On that note, what are the authentication requirements for IMAP? I know how to authenticate with SSLv3 and TLS, in addition to plain. What mechanisms do we need to support?
> Sasl is the challenge/response algorithm for simple server
> authentication (Simple Authentication and Security Layer). The SMTP
> spec on authentication defines everything in terms of SASL operations
> (http://www.networksorcery.com/enp/rfc/rfc2554.txt). Even PLAIN and
> LOGIN are SASL operations. The Java SASL API added in 5.0 provides a
> nice extendable framework for SASL operations with support for a lot
> more than the simple operations.
> http://java.sun.com/j2se/1.5.0/docs/guide/security/sasl/sasl-refguide.html
>
> Using the SASL APIs is very nice, as it would allow Geronimo to support
> almost anything a server would throw at us for free, as long as it was a
> mechanism supported by the security provider implementation.
>
> Anyway, I've got code for LOGIN and PLAIN already written, and am almost
> done with a CRAM-MD5 version. This sounds like it will be sufficient
> for the short term.
>
> Rick
>
> Dain Sundstrom wrote:
>
>> From my experience, most servers and clients are just using LOGIN and
>> PLAIN with TLS sometimes. I'm not very familiar with Sasl; can you
>> explain how it fits into a mail client or server?
>>
>> Thanks,
>>
>> -dain
>>
>> On Dec 7, 2005, at 8:37 AM, Rick McGuire wrote:
>>
>>> I've been looking at the issues of doing SMTP authentication, and after
>>> reading the SMTP spec, started coding up a solution using the Java
>>> Sasl API, which was doing most of the heavy lifting for me. This
>>> morning, however, I finally noticed the critical words in the Sasl
>>> Javadoc...."since Java 1.5". Since we're not in a position to
>>> support Java 1.5 yet, that definitely tossed a speed bump in my path.
>>> LOGIN and PLAIN authentication are pretty simple to do without Sasl,
>>> and I believe I can also figure out how to do CRAM-MD5. Other forms
>>> of authentication are probably a bit beyond my current experience
>>> with crypto/security. How sophisticated do we need to be with
>>> this? Are LOGIN and PLAIN sufficient (combined with TLS support)?
>>> Note that this question also applies to the POP3 and IMAP
>>> implementations, since they also use Sasl authentication mechanisms.
>>>
>>> Rick

--
bilal
-----
"We act as though comfort and luxury were the chief requirements of life, when all that we need to make us happy is something to be enthusiastic about." - Einstein
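The two mechanisms Rick says he has written, as an added example that is not code from this thread or from Geronimo: the client-side encoding of the SASL PLAIN and CRAM-MD5 responses using only JCE, without javax.security.sasl (the Java 1.5 dependency Rick describes). It assumes java.util.Base64 (Java 8 or later) for brevity; on the 1.4-era JDK under discussion you would substitute a Base64 codec. The self-check in main uses the worked challenge/response from RFC 2195.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Client-side SASL PLAIN and CRAM-MD5 response encoding without the javax.security.sasl API. */
public final class MailAuthResponses {

    /** PLAIN: base64("\0" + user + "\0" + password). The password crosses the wire in clear. */
    public static String plainResponse(String user, String password) {
        byte[] raw = ("\0" + user + "\0" + password).getBytes(StandardCharsets.UTF_8);
        return Base64.getEncoder().encodeToString(raw);
    }

    /**
     * CRAM-MD5 (RFC 2195): the server sends a base64 challenge; the client replies with
     * base64(user + " " + lowercase-hex(HMAC-MD5(key = password, data = challenge))).
     * The password itself never crosses the wire, but the server must keep it (or an
     * equivalent secret) in recoverable form to verify the reply.
     */
    public static String cramMd5Response(String user, String password, String base64Challenge)
            throws Exception {
        byte[] challenge = Base64.getDecoder().decode(base64Challenge);
        Mac mac = Mac.getInstance("HmacMD5");
        mac.init(new SecretKeySpec(password.getBytes(StandardCharsets.UTF_8), "HmacMD5"));
        byte[] digest = mac.doFinal(challenge);
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            hex.append(String.format("%02x", b)); // %02x on a Byte yields the unsigned two-digit form
        }
        byte[] raw = (user + " " + hex).getBytes(StandardCharsets.UTF_8);
        return Base64.getEncoder().encodeToString(raw);
    }

    public static void main(String[] args) throws Exception {
        // Challenge, user name and shared secret are the worked example in RFC 2195 section 2.
        String challenge = "PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+";
        String rfcResponse = "dGltIGI5MTNhNjAyYzdlZGE3YTQ5NWI0ZTZlNzMzNGQzODkw";
        String actual = cramMd5Response("tim", "tanstaaftanstaaf", challenge);
        System.out.println("CRAM-MD5 reply matches RFC 2195 vector: " + actual.equals(rfcResponse));
        System.out.println("PLAIN reply for tim: " + plainResponse("tim", "tanstaaftanstaaf"));
    }
}
```

PLAIN and LOGIN both send the password in clear, so a client should offer them only once TLS is established; CRAM-MD5 keeps it off the wire at the cost of the server storing a recoverable secret.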
