Sasl is the challenge/response algorithm for simple server
authentication (Simple Authentication and Security Layer). The SMTP
spec on authentication defines everything in terms of SASL operations
(http://www.networksorcery.com/enp/rfc/rfc2554.txt). Even PLAIN and
LOGIN are SASL operations. The Java SASL API added in 5.0 provides a
nice extendable framework for SASL operations with support for a lot
more than the simple operations.
http://java.sun.com/j2se/1.5.0/docs/guide/security/sasl/sasl-refguide.html.
Using the SASL APIs is very nice, as it would allow Geronimo to support
almost anything a server would throw at us for free, as long as it was a
mechanism supported by the security provider implementation.
Anyway, I've got code for LOGIN and PLAIN already written, and am almost
done with a CRAM-MD5 version. This sounds like it will be sufficient
for the short term.
Rick
Dain Sundstrom wrote:
From my experience, most servers and clients are just using LOGIN and
PLAIN with TLS sometimes. I'm not very familiar with Sasl; can you
explain how it fits into a mail client or server?
Thanks,
-dain
On Dec 7, 2005, at 8:37 AM, Rick McGuire wrote:
I've been looking at the issues of doing SMTP authentication, and after
reading the SMTP spec, started coding up a solution using the Java
Sasl API, which was doing most of the heavy lifting for me. This
morning, however, I finally noticed the critical words in the Sasl
Javadoc... "since Java 1.5". Since we're not in a position to
support Java 1.5 yet, that definitely tossed a speed bump in my path.
LOGIN and PLAIN authentication are pretty simple to do without Sasl,
and I believe I can also figure out how to do CRAM-MD5. Other forms
of authentication are probably a bit beyond my current experience
with crypto/security. How sophisticated do we need to be with
this? Are LOGIN and PLAIN sufficient (combined with TLS support)?
Note that this question also applies to the POP3 and IMAP
implementations, since they also use Sasl authentication mechanisms.
Rick
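The three mechanisms Rick mentions hand-coding without the Java 5 SASL API (LOGIN, PLAIN and CRAM-MD5), worked through as an added example that is not part of this thread or of Geronimo's code; Python is used here instead of Java so it runs stand-alone. The user, password and challenge are the constructed test values from the RFC 4616 and RFC 2195 examples, and the server-side CRAM-MD5 check is an assumed helper, not anything from the project.

```python
import base64
import hashlib
import hmac

# Constructed test data: the worked examples from RFC 4616 (PLAIN) and RFC 2195 (CRAM-MD5).
USER = "tim"
PASSWORD = "tanstaaftanstaaf"
CHALLENGE_B64 = base64.b64encode(b"<1896.697170952@postoffice.reston.mci.net>").decode("ascii")


def plain_response(username, password, authzid=""):
    """AUTH PLAIN (RFC 4616): base64(authzid NUL authcid NUL password).
    The password crosses the wire as-is, so this is only for use inside TLS."""
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def login_responses(username, password):
    """AUTH LOGIN: two separate base64 lines answering the server's 'Username:'
    and 'Password:' prompts; same plaintext exposure as PLAIN."""
    return [base64.b64encode(s.encode("utf-8")).decode("ascii") for s in (username, password)]


def cram_md5_response(username, password, challenge_b64):
    """AUTH CRAM-MD5 (RFC 2195): base64(username SP hex(HMAC-MD5(password, challenge))).
    Only a keyed digest of the server's one-time challenge is sent, not the password."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode("utf-8")).decode("ascii")


def cram_md5_verify(response_b64, challenge_b64, lookup_password):
    """Assumed server-side check: recompute the digest for the claimed user and
    compare in constant time. Malformed input is a plain False, never an
    exception that reveals which step failed. The server must hold the password
    in a recoverable form; that is the price of keeping it off the wire."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode("utf-8")
        username, claimed = decoded.rsplit(" ", 1)
        challenge = base64.b64decode(challenge_b64, validate=True)
    except (ValueError, UnicodeDecodeError):
        return False
    password = lookup_password(username)
    if password is None:
        return False
    expected = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode("ascii"), claimed.encode("utf-8"))
```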