
Support strong authentication

Open temuccio opened this issue 4 years ago • 13 comments

Feature Request

Include support for strong authentication alternatives to PLAIN and LOGIN such as:

  • [x] CRAM-MD5
  • [ ] GSSAPI
  • [x] DIGEST-MD5
  • [ ] MD5
  • [ ] OAUTH10A
  • [x] XOAUTH2 https://github.com/nextcloud/mail/pull/6819
    • [x] https://github.com/nextcloud/mail/issues/6454
    • [x] https://github.com/nextcloud/mail/issues/6591
    • [ ] On-premise servers
  • [ ] OAUTHEBEARER
  • [x] SCRAM-SHA-1 https://github.com/nextcloud/mail/pull/4377
  • [ ] SCRAM-SHA-1-PLUS
  • [ ] SCRAM-SHA-256
  • [ ] SCRAM-SHA-256-PLUS
  • [ ] SCRAM-SHA-512
  • [ ] SCRAM-SHA-512-PLUS
  • [x] CRAM-SHA1
  • [x] CRAM-SHA256
  • [ ] NTLM

Summary

In my case I have tried to connect Mail to my server, which supports CRAM-MD5 and DIGEST-MD5, without a positive response. It would be interesting to include this support, as the most important mail clients do, to extend the usage. I'm happy to collaborate to implement this feature. Have a nice day.

References

  • Dovecot password schemes https://doc.dovecot.org/configuration_manual/authentication/password_schemes/
  • Mail server auth matrix https://en.wikipedia.org/wiki/Comparison_of_mail_servers#Authentication

temuccio avatar May 22 '20 09:05 temuccio

Adding this to the end of our roadmap

ChristophWurst avatar May 27 '20 10:05 ChristophWurst

I'm happy to collaborate to implement this Feature.

Sounds good :) I assume the Horde libs can already handle this. So we should only need a new structure for the authentication method (new attribute in the accounts table?) and a switch in the user interface.

ChristophWurst avatar May 27 '20 10:05 ChristophWurst

Hi @ChristophWurst, sorry for my delay. I have checked the Horde libs and they support this authentication. For your interest, I have checked that the strong authentication is implemented in: vendor/pear-pear.horde.org/Horde_imap_Client/Horde/Imap/Client/Socket/Pop3.php and vendor/pear-pear.horde.org/Horde_Smtp/Horde/Smtp.php. As you announced, it is necessary to add a "select" to decide what the authentication method is. How do you pass the parameter to Horde?

temuccio avatar Jun 23 '20 12:06 temuccio

new attribute in the accounts table

Basically that. And then just read it through a getter on the account class in the IMAP client factory.

ChristophWurst avatar Jun 24 '20 08:06 ChristophWurst

Hello :wave:, looked into this issue today.

CRAM-MD5 / DIGEST-MD5: Already supported, if the connection to the IMAP server is unencrypted and CRAM-MD5 or DIGEST-MD5 are supported.

XOAUTH2: Would be nice for Gmail users. Code to use XOAUTH2 for authentication to IMAP and SMTP is there but the process to obtain an access token via OAUTH needs to be done. I guess that's somehow similar to https://github.com/nextcloud/integration_google. Additional information: https://developers.google.com/gmail/imap/xoauth2-protocol / https://developers.google.com/identity/protocols/oauth2.

OAUTHEBEARER: Similar to XOAUTH2 but not supported yet by Horde.

