SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) + SCRAM-SHA-512(-PLUS) supports

[Neustradamus]

Can you add the SCRAM supports?

For example Rouncube has needed: roundcube/roundcubemail#6917

---

Cyrus SASL supports:

• SCRAM-SHA-1
• SCRAM-SHA-1-PLUS
• SCRAM-SHA-224
• SCRAM-SHA-224-PLUS
• SCRAM-SHA-256
• SCRAM-SHA-256-PLUS
• SCRAM-SHA-384
• SCRAM-SHA-384-PLUS
• SCRAM-SHA-512
• SCRAM-SHA-512-PLUS

-> https://cyrusimap.org/sasl/sasl/authentication_mechanisms.html
-> https://github.com/cyrusimap/cyrus-sasl/commits/master

Dovecot SASL supports:

• SCRAM-SHA-1
• SCRAM-SHA-256

-> https://doc.dovecot.org/configuration_manual/authentication/password_schemes/

GNU SASL supports:

• SCRAM-SHA-1
• SCRAM-SHA-1-PLUS
• SCRAM-SHA-256
• SCRAM-SHA-256-PLUS

-> http://www.gnu.org/software/gsasl/

---

"When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".

• SCRAM-SHA-1(-PLUS):
  -- https://tools.ietf.org/html/rfc5802
  -- https://tools.ietf.org/html/rfc6120

• SCRAM-SHA-256(-PLUS):
  -- https://tools.ietf.org/html/rfc7677 since 2015-11-02
  -- https://tools.ietf.org/html/rfc8600 since 2019-06-21: https://mailarchive.ietf.org/arch/msg/ietf-announce/suJMmeMhuAOmGn_PJYgX5Vm8lNA

• SCRAM-SHA-512(-PLUS):
  -- https://tools.ietf.org/html/draft-melnikov-scram-sha-512

• SCRAM-SHA3-512(-PLUS):
  -- https://tools.ietf.org/html/draft-melnikov-scram-sha3-512

• SCRAM BIS: Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms:
  -- https://tools.ietf.org/html/draft-melnikov-scram-bis

https://xmpp.org/extensions/inbox/hash-recommendations.html

-PLUS variants:

• RFC5056: On the Use of Channel Bindings to Secure Channels: https://tools.ietf.org/html/rfc5056
• RFC5929: Channel Bindings for TLS: https://tools.ietf.org/html/rfc5929
• Channel-Binding Types: https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml
• RFC 9266: Channel Bindings for TLS 1.3: https://tools.ietf.org/html/rfc9266

IMAP:

• RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2: https://tools.ietf.org/html/rfc9051

LDAP:

• RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted: Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803

HTTP:

• RFC7804: Salted Challenge Response HTTP Authentication Mechanism: https://tools.ietf.org/html/rfc7804

2FA:

• Extensions to Salted Challenge Response (SCRAM) for 2 factor authentication: https://datatracker.ietf.org/doc/html/draft-ietf-kitten-scram-2fa

IANA:

• Simple Authentication and Security Layer (SASL) Mechanisms: https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml

Linked to:

• State of Play scram-sasl/info#1

[jparise]

I don't have any plans to implement this myself, but I would gladly review a patch that adds this support.

[Neustradamus]

@jparise: 11 months after, have you looked?

I have added drafts "Channel Bindings for SCRAM over TLS 1.3 / SCRAM-SHA-512(-PLUS) / SCRAM-SHA3-512(-PLUS) / 2FA" and added details of Cyrus SASL / Dovecot SASL / GNU SASL.

Thanks a lot in advance.

[jparise]

As I said earlier, I'd be glad to review a Pull Request that adds support for these new algorithms.

[schengawegga]

@Neustradamus I have developed a first draft of SCRAM support, but i have to test it first before i can create a pull request. Do you have a docker container within a SMTP server wich supports any or all kinds of SCRAM?

[Neustradamus]

@schengawegga: Nice, thanks a lot for your work!

