aiosmtpd
SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) + SCRAM-SHA-512(-PLUS) + SCRAM-SHA3-512(-PLUS) support
Dear @aio-libs team,
First, I wish you a Happy New Year!
Can you add support for:
- SCRAM-SHA-1
- SCRAM-SHA-1-PLUS
- SCRAM-SHA-256
- SCRAM-SHA-256-PLUS
- SCRAM-SHA-512
- SCRAM-SHA-512-PLUS
- SCRAM-SHA3-512
- SCRAM-SHA3-512-PLUS
"When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".
- SCRAM-SHA-1(-PLUS):
  - https://tools.ietf.org/html/rfc5802
  - https://tools.ietf.org/html/rfc6120
- SCRAM-SHA-256(-PLUS):
  - https://tools.ietf.org/html/rfc7677 since 2015-11-02
  - https://tools.ietf.org/html/rfc8600 since 2019-06-21: https://mailarchive.ietf.org/arch/msg/ietf-announce/suJMmeMhuAOmGn_PJYgX5Vm8lNA
- SCRAM-SHA-512(-PLUS):
  - https://tools.ietf.org/html/draft-melnikov-scram-sha-512
- SCRAM-SHA3-512(-PLUS):
  - https://tools.ietf.org/html/draft-melnikov-scram-sha3-512
https://xmpp.org/extensions/inbox/hash-recommendations.html
-PLUS variants:
- RFC5056: On the Use of Channel Bindings to Secure Channels: https://tools.ietf.org/html/rfc5056
- RFC5929: Channel Bindings for TLS: https://tools.ietf.org/html/rfc5929
- Channel-Binding Types: https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml
- RFC 9266: Channel Bindings for TLS 1.3: https://tools.ietf.org/html/rfc9266
IMAP:
- RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2: https://tools.ietf.org/html/rfc9051
LDAP:
- RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803
HTTP:
- RFC7804: Salted Challenge Response HTTP Authentication Mechanism: https://tools.ietf.org/html/rfc7804
2FA:
- Extensions to Salted Challenge Response (SCRAM) for 2 factor authentication: https://tools.ietf.org/html/draft-melnikov-scram-2fa
IANA:
- Simple Authentication and Security Layer (SASL) Mechanisms: https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml
Linked to:
- https://github.com/scram-xmpp/info/issues/1
I'm not 100% certain if it makes sense to add this functionality to aiosmtpd, or if it should be implemented in a layer that uses aiosmtpd as a library.
@waynew: Thanks for your quick reply!
How old unsecure are supported?
- CRAM-MD5
- DIGEST-MD5
@Neustradamus I'm not sure I understand what you're asking. Are you asking how to support them?
@waynew: Already this: https://github.com/aio-libs/aiosmtpd/search?q=md5 ^^
If you click on that link and take a look at the test, it's explicitly checking to make sure that those auth methods are not supported.
If you wanted to support those methods then you would have to follow the docs and roll your own.
I do not want to use old and unsecure protocols but show you that SCRAM must be compatible with :)
> show you that SCRAM must be compatible with
Something is getting lost in translation :disappointed:
I do not understand what you mean.
Dear @aio-libs team,
Have you progressed on it?
Thanks in advance.
Hi @Neustradamus, we only provide 2 built-in auth mechanisms: auth_PLAIN and auth_LOGIN.
Other authentication mechanisms are left to the user to implement.
This is documented in the Authentication System section of the documentation.
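For readers who do implement a mechanism themselves, here is the server-side check that a SCRAM-SHA-256 mechanism (RFC 5802 / RFC 7677) has to perform. It is an added example, not code from aiosmtpd or from anyone in this thread. The function names `derive_keys` and `verify_client_final` are hypothetical, and the sketch assumes ASCII passwords (no SASLprep), no channel binding (the non-PLUS variant) and no extension attributes.

```python
import base64
import hashlib
import hmac

# Exchange published as the test vector in RFC 7677 section 3
# (user "user", password "pencil", no channel binding).
CLIENT_FIRST_BARE = "n=user,r=rOprNGfwEbeRWgbNEkqO"
SERVER_FIRST = ("r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,"
                "s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096")
CLIENT_FINAL = ("c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,"
                "p=dHzbZapWIk4jUhN+Ute9ytag9zjfMHgsqmmiz7AndVQ=")
SALT = base64.b64decode("W22ZaJ0SNY7soEsUEjb6gQ==")

def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def derive_keys(password: str, salt: bytes, iterations: int):
    """(StoredKey, ServerKey): what the server stores instead of the password."""
    # Assumption: ASCII password, so the SASLprep normalisation step is skipped.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hashlib.sha256(_mac(salted, b"Client Key")).digest(), _mac(salted, b"Server Key")

def verify_client_final(stored_key, server_key, client_first_bare,
                        server_first, client_final):
    """Return the server-final message if the client proof is valid, else None."""
    without_proof, sep, proof_b64 = client_final.rpartition(",p=")
    try:
        attrs = dict(a.split("=", 1) for a in without_proof.split(","))
        proof = base64.b64decode(proof_b64, validate=True)
    except ValueError:  # malformed attribute or base64
        return None
    nonce = server_first.split(",", 1)[0][2:]
    # "biws" is base64("n,,"): the client asserts that no channel binding is used.
    if not sep or attrs.get("c") != "biws" or attrs.get("r") != nonce:
        return None
    auth_message = f"{client_first_bare},{server_first},{without_proof}".encode()
    client_sig = _mac(stored_key, auth_message)
    if len(proof) != len(client_sig):
        return None
    # ClientProof = ClientKey XOR ClientSignature, so XOR recovers ClientKey.
    client_key = bytes(p ^ s for p, s in zip(proof, client_sig))
    if not hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key):
        return None
    return "v=" + base64.b64encode(_mac(server_key, auth_message)).decode()

if __name__ == "__main__":
    keys = derive_keys("pencil", SALT, 4096)
    print(verify_client_final(*keys, CLIENT_FIRST_BARE, SERVER_FIRST, CLIENT_FINAL))
```

The server never needs the password after enrolment: it keeps only the salt, the iteration count, StoredKey and ServerKey, and the returned `v=` value lets the client authenticate the server in turn.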
@pepoluan: It is needed:
- RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2: https://tools.ietf.org/html/rfc9051
> @pepoluan: It is needed:
>
> * RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2: https://tools.ietf.org/html/rfc9051
That is the RFC for IMAP server, not for SMTP server.
aiosmtpd does not handle IMAP.
@pepoluan: You can see here:
- https://en.wikipedia.org/wiki/Salted_Challenge_Response_Authentication_Mechanism