indimail / indimail-mta

qmail fork with IPV6, TLS, DANE, DKIM, SRS2, SPF, daemontools, qmailanalog, mess822, & ucspi-tcp
https://github.com/indimail/indimail-mta/wiki/0-IndiMail-Wiki
GNU General Public License v3.0

add SCRAM support in indimail-mta #32

Closed mbhangui closed 2 years ago

mbhangui commented 2 years ago

Add feature as per #30. Add support for the following AUTH methods:

  1. SCRAM-SHA-1
  2. SCRAM-SHA-256
  3. SCRAM-SHA-512

The biggest issue is understanding the RFCs, as they are quite dense with sparse comments. The best explanation for SCRAM comes from this stackoverflow post https://stackoverflow.com/questions/29298346/xmpp-sasl-scram-sha1-authentication

Will be using the above document to add the support. However, I still haven't been able to understand the PLUS methods.

  1. SCRAM-SHA-1-PLUS
  2. SCRAM-SHA-256-PLUS
  3. SCRAM-SHA-512-PLUS

The support for the above will not be attempted unless I get a good document on how to achieve the above.
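As an added, self-contained walkthrough (not code from indimail-mta, gsasl, or this thread) of what the RFCs describe, here is the four-message SCRAM exchange from RFC 5802 for SHA-1, SHA-256 and SHA-512, together with the -PLUS rule that the later comments refer to: per RFC 5802 and RFC 9266 the gs2 header becomes `p=tls-exporter,,`, the `c=` attribute carries that header followed by the channel-binding bytes, and the server must compare those bytes with its own TLS session's exporter value before it even looks at the proof. The function names are this example's own; the user, password, nonces and salt are the RFC 7677 section 3 inputs, and the two 32-byte exporter values are constructed stand-ins for what a TLS library would return. SASLprep of the password is omitted.

```python
import base64
import hashlib
import hmac

# Hash behind each mechanism; the -PLUS variants use the same hash plus channel binding.
HASHES = {"SCRAM-SHA-1": "sha1", "SCRAM-SHA-256": "sha256", "SCRAM-SHA-512": "sha512"}


def _hash(mech):
    return HASHES[mech[:-5] if mech.endswith("-PLUS") else mech]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _keys(mech, password, salt, iterations):
    """SaltedPassword -> (ClientKey, StoredKey, ServerKey), RFC 5802 section 3.
    The server stores only StoredKey and ServerKey. SASLprep is skipped here."""
    h = _hash(mech)
    salted = hashlib.pbkdf2_hmac(h, password.encode(), salt, iterations)  # Hi() is PBKDF2
    client_key = hmac.new(salted, b"Client Key", h).digest()
    server_key = hmac.new(salted, b"Server Key", h).digest()
    return client_key, hashlib.new(h, client_key).digest(), server_key


def client_first(username, client_nonce, cb_type=None):
    """gs2 header is 'n,,' for the plain mechanism and 'p=<cb-type>,,' for -PLUS."""
    gs2 = f"p={cb_type},," if cb_type else "n,,"
    bare = f"n={username},r={client_nonce}"
    return gs2, bare, gs2 + bare


def server_first(client_nonce, server_nonce, salt, iterations):
    return f"r={client_nonce}{server_nonce},s={base64.b64encode(salt).decode()},i={iterations}"


def client_final(mech, password, gs2, cb_data, client_first_bare, server_first_msg):
    """Returns the client-final message and the server-final message the client expects."""
    h = _hash(mech)
    attrs = dict(a.split("=", 1) for a in server_first_msg.split(","))
    client_key, stored_key, server_key = _keys(mech, password, base64.b64decode(attrs["s"]), int(attrs["i"]))
    # c = base64(gs2-header || cbind-data); with no channel binding this is base64("n,,") == "biws"
    without_proof = f"c={base64.b64encode(gs2.encode() + cb_data).decode()},r={attrs['r']}"
    auth_message = f"{client_first_bare},{server_first_msg},{without_proof}".encode()
    client_sig = hmac.new(stored_key, auth_message, h).digest()
    proof = base64.b64encode(_xor(client_key, client_sig)).decode()
    expected = "v=" + base64.b64encode(hmac.new(server_key, auth_message, h).digest()).decode()
    return f"{without_proof},p={proof}", expected


def server_verify(mech, stored_key, server_key, gs2, cb_data, client_first_bare, server_first_msg, client_final_msg):
    """Returns the server-final message, or None if the client must be rejected."""
    h = _hash(mech)
    attrs = dict(a.split("=", 1) for a in client_final_msg.split(","))
    if attrs["r"] != server_first_msg.split(",")[0][2:]:
        return None  # nonce mismatch
    # -PLUS: the bytes inside c= must equal what *this* TLS session exports. The check is
    # essential: AuthMessage is built from the c= the client sent, so the proof alone would
    # still verify for a relay that terminated TLS and forwarded the client's messages.
    if base64.b64decode(attrs["c"]) != gs2.encode() + cb_data:
        return None
    without_proof = client_final_msg.rsplit(",p=", 1)[0]
    auth_message = f"{client_first_bare},{server_first_msg},{without_proof}".encode()
    client_sig = hmac.new(stored_key, auth_message, h).digest()
    client_key = _xor(base64.b64decode(attrs["p"]), client_sig)  # ClientProof XOR ClientSignature
    if not hmac.compare_digest(hashlib.new(h, client_key).digest(), stored_key):
        return None  # wrong password
    return "v=" + base64.b64encode(hmac.new(server_key, auth_message, h).digest()).decode()


def run_exchange(mech, username, password, client_nonce, server_nonce, salt, iterations,
                 cb_type=None, client_cb=b"", server_cb=None, server_password=None):
    """Drive all four messages. server_cb defaults to client_cb (one TLS session); pass a
    different value to model a relay sitting between two TLS sessions."""
    server_cb = client_cb if server_cb is None else server_cb
    _, stored_key, server_key = _keys(mech, server_password or password, salt, iterations)
    gs2, bare, c1 = client_first(username, client_nonce, cb_type)
    s1 = server_first(client_nonce, server_nonce, salt, iterations)
    c2, expected = client_final(mech, password, gs2, client_cb, bare, s1)
    s2 = server_verify(mech, stored_key, server_key, gs2, server_cb, bare, s1, c2)
    return {"client_first": c1, "server_first": s1, "client_final": c2, "server_final": s2,
            "server_accepted": s2 is not None, "client_accepted": s2 == expected}


# Inputs taken from the RFC 7677 section 3 example (SCRAM-SHA-256, user "user", password "pencil").
RFC7677 = dict(mech="SCRAM-SHA-256", username="user", password="pencil",
               client_nonce="rOprNGfwEbeRWgbNEkqO", server_nonce="%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0",
               salt=base64.b64decode("W22ZaJ0SNY7soEsUEjb6gQ=="), iterations=4096)
RFC7677_CLIENT_FINAL = ("c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,"
                        "p=dHzbZapWIk4jUhN+Ute9ytag9zjfMHgsqmmiz7AndVQ=")
RFC7677_SERVER_FINAL = "v=6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4="

# Constructed stand-ins for the 32-byte tls-exporter value (RFC 9266); a real client and
# server each read it from their own TLS library, and they only agree within one session.
EXPORTER_A = bytes(range(32))
EXPORTER_B = bytes(range(32, 64))

if __name__ == "__main__":
    plain = run_exchange(**RFC7677)
    print("RFC 7677 vector reproduced:", plain["client_final"] == RFC7677_CLIENT_FINAL,
          plain["server_final"] == RFC7677_SERVER_FINAL)
    plus_args = {**RFC7677, "mech": "SCRAM-SHA-256-PLUS"}
    plus = run_exchange(**plus_args, cb_type="tls-exporter", client_cb=EXPORTER_A)
    relay = run_exchange(**plus_args, cb_type="tls-exporter", client_cb=EXPORTER_A, server_cb=EXPORTER_B)
    print("SCRAM-SHA-256-PLUS same session:", plus["server_accepted"], "relayed:", relay["server_accepted"])
```

The relay case is the whole point of the -PLUS variants: a client and a server on the same TLS connection derive the same exporter value, so the `c=` attribute checks out, while anything that terminates TLS in the middle sees a different value and is refused before the proof is examined. With tls-unique the same comparison is made against the first Finished message instead of an exporter value.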

mbhangui commented 2 years ago

@neustradamus FYI

Neustradamus commented 2 years ago

@mbhangui: Thanks a lot for your improvements! :)

You can look at the -PLUS variants (with TLS binding) too, for more security.

cc: @jas4711.

Neustradamus commented 2 years ago

@mbhangui: Attention: SCRAM-SHA-512 and SCRAM-SHA-512-PLUS are not yet supported by gsasl.

mbhangui commented 2 years ago

I still have to do some changes. One is to modify the action scripts to pull the GNU SASL library. The other is to call gsasl_init() during smtp initialization rather than calling it every time someone does an AUTH SCRAM-SHA-???

mbhangui commented 2 years ago

> @mbhangui: Attention: SCRAM-SHA-512 and SCRAM-SHA-512-PLUS are not yet supported by gsasl.

Yes. I noticed that. Cyrus SASL supports them, but I found the docs lacking and hence I am sticking with GNU SASL.

Neustradamus commented 2 years ago

About Cyrus SASL, you can request help here:

mbhangui commented 2 years ago

As it turns out, libgsasl-devel isn't available for the following platforms on openSUSE Build Service. Indimail-mta binaries published on OBS will not have SCRAM-SHA-1, SCRAM-SHA-256 auth methods on the following platforms

  1. CentOS
  2. RHEL
  3. SLES
  4. Scientific Linux

They will be available for the following platforms

  1. Fedora Core
  2. Debian
  3. Ubuntu
  4. Arch Linux
  5. Univention
  6. openSUSE Leap
  7. openSUSE Tumbleweed

jas4711 commented 2 years ago

Thanks for adding code for this!

> As it turns out, libgsasl-devel isn't available for the following platforms on openSUSE Build Service. Indimail-mta binaries published on OBS will not have SCRAM-SHA-1, SCRAM-SHA-256 auth methods on the following platforms
>
>   1. CentOS
>   2. RHEL
>   3. SLES
>   4. Scientific Linux

According to https://pkgs.org/search/?q=libgsasl-devel it is available via EPEL, maybe it is just a matter of doing the following:

dnf -y install epel-release libgsasl-devel

/Simon

mbhangui commented 2 years ago

> According to https://pkgs.org/search/?q=libgsasl-devel it is available via EPEL, maybe it is just a matter of doing the following:
>
> dnf -y install epel-release libgsasl-devel

The openSUSE Build Service runs a virtual machine with a read-only filesystem for / and /usr, so one cannot install any new repository. But I have left a message for the OBS team to look at adding libgsasl-devel as part of the default list of packages that get installed for all distributions. The team is usually responsive. If they don't, I can always dlopen libgsasl and provide SCRAM-SHA-1 and SCRAM-SHA-256.

And last but not least, thank you @jas4711 for the SCRAM code in gsasl. Reading the RFCs drove me nuts, and Cyrus SASL too wasn't that easy. The examples directory was the greatest help, and the documentation too is quite good.

Neustradamus commented 2 years ago

@mbhangui: Thanks for your good job! :)
We can thank @jas4711 who has worked on the support of the new security RFC in GNU SASL:

Little details, to know easily:

Can you look? Maybe you can try it before Simon's PR is merged, to add support in indimail?

Thanks in advance.

Neustradamus commented 2 years ago

@mbhangui: Good news! @jas4711 has released a gsasl 2.1.0 beta version with RFC9266 support:

PS: Exim has -PLUS support and uses gsasl too:

mbhangui commented 2 years ago

@Neustradamus Support for both SCRAM-SHA-1-PLUS and SCRAM-SHA-256-PLUS has been added with pull request #33. I'm currently using gsasl-2.0.1.8-90f5 for tls-exporter channel binding. I have tested tls-exporter using TLSv1.3 and tls-unique using TLSv1.2. Till now I have found absolutely zero issues in using gsasl. I have added code for SCRAM-SHA-512 and SCRAM-SHA-512-PLUS, which I will enable the day support for the same is added in gsasl.

Currently I'm adding a few #ifdefs which disable the channel binding code for older versions of gsasl which do not support tls-unique and tls-exporter.