I think that @mbhangui or @maranda can help you for a test account.

cc: @nevans, @hsbt, @shugo.

[mbhangui]

indimail has docker images at https://hub.docker.com/r/cprogrammer/indimail. Some documentation is here.

The steps would be to

1. Create a domain using vadddomain
2. create an user using vadduser
3. Modify user password using vmoduser for SCRAM-SHA1, or SCRAM-SHA-256 (and the PLUS methods).

You can reach out to me privately if you need any help in setting up accounts using indimail docker.

gsasl also has a tiny smtp server in the examples directory. One can compile it and do a basic test. AFAIK, The gsasl utility too can act as a server using the --server option. But I have never tried those option. But I have used the client options to test SCRAM auth methods against indimail server.

[Neustradamus]

@schengawegga: Have you seen the @mbhangui comment?

[schengawegga]

@Neustradamus @mbhangui
Yes, i´ve seen @mbhangui comment.
Thanks you for the detailed instructions.
But my time is very short at the moment.
I will have a closer look on the docker container when i´m not so busy anymore.

[schengawegga]

@mbhangui now i tried about 4 hours to run and configure indimail to test my developement, but it won´t work on my own.
It is possible, that you can give me a fully configured indimail server within an .vbox image?
My problem at the moment is a mysql certificate error on vadduser command.

[mbhangui]

@mbhangui now i tried about 4 hours to run and configure indimail to test my developement, but it won´t work on my own. It is possible, that you can give me a fully configured indimail server within an .vbox image? My problem at the moment is a mysql certificate error on vadduser command.

Which image did you use? Sure I can give a full configured indimail server with .vbox image, but that could take me a day or two.

[mbhangui]

So I tried this and it worked. You can repeat the steps exactly as below

1. Pull the image
   $ podman pull ghcr.io/mbhangui/indimail:rockylinux8

2. List the image
   $ podman images|grep rocky
   ghcr.io/mbhangui/indimail rockylinux8 274da2d2b6d7 2 months ago 1.09 GB

3. Run docker or podman command. This will run SMTP on port 25 without authentication and on port 587 with authentication. You can use port 2587 on the host where you run podman command to use SMTP for testing SCRAM methods.

$ podman run --rm -d --publish-all --name indimail -h indimail.org --cap-add SYS_PTRACE --cap-add SYS_ADMIN --cap-add IPC_LOCK --cap-add SYS_RESOURCE --cap-add=NET_ADMIN --cap-add=CAP_NET_RAW --cap-add=SYS_NICE -p 2025:25 -p 2587:587 274da2d2b6d7
2e11d469150726b874e808d9ad967b8c8c9a2629edee4186c1e827406828f048

4. Open a shell on the running container

$ podman exec -ti indimail bash
indimail.org:(root) / >

5. In the container, create domain using vadddomain and one user testuser01 that support SCRAM authentication using vadduser

indimail.org:(root) / > vadddomain example.com password
indimail.org:(root) / > vadduser -C -m SCRAM-SHA-256 -d [email protected] somepassword

6. On the host where you ran the podman command, test SCRAM-SHA-256 with the gsasl command. You will require to install the gsasl RPM or debian package on your host. Alternatively you can run gsasl command on the indimail container on port 587 instead of port 2587

a) without channel binding
$ gsasl -d --no-cb --hostname=argos.indimail.org --x509-ca-file="" -a [email protected] --password 'somepassword' --mechanism SCRAM-SHA-256 --smtp --connect localhost:2587

b) or you can use channel binding
$ gsasl -d --hostname=argos.indimail.org --x509-ca-file="" -a [email protected] --password 'somepassword' --mechanism SCRAM-SHA-256-PLUS --smtp --connect localhost:2587

Any issue let me know. You can replace podman with docker command. The syntax is the same for both. I prefer podman because it runs without needing a daemon running as root.

The response to the gsasl command will be like this and in the end you should get 235 ok, go ahead (#2.0.0)

Trying ‘localhost’...
220 indimail.org (NO UCE) ESMTP IndiMail 1.285 Thu, 30 Mar 2023 09:17:45 +0000
EHLO [127.0.0.1]
250-indimail.org
250-AUTH LOGIN PLAIN CRAM-MD5 CRAM-SHA1 CRAM-SHA224 CRAM-SHA256 CRAM-SHA384 CRAM-SHA512 CRAM-RIPEMD DIGEST-MD5 SCRAM-SHA-1 SCRAM-SHA-256
250-PIPELINING
250-8BITMIME
250-SIZE 20971520
250-ETRN
250-STARTTLS
250 HELP
STARTTLS
220 ready for tls
TLS X.509 Verification: The certificate is NOT trusted. The certificate chain is revoked. The certificate doesn't match the local copy (TOFU). The revocation or OCSP data are old and have been superseded. The revocation or OCSP data are issued with a future date. The certificate issuer is unknown. The certificate issuer is not a CA. The certificate chain uses insecure algorithm. The certificate chain violates the signer's constraints. The certificate chain does not match the intended purpose. The certificate chain uses not yet valid certificate. The certificate chain uses expired certificate. The signature in the certificate is invalid. The name in the certificate does not match the expected. The certificate requires the server to include an OCSP status in its response, but the OCSP status is missing. The received OCSP status response is invalid. The certificate contains an unknown critical extension.
EHLO [127.0.0.1]
250-indimail.org
250-AUTH LOGIN PLAIN CRAM-MD5 CRAM-SHA1 CRAM-SHA224 CRAM-SHA256 CRAM-SHA384 CRAM-SHA512 CRAM-RIPEMD DIGEST-MD5 SCRAM-SHA-1 SCRAM-SHA-256 SCRAM-SHA-1-PLUS SCRAM-SHA-256-PLUS
250-PIPELINING
250-8BITMIME
250-SIZE 20971520
250-ETRN
250 HELP
AUTH SCRAM-SHA-256
334
biwsbj10ZXN0dXNlcjAxQGV4YW1wbGUuY29tLHI9TlNqa1pCSjdkSGc4NEpHcGVLRVJjYS9w
334 cj1OU2prWkJKN2RIZzg0SkdwZUtFUmNhL3AwU1M2M3c1Z2RLUkZBQm1ZeTQ1b1pyZDEscz13YitqSjBvMTB5bWJoSHdZLGk9NDA5Ng==
Yz1iaXdzLHI9TlNqa1pCSjdkSGc4NEpHcGVLRVJjYS9wMFNTNjN3NWdkS1JGQUJtWXk0NW9acmQxLHA9U1FTN1lCR0Z0cXlnM1NrZWVDQzVxbStqTGdYUzBrNVlCQ0hFY1NSREFvRT0=
334 dj1zaDlVUEJtSDZvcTVtQ2NNZWpVRStQd2hmNFhrQW53Y0F0VHBzUHorejRnPQ==

235 ok, go ahead (#2.0.0)
Client authentication finished (server trusted)...
Session finished...
QUIT
221 indimail.org closing connection

[schengawegga]

@mbhangui Thanks for your manual.
But when i do step 3, i get the following errormessage

Error: initializing source docker://registry.redhat.io/274da2d2b6d72e11d469150726b874e808d9ad967b8c8c9a2629edee4186c1e827406828f048:latest: reading manifest latest in registry.redhat.io/274da2d2b6d72e11d469150726b874e808d9ad967b8c8c9a2629edee4186c1e827406828f048: unknown: Not Found

Maybe can you please provide a vbox image to me?
That will be very helpful.
I am not in a hurry, so it is okay if it takes some time.

