The best comparison chart I could find on this is
http://members.elysium.pl/brush/smtp-auth/server.html and it's from
23.10.2000, so about 5 years old. Anyway, it looks like if we can get
LOGIN, PLAIN, CRAM-MD5 and DIGEST-MD5 working with STARTTLS, we will
have the basics covered.
-dain
On Dec 7, 2005, at 9:45 AM, Rick McGuire wrote:
Sasl is the challenge/response algorithm for simple server
authentication (Simple Authentication and Security Layer). The
SMTP spec on authentication defines everything in terms of SASL
operations (http://www.networksorcery.com/enp/rfc/rfc2554.txt).
Even PLAIN and LOGIN are SASL operations. The Java SASL API added
in 5.0 provides a nice extendable framework for SASL operations
with support for a lot more than the simple operations:
http://java.sun.com/j2se/1.5.0/docs/guide/security/sasl/sasl-refguide.html.
Using the SASL APIs is very nice, as it would allow Geronimo to
support almost anything a server would throw at us for free, as
long as it was a mechanism supported by the security provider
implementation.
Anyway, I've got code for LOGIN and PLAIN already written, and am
almost done with a CRAM-MD5 version. This sounds like it will be
sufficient for the short term.
Rick
Dain Sundstrom wrote:
From my experience, most servers and clients are just using LOGIN
and PLAIN with TLS sometimes. I'm not very familiar with Sasl;
can you explain how it fits into a mail client or server?
Thanks,
-dain
On Dec 7, 2005, at 8:37 AM, Rick McGuire wrote:
I've been looking at the issues of doing SMTP authentication, and
after reading the SMTP spec, started coding up a solution using
the Java Sasl API, which was doing most of the heavy lifting for
me. This morning, however, I finally noticed the critical words
in the Sasl Javadoc...."since Java 1.5". Since we're not in a
position to support Java 1.5 yet, that definitely tossed a speed
bump in my path.
LOGIN and PLAIN authentication are pretty simple to do without
Sasl, and I believe I can also figure out how to do CRAM-MD5.
Other forms of authentication are probably a bit beyond my
current experience with crypto/security. How sophisticated do
we need to be with this? Are LOGIN and PLAIN sufficient
(combined with TLS support)? Note that this question also
applies to the POP3 and IMAP implementations, since they also
use Sasl authentication mechanisms.
Rick
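The three mechanisms Rick says he is hand-coding without the Java SASL API (PLAIN, LOGIN, CRAM-MD5), and Dain's question about what LOGIN and PLAIN give you without TLS, as an added example. This is editor-written code, not code from the thread or from Geronimo, and it is in Python rather than the project's Java so that both sides of each RFC 2554 AUTH exchange can be played in one process and inspected. The user name, password, server-side password table and hostname are constructed for the example; DIGEST-MD5 is not covered.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed password table (not from the thread). Note CRAM-MD5 obliges the
# server to keep a cleartext-equivalent secret per user; a salted hash will not do.
PASSWORDS = {"alice": "correct horse"}
HOSTNAME = "mail.example.test"  # assumed; only appears inside the CRAM-MD5 challenge


def b64(data):
    return base64.b64encode(data).decode("ascii")


def plain_response(authcid, password, authzid=""):
    """PLAIN (RFC 2595 sec. 6): base64(authzid NUL authcid NUL password)."""
    return b64(authzid.encode() + b"\0" + authcid.encode() + b"\0" + password.encode())


def plain_parse(response):
    parts = base64.b64decode(response).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN response")
    return tuple(p.decode("utf-8") for p in parts)  # (authzid, authcid, password)


def cram_md5_challenge():
    """RFC 2195 challenge '<unique.timestamp@host>'. The random part is what
    makes a captured response useless for replay against a fresh challenge."""
    return "<%s.%d@%s>" % (os.urandom(8).hex(), int(time.time()), HOSTNAME)


def cram_md5_digest(password, challenge):
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()


def cram_md5_response(user, password, challenge_b64):
    challenge = base64.b64decode(challenge_b64).decode("ascii")
    return b64(("%s %s" % (user, cram_md5_digest(password, challenge))).encode())


def cram_md5_verify(response_b64, challenge_b64):
    user, _, digest = base64.b64decode(response_b64).decode("ascii").partition(" ")
    password = PASSWORDS.get(user)
    if password is None:
        return False
    challenge = base64.b64decode(challenge_b64).decode("ascii")
    return hmac.compare_digest(cram_md5_digest(password, challenge), digest)


def smtp_auth(mechanism, user, password):
    """Play both sides of an RFC 2554 AUTH exchange. Returns (accepted, lines),
    where lines is the dialogue exactly as a passive listener would see it."""
    lines = []
    client = lambda s: lines.append("C: " + s)
    server = lambda s: lines.append("S: " + s)
    if mechanism == "PLAIN":
        blob = plain_response(user, password)
        client("AUTH PLAIN " + blob)          # initial-response form, one round trip
        _, authcid, pw = plain_parse(blob)
        ok = PASSWORDS.get(authcid) == pw
    elif mechanism == "LOGIN":                # no RFC; prompts are base64 "Username:"/"Password:"
        client("AUTH LOGIN")
        server("334 " + b64(b"Username:"))    # VXNlcm5hbWU6
        client(b64(user.encode()))
        server("334 " + b64(b"Password:"))    # UGFzc3dvcmQ6
        client(b64(password.encode()))
        sent_user = base64.b64decode(lines[2][3:]).decode("utf-8")   # lines[2], [4] are the
        sent_pw = base64.b64decode(lines[4][3:]).decode("utf-8")     # two client replies
        ok = PASSWORDS.get(sent_user) == sent_pw
    elif mechanism == "CRAM-MD5":
        client("AUTH CRAM-MD5")
        challenge_b64 = b64(cram_md5_challenge().encode("ascii"))
        server("334 " + challenge_b64)
        response = cram_md5_response(user, password, challenge_b64)
        client(response)
        ok = cram_md5_verify(response, challenge_b64)
    else:
        raise ValueError("unsupported mechanism: " + mechanism)
    server("235 2.7.0 Authentication successful" if ok else "535 5.7.8 Authentication credentials invalid")
    return ok, lines


def client_blobs_decoded(lines):
    """Decode every base64 blob the client sent, as an eavesdropper on a non-TLS
    session would. PLAIN and LOGIN hand over the password; CRAM-MD5 does not."""
    out = []
    for line in lines:
        if line.startswith("C: "):
            try:
                out.append(base64.b64decode(line[3:].split()[-1], validate=True).decode("utf-8"))
            except (ValueError, UnicodeDecodeError):
                pass  # "AUTH LOGIN" and friends are not base64
    return out


def crack_cram_md5(lines, wordlist):
    """Offline dictionary attack on a captured CRAM-MD5 exchange. HMAC-MD5 is
    cheap, so keeping the password off the wire only helps if it is strong."""
    challenge_b64 = next(l[7:] for l in lines if l.startswith("S: 334 "))
    response = next(l[3:] for l in lines if l.startswith("C: ") and not l.startswith("C: AUTH"))
    user, _, digest = base64.b64decode(response).decode("ascii").partition(" ")
    challenge = base64.b64decode(challenge_b64).decode("ascii")
    for guess in wordlist:
        if hmac.compare_digest(cram_md5_digest(guess, challenge), digest):
            return user, guess
    return None


if __name__ == "__main__":
    for mech in ("PLAIN", "LOGIN", "CRAM-MD5"):
        ok, lines = smtp_auth(mech, "alice", "correct horse")
        print("\n".join(lines), "\n  listener sees:", client_blobs_decoded(lines))
```

Running it shows the point behind "LOGIN and PLAIN with TLS": base64 is an encoding, not encryption, so both mechanisms put the password on the wire in the clear and are only acceptable after STARTTLS. CRAM-MD5 keeps the password itself off the wire and the random challenge defeats replay, but a captured challenge/response pair can be guessed offline (crack_cram_md5), the server has to hold a cleartext-equivalent secret for every user, and nothing in the AUTH exchange protects the rest of the session, so TLS is still wanted. Server-side comparison uses hmac.compare_digest to avoid a timing side channel on the digest check.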