[resending ...]

Philip,
Briefly, if you are willing to add SCRAM and need an IMAP server to test against, let me know. Also see inline.

In message <[email protected]> Philip Whitehouse writes:

> Adding a new authentication method that obeys a spec is not actually
> that complex in terms of the amount of code I think. Certainly the
> code for the existing authentication methods is quite small in
> comparison.
>
> The real issue is trying to test against an actual mail server to
> verify the functionality. Producing the expected message in response
> to the challenge in the spec is one thing but verifying it really
> works is another.

Cyrus imapd (which uses cyrus sasl2) supports SCRAM-SHA1 (RFC 5802). If you like I can set up a mail server with a domain that is configured to support only SCRAM auth (or SCRAM plus CRAM-MD5 if you want to verify with CRAM-MD5 first). The only catch is the MDA (imap server) would have only an IPv6 address - a bit short on IPv4s. Or you could just have an account on an existing domain. (MDAs are all on IPv6 though.)

> There is an outstanding issue for supporting XOAuth which is likely to
> happen because it's used by Gmail so a developer can just create a
> Gmail account to test against. XOAuth is actually a bit more complex
> too because it's a token not the password so there's probably some UX
> work in getting that token.

XOAUTH is also not well defined and suffers from interoperability problems. That is why IANA has it marked obsolete. Last I checked (just now, empirically) gmail also supports OAUTHBEARER which is best used within TLS. The list is XOAUTH2 PLAIN PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH. It would be nice if google added OAUTH10A (and SCRAM).

> Basically, yes, I'm sure a PR would be accepted but without a server
> to test against it's more difficult. If you know one that supports it
> and has free sign up then that makes it more likely to happen.
I can probably build one in under an hour (it's a new BSD jail which I have config templates for, so just need to populate DNS and set it up - a one-liner on the MTA is also needed - plus a few details to allow you to use port 587 if you want that too). If this would help, let me know. I'll create a subdomain and give you the one and only email address in the subdomain.

> The RFCs mention GSS-API - that's probably more complex still.

And not often used for email AFAIK. Maybe some universities that have been using kerberos (and maybe AFS) for ages. Good stuff.

> I might see with my mail provider what settings I can auth my IMAP
> account by.
>
> Anyone know what other mail clients support here (I guess Thunderbird
> supports everything - Gmail and iOS?)

Thunderbird does not support everything. Not even close. It does now support OAUTH2 but it doesn't work if you've removed trust in CA certs (it pops up an exception window indicating it didn't like a cert but then clicking on anything but cancel does nothing). Given the otherwise sparse support on google's side it means enabling "insecure access" on the gmail account and fallback to PLAIN. No problem for me because I don't use gmail for anything important. A bit annoying.

Note that if you remove support for *all* CAs and then add exceptions for your IMAP server's certs it is harder for MITM to spoof using a rogue CA (or a government controlled CA). Of course disabling ciphers that don't support forward secrecy (which has to be done on the client side and can be hard to do on the client side, short of recompiling the app or OS crypto support) and using a mechanism supporting mutual auth also help foil a MITM.

[OT] It would be nice if email clients supported DANE but that might be asking too much given that browsers haven't even got there without third party plugins.
Curtis

> On 27 March 2016 21:37:02 BST, Curtis Villamizar <[email protected]> wrote:
> >Any chance SCRAM (Salted Challenge Response Authentication Mechanism -
> >RFC 7677, RFC 5802) could be supported in the near future?
> >
> >This is the simplest non-obsolete SASL method that supports mutual
> >authentication and is a big improvement over CRAM-MD5.
> >See
> >http://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml
> >
> >The supported authentications (PLAIN and CRAM-MD5) are very weak and
> >provide only one way authentication.
> >Even SCRAM-SHA1 is a big improvement over CRAM-MD5.
> >
> >Curtis
> >
> >--
> >--
> >You received this message because you are subscribed to the K-9 Mail
> >Users List.
> >To post to this group, send email to [email protected]
> >To unsubscribe, email [email protected]
> >To report an issue with K-9 Mail, visit
> >http://code.google.com/p/k9mail/issues/list
> >For more options, visit this group at
> >http://groups.google.com/group/k-9-mail
> >
> >---
> >You received this message because you are subscribed to the Google
> >Groups "K-9 Mail" group.
> >To unsubscribe from this group and stop receiving emails from it, send
> >an email to [email protected].
> >For more options, visit https://groups.google.com/d/optout.
>
> Best regards
>
> Philip Whitehouse

My java skills are lacking and I'm not set up to compile and install android apps or I'd offer to help with the coding.

Thanks for the reply and thanks for your contributions to K-9 even if you decide not to take on SCRAM. We all have limited time for this stuff.

Curtis
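The exchange Curtis is asking for, as an added example that is not part of this thread and not K-9 Mail's or Cyrus's code: a self-contained SCRAM-SHA-1 (RFC 5802) client and server in Python, driven through all four messages. It shows the two properties the thread argues for over PLAIN and CRAM-MD5: the server stores only the derived StoredKey and ServerKey rather than the password, and authentication is mutual, because the client checks the server's final `v=` signature and rejects a server that cannot produce it. The user name, password, nonces, salt and iteration count are the RFC 5802 section 5 example inputs, fixed here only so the run is reproducible; a real client and server must draw fresh random nonces. Channel binding is not used (`n,,` header), which matches a plain SCRAM-SHA-1 negotiation over an already-established TLS session.

```python
import base64
import hashlib
import hmac

# Constructed demo inputs: the RFC 5802 section 5 example values. The nonces
# are fixed only to make the run reproducible; real peers use fresh random ones.
USER = "user"
PASSWORD = "pencil"
CLIENT_NONCE = "fyko+d2lbbFgONRv9qkxdawL"
SERVER_NONCE = "3rfcNHYJY1ZVvWVs7j"
SALT = base64.b64decode("QSXCR+Q6sek8bf92")
ITERATIONS = 4096
GS2_HEADER = "n,,"  # no channel binding, no authorization identity


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def parse_attrs(msg: str) -> dict:
    """Split 'a=1,b=2' into a dict; base64 values may contain '=' padding."""
    return dict(part.split("=", 1) for part in msg.split(","))


def hi(password: str, salt: bytes, iterations: int) -> bytes:
    """Hi() of RFC 5802 is PBKDF2 with HMAC-SHA-1 and a 20-byte output."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, 20)


def derive_server_record(password: str, salt: bytes, iterations: int) -> dict:
    # What the server keeps: salt, iteration count, StoredKey and ServerKey.
    salted = hi(password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return {"salt": salt, "i": iterations, "server_key": server_key,
            "stored_key": hashlib.sha1(client_key).digest()}


class ScramClient:
    def __init__(self, user: str, password: str, nonce: str):
        self.password, self.nonce = password, nonce
        self.first_bare = f"n={user},r={nonce}"
        self.server_signature = b""

    def first_message(self) -> str:
        return GS2_HEADER + self.first_bare

    def final_message(self, server_first: str) -> str:
        attrs = parse_attrs(server_first)
        if not attrs["r"].startswith(self.nonce):
            raise ValueError("server did not echo the client nonce")
        salted = hi(self.password, base64.b64decode(attrs["s"]), int(attrs["i"]))
        client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
        stored_key = hashlib.sha1(client_key).digest()
        without_proof = f"c={b64(GS2_HEADER.encode())},r={attrs['r']}"
        auth_message = f"{self.first_bare},{server_first},{without_proof}".encode()
        client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
        proof = xor(client_key, client_sig)  # proves ClientKey without sending it
        server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
        # What an honest server must return in its final message.
        self.server_signature = hmac.new(server_key, auth_message, hashlib.sha1).digest()
        return f"{without_proof},p={b64(proof)}"

    def verify_server(self, server_final: str) -> bool:
        """Mutual authentication: accept only a server that knows ServerKey."""
        attrs = parse_attrs(server_final)
        if "v" not in attrs:
            return False
        return hmac.compare_digest(base64.b64decode(attrs["v"]), self.server_signature)


class ScramServer:
    def __init__(self, records: dict, nonce: str):
        self.records, self.nonce = records, nonce

    def first_message(self, client_first: str) -> str:
        if not client_first.startswith(GS2_HEADER):
            raise ValueError("unsupported GS2 header")
        self.client_first_bare = client_first[len(GS2_HEADER):]
        attrs = parse_attrs(self.client_first_bare)
        self.record = self.records[attrs["n"]]
        self.combined_nonce = attrs["r"] + self.nonce
        self.server_first = (f"r={self.combined_nonce},s={b64(self.record['salt'])},"
                             f"i={self.record['i']}")
        return self.server_first

    def final_message(self, client_final: str) -> str:
        without_proof, proof_b64 = client_final.rsplit(",p=", 1)
        if parse_attrs(without_proof)["r"] != self.combined_nonce:
            return "e=other-error"
        auth_message = f"{self.client_first_bare},{self.server_first},{without_proof}".encode()
        client_sig = hmac.new(self.record["stored_key"], auth_message, hashlib.sha1).digest()
        # Recover ClientKey from the proof and check H(ClientKey) == StoredKey.
        client_key = xor(base64.b64decode(proof_b64), client_sig)
        if not hmac.compare_digest(hashlib.sha1(client_key).digest(), self.record["stored_key"]):
            return "e=invalid-proof"
        server_sig = hmac.new(self.record["server_key"], auth_message, hashlib.sha1).digest()
        return f"v={b64(server_sig)}"


RECORDS = {USER: derive_server_record(PASSWORD, SALT, ITERATIONS)}


def run_exchange(client_password: str, records: dict = RECORDS) -> tuple:
    """Drive the four messages; returns (server accepted, client accepted, transcript)."""
    client = ScramClient(USER, client_password, CLIENT_NONCE)
    server = ScramServer(records, SERVER_NONCE)
    c1 = client.first_message()
    s1 = server.first_message(c1)
    c2 = client.final_message(s1)
    s2 = server.final_message(c2)
    server_ok = s2.startswith("v=")
    client_ok = server_ok and client.verify_server(s2)
    return server_ok, client_ok, [c1, s1, c2, s2]


if __name__ == "__main__":
    for pw in (PASSWORD, "wrong"):
        server_ok, client_ok, transcript = run_exchange(pw)
        print(f"password {pw!r}: server accepted={server_ok}, client accepted={client_ok}")
        print("\n".join("    " + line for line in transcript))
```

Running it with the RFC inputs reproduces the transcript printed in RFC 5802 section 5; with a wrong password the server answers `e=invalid-proof` and nothing password-equivalent ever crosses the wire, which is the difference from PLAIN. The `verify_server` check is the part a client must not skip: without it the exchange degrades to one-way authentication, which is exactly the weakness of CRAM-MD5 that the thread complains about.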