[mbhangui]

Not sure why you are getting error with docker. This is cut-paste of what I tried just now with docker. I will try make a vbox image tonight

$ docker pull ghcr.io/mbhangui/indimail:rockylinux8
rockylinux8: Pulling from mbhangui/indimail
5461c86c2e54: Pull complete 
dd6dc7d0a3df: Pull complete 
8e0fd9e8bca9: Pull complete 
Digest: sha256:412400049a452f1d50f065fa2929a0998b0a64aa8aa4fe0fe6d274d67aafa24b
Status: Downloaded newer image for ghcr.io/mbhangui/indimail:rockylinux8

$ docker images|grep rockylinux8
ghcr.io/mbhangui/indimail   rockylinux8   274da2d2b6d7   2 months ago   1.07GB

$ docker run --rm -d --publish-all --name indimail -h indimail.org --cap-add SYS_PTRACE --cap-add SYS_ADMIN --cap-add IPC_LOCK --cap-add SYS_RESOURCE --cap-add=NET_ADMIN --cap-add=CAP_NET_RAW --cap-add=SYS_NICE -p 2025:25 -p 2587:587 274da2d2b6d7
3b88313aaad6d3bfeafe18fa4bce98a45e4e40b31b7691059495381cdace5a96

$ docker exec -ti indimail bash
indimail.org:(root) / >

[schengawegga]

No i´m sorry.
Either i get this error:

Trying to pull registry.redhat.io/274da2d2b6d73b88313aaad6d3bfeafe18fa4bce98a45e4e40b31b7691059495381cdace5a96:latest...
WARN[0003] Failed, retrying in 1s ... (1/3). Error: initializing source docker://registry.redhat.io/274da2d2b6d73b88313aaad6d3bfeafe18fa4bce98a45e4e40b31b7691059495381cdace5a96:latest: reading manifest latest in registry.redhat.io/274da2d2b6d73b88313aaad6d3bfeafe18fa4bce98a45e4e40b31b7691059495381cdace5a96: unknown: Not Found

Or this error:

Trying to pull docker.io/library/274da2d2b6d72e11d469150726b874e808d9ad967b8c8c9a2629edee4186c1e827406828f048:latest...
Error: initializing source docker://274da2d2b6d72e11d469150726b874e808d9ad967b8c8c9a2629edee4186c1e827406828f048:latest: reading manifest latest in docker.io/library/274da2d2b6d72e11d469150726b874e808d9ad967b8c8c9a2629edee4186c1e827406828f048: errors:
denied: requested access to the resource is denied
unauthorized: authentication required

Although i entered the needed credentials via:

podman login docker.io

and

podman login registry.redhat.io

Maybe i do not have the needed permissions?

[mbhangui]

No i´m sorry. Either i get this error:

Trying to pull registry.redhat.io/274da2d2b6d73b88313aaad6d3bfeafe18fa4bce98a45e4e40b31b7691059495381cdace5a96:latest...
WARN[0003] Failed, retrying in 1s ... (1/3). Error: initializing source docker://registry.redhat.io/274da2d2b6d73b88313aaad6d3bfeafe18fa4bce98a45e4e40b31b7691059495381cdace5a96:latest: reading manifest latest in registry.redhat.io/274da2d2b6d73b88313aaad6d3bfeafe18fa4bce98a45e4e40b31b7691059495381cdace5a96: unknown: Not Found

This error is expected because redhat.io doesn't have the image. Only ghcr.io and docker.io has the images

Or this error:

Trying to pull docker.io/library/274da2d2b6d72e11d469150726b874e808d9ad967b8c8c9a2629edee4186c1e827406828f048:latest...
Error: initializing source docker://274da2d2b6d72e11d469150726b874e808d9ad967b8c8c9a2629edee4186c1e827406828f048:latest: reading manifest latest in docker.io/library/274da2d2b6d72e11d469150726b874e808d9ad967b8c8c9a2629edee4186c1e827406828f048: errors:
denied: requested access to the resource is denied
unauthorized: authentication required

This indicates that you have not signed into the docker repository or the sign-in wasn't successful.

Login to docker

docker login docker.io

Also you can add ghcr.io to /etc/containers/registries.conf. This is my registries.conf

[registries.search]
registries = ['ghcr.io', 'docker.io', 'registry.fedoraproject.org', 'registry.redhat.io', 'registry.access.redhat.com', 'registry.opensuse.org', 'quay.io']

# # An array of host[:port] registries to try when pulling an unqualified image, in order.
unqualified-search-registries = ['ghcr.io', 'docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.access.redhat.com']

Then pull the image from the docker registory

docker pull cprogrammer/indimail:rockylinux8

[schengawegga]

Login works

docker login docker.io Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
Authenticating with existing credentials for docker.io
Existing credentials are valid. Already logged in to docker.io

Pulling works

docker pull cprogrammer/indimail:rockylinux8
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
✔ docker.io/cprogrammer/indimail:rockylinux8
Trying to pull docker.io/cprogrammer/indimail:rockylinux8...
Getting image source signatures
Copying blob 8e0fd9e8bca9 skipped: already exists
Copying blob 5461c86c2e54 skipped: already exists
Copying blob dd6dc7d0a3df skipped: already exists
Copying config 274da2d2b6 done
Writing manifest to image destination
Storing signatures
274da2d2b6d794b20146c55ba394b0e4ab14a1417ba44036a57eb1d3e83e8a78

Step 3 works not

podman run --rm -d --publish-all --name indimail -h indimail.org --cap-add SYS_PTRACE --cap-add SYS_ADMIN --cap-add IPC_LOCK --cap-add SYS_RESOURCE --cap-add=NET_ADMIN --cap-add=CAP_NET_RAW --cap-add=SYS_NICE -p 2025:25 -p 2587:587 274da2d2b6d72e11d469150726b874e808d9ad967b8c8c9a2629edee4186c1e827406828f048
✔ docker.io/library/274da2d2b6d72e11d469150726b874e808d9ad967b8c8c9a2629edee4186c1e827406828f048:latest
Trying to pull docker.io/library/274da2d2b6d72e11d469150726b874e808d9ad967b8c8c9a2629edee4186c1e827406828f048:latest...
Error: initializing source docker://274da2d2b6d72e11d469150726b874e808d9ad967b8c8c9a2629edee4186c1e827406828f048:latest: reading manifest latest in docker.io/library/274da2d2b6d72e11d469150726b874e808d9ad967b8c8c9a2629edee4186c1e827406828f048: errors:
denied: requested access to the resource is denied
unauthorized: authentication required

[mbhangui]

The error is because of error in step 3. Either you have to use docker throughout or you have to use podman throughout. As in

1. docker pull cprogrammer/indimail:rockylinux8 -- Fine

In step 3 replace podman with docker. i.e.

docker run --rm -d --publish-all --name indimail -h indimail.org --cap-add SYS_PTRACE --cap-add SYS_ADMIN --cap-add IPC_LOCK --cap-add SYS_RESOURCE --cap-add=NET_ADMIN --cap-add=CAP_NET_RAW --cap-add=SYS_NICE -p 2025:25 -p 2587:587

[schengawegga]

i found the problem.
I used the wrong signature hash.
Sorry, but i am not very known in docker/podman.
Now it works. Thanks for your support.
So now i can check the SCRAM-Authentication on my VM.

[mbhangui]

Install gsasl package on your local machine where you are running the container. The gsasl command was the most useful tool for me when building SCRAM authentication. Now the docker run command I gave maps port 2587 on the local machine to port 587 on the container. The gsasl command also prints the SMTP dialog on the screen.

Once you have created a user on the container, you can connect and test authentication like this. You can create two users. One with SCRAM-SHA-256 and the other with SCRAM-SHA-1.

And then for each mechanism, you have two methods (the non-plus variant where you don't do channel binding and the PLUS variant where you do channel binding).

a) without channel binding
$ gsasl -d --no-cb --hostname=argos.indimail.org --x509-ca-file="" -a [email protected] --password 'somepassword' --mechanism SCRAM-SHA-256 --smtp --connect localhost:2587

b) or you can use channel binding
$ gsasl -d --hostname=argos.indimail.org --x509-ca-file="" -a [email protected] --password 'somepassword' --mechanism SCRAM-SHA-256-PLUS --smtp --connect localhost:2587

[schengawegga]

@mbhangui Thanks for your support. The pull request for adding SCRAM support is already done. Next steps will be adding SCRAM-PLUS support. For this, the PEAR/Auth_SASL Class must support channel binding. I will try to do a pull request there. But a first question to you. Do your container indimail support channel binding?

[mbhangui]

Do your container indimail support channel binding?

Yes it does support channel binding (SCRAM-SHA1-PLUS and SCRAM-SHA256-PLUS) but not SCRAM-SHA512-PLUS

[mbhangui]

Additionally you will need to create users which support channel binding

indimail.org:(root) / > vadddomain example.com password
indimail.org:(root) / > vadduser -C -m SCRAM-SHA-1-PLUS -d [email protected] sompassword
indimail.org:(root) / > vadduser -C -m SCRAM-SHA-256-PLUS -d [email protected] somepassword

[schengawegga]

@mbhangui Thanks for the example. I will try this soon.

[schengawegga]

@mbhangui can you send me the vadduser statements for adding users with CRAM-MD5 and DIGEST-MD5 authentication methods? Then I can check several changes in pear/Net_SMTP and pear/Auth_SASL Thank you.

[Neustradamus]

@mbhangui: Have you seen the last @schengawegga comment?

[mbhangui]

@mbhangui can you send me the vadduser statements for adding users with CRAM-MD5 and DIGEST-MD5 authentication methods? Then I can check several changes in pear/Net_SMTP and pear/Auth_SASL Thank you.

Totally slipped my mind that I have to reply. Here is the command. You just have to use -C option and it will support all CRAM methods. The -C option can be used with SCRAM methods too. However, the default setting of SMTP service in indimail doesn't support CRAM because of the danger of storing clear text passwords in the database. If someone steals the database, the person will walk away happily with un-encrypted passwords. To enable CRAM in SMTP a one time setting of ENABLE_CRAM variable is required, which is given below

create a user that supports all CRAM Methods
# vadduser -C [email protected] somepassword

Enable CRAM authentication in SMTP service

# echo 1 > /service/qmail-smtpd.587/variables/ENABLE_CRAM

Restart SMTPD

# svc -r /service/qmail-smtpd.587

Test using swaks. You can use port 2587 on your host where you are running docker command. If doing the test in the container then use port 587

Test CRAM-MD5 using swaks

swaks --to [email protected] --from [email protected] --server localhost --port 587 -a CRAM-MD5 -au [email protected] -ap somepassword

Test DIGEST-MD5 using swaks
swaks --to [email protected] --from [email protected] --server localhost --port 587 -a DIGEST-MD5 -au [email protected] -ap somepassword

In fact You can use use CRAM-MD5 CRAM-SHA1 CRAM-SHA224 CRAM-SHA256 CRAM-SHA384 CRAM-SHA512 CRAM-RIPEMD DIGEST-MD5 methods if the client support those methods

There is a detailed topic on setting up authenticated smtp mechanisms in indimail here. But feel free to post any doubts/clarification here itself

[mbhangui]

@mbhangui: Have you seen the last @schengawegga comment?

Thanks for reminding me. It had totally slipped my mind as I was busy planning a vacation. I have updated the above post with few things that I had missed out

[schengawegga]

@mbhangui Do indimail support XOAuth and OAuthbearer? And how do i configure this methods? Thanks you :-)

[mbhangui]

On Tue, 9 Jan 2024 at 04:44, Armin Graefe ***@***.***> wrote: @mbhangui <https://github.com/mbhangui> Do indimail support XOAuth and OAuthbearer? And how do i configure this methods? Thanks you :-)

No. None of these two are supported ATM.