SCRAM SMTP authentication support
Categories
(MailNews Core :: Networking: SMTP, enhancement)
Tracking
(Not tracked)
People
(Reporter: Neustradamus, Unassigned)
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Steps to reproduce:
Can you add SCRAM support for SMTP?
Comment 1 • 6 years ago (Reporter)
It is already done for XMPP:
- SCRAM-SHA-1: https://bugzilla.mozilla.org/show_bug.cgi?id=1267649
- SCRAM-SHA-256: https://bugzilla.mozilla.org/show_bug.cgi?id=1577688
SCRAM-SHA-1-PLUS and SCRAM-SHA-256-PLUS are missing because of https://bugzilla.mozilla.org/show_bug.cgi?id=563276
Tickets:
- For IMAP: https://bugzilla.mozilla.org/show_bug.cgi?id=1503382
- For POP: https://bugzilla.mozilla.org/show_bug.cgi?id=1597102
- For SMTP: https://bugzilla.mozilla.org/show_bug.cgi?id=1597103
- For LDAP: https://bugzilla.mozilla.org/show_bug.cgi?id=1597106
RFCs:
- RFC5802: Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms: https://tools.ietf.org/html/rfc5802
- RFC7677: SCRAM-SHA-256 and SCRAM-SHA-256-PLUS Simple Authentication and Security Layer (SASL) Mechanisms: https://tools.ietf.org/html/rfc7677 - since 2015-11-02
- RFC5056: On the Use of Channel Bindings to Secure Channels: https://tools.ietf.org/html/rfc5056
- RFC5929: Channel Bindings for TLS: https://tools.ietf.org/html/rfc5929
- RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803
- RFC7804: Salted Challenge Response HTTP Authentication Mechanism: https://tools.ietf.org/html/rfc7804
IANA:
- Simple Authentication and Security Layer (SASL) Mechanisms: https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml
- Channel-Binding Types: https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml
Comment 2 • 6 years ago (Reporter)
Cyrus SASL supports:
- SCRAM-SHA-1
- SCRAM-SHA-1-PLUS
- SCRAM-SHA-224
- SCRAM-SHA-224-PLUS
- SCRAM-SHA-256
- SCRAM-SHA-256-PLUS
- SCRAM-SHA-384
- SCRAM-SHA-384-PLUS
- SCRAM-SHA-512
- SCRAM-SHA-512-PLUS
-> https://cyrusimap.org/sasl/sasl/authentication_mechanisms.html
-> https://github.com/cyrusimap/cyrus-sasl/commits/master
Dovecot SASL supports:
GNU SASL supports:
- SCRAM-SHA-1
- SCRAM-SHA-1-PLUS
-> http://www.gnu.org/software/gsasl/
CRAM-MD5 to Historic:
- https://tools.ietf.org/html/draft-ietf-sasl-crammd5-to-historic-00 // 20 November 2008
RFC6331: Moving DIGEST-MD5 to Historic
- https://tools.ietf.org/html/rfc6331 since July 2011
More information:
Comment 3 • 5 years ago (Reporter)
After the old TLS versions, for TLS 1.3, there is: https://tools.ietf.org/html/draft-ietf-kitten-tls-channel-bindings-for-tls13
And there are other SCRAM mechanisms too:
- SCRAM-SHA-512(-PLUS): https://tools.ietf.org/html/draft-melnikov-scram-sha-512
- SCRAM-SHA3-512(-PLUS): https://tools.ietf.org/html/draft-melnikov-scram-sha3-512
- Extensions to Salted Challenge Response (SCRAM) for 2 factor authentication: https://tools.ietf.org/html/draft-melnikov-scram-2fa
Comment 5 • 4 years ago
No, maybe later. My impression is it's not commonly used.
Comment 6 • 4 years ago (Reporter)
Hello all,
Happy New Year 2022!
I see good news here: https://www.linkedin.com/posts/ryanleesipes_in-2017-i-joined-the-thunderbird-team-as-ugcPost-6880457591319867392-SImO/
I think it is time to look at SCRAM hash passwords for POP/IMAP/SMTP/LDAP and Mozilla Thunderbird?
- For IMAP: https://bugzilla.mozilla.org/show_bug.cgi?id=1503382
- For POP: https://bugzilla.mozilla.org/show_bug.cgi?id=1597102
- For SMTP: https://bugzilla.mozilla.org/show_bug.cgi?id=1597103
- For LDAP: https://bugzilla.mozilla.org/show_bug.cgi?id=1597106
It is already done for XMPP with SCRAM-SHA-1 and SCRAM-SHA-256:
- https://github.com/mozilla/releases-comm-central/search?q=scram-sha-1
- https://github.com/mozilla/releases-comm-central/search?q=scram-sha-256
For example, already in:
- Cyrus: https://www.cyrusimap.org/sasl/sasl/authentication_mechanisms.html
- Dovecot: https://doc.dovecot.org/configuration_manual/authentication/authentication_mechanisms/
- Exim: https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_gsasl_authenticator.html
- GNU SASL (gsasl): https://www.gnu.org/software/gsasl/
- mpop: https://marlam.de/mpop/news/
- msmtp: https://marlam.de/msmtp/news/
- NeoMutt: https://github.com/neomutt/neomutt/blob/075c5c4d77f3a8451d77098ef12f9a3d2eda6998/conn/sasl.c#L107
- DataEnter CryptoFilter - The S/MIME Gateway: https://www.dataenter.com/beta/cryptofilter.htm
- DataEnter POPBeamer - The Mail Collector: https://www.dataenter.com/beta/popbeamer.htm
- DataEnter SMTPBeamer - The Mail Server: https://www.dataenter.com/beta/smtpbeamer.htm
- DataEnter XWall - The Mail Filter: https://www.dataenter.com/beta/xwall.htm
- MailKit/MimeKit: http://www.mimekit.net/docs/html/Introduction.htm
It is specified in ESET help: https://help.eset.com/era_admin/64/en-US/index.html?smtp_server.htm
It is specified in IONOS help: https://www.ionos.fr/digitalguide/email/aspects-techniques/authentification-smtp/
You can look at a big list here:
Google search:
- https://www.google.com/search?q=scram-sha-1
- https://www.google.com/search?q=scram-sha-256
- https://www.google.com/search?q=scram-sha-512
- https://www.google.com/search?q=scram-sha3-512
Thanks in advance.
Comment 7 • 6 months ago (Reporter)
Dear Mozilla Team,
Good news: the recent Dovecot 2.4.0 has SCRAM-SHA-1-PLUS/SCRAM-SHA-256-PLUS support in addition to SCRAM-SHA-1/SCRAM-SHA-256. It arrives after Exim, indimail-mta, msmtp, mpop, ...
It is possible to add it in Mozilla Thunderbird / Thunderbird Mobile / K-9 Mail too, of course.
Several years ago, SCRAM-SHA-1 and SCRAM-SHA-256 were added for XMPP but not for POP3/IMAP/SMTP/LDAP.
The whole list is here:
Thanks in advance.