/beta/smtpbeamer.htm
- DataEnter XWall - The Mail Filter: https://www.dataenter.com/beta/xwall.htm
- MailKit/MimeKit: http://www.mimekit.net/docs/html/Introduction.htm
It is specified in ESET help: https://help.eset.com/era_admin/64/en-US/index.html?smtp_server.htm
It is specified in IONOS help: https://www.ionos.fr/digitalguide/email/aspects-techniques/authentification-smtp/
You can look at a big list here:
Google search:
- https://www.google.com/search?q=scram-sha-1
- https://www.google.com/search?q=scram-sha-256
- https://www.google.com/search?q=scram-sha-512
- https://www.google.com/search?q=scram-sha3-512
Thanks in advance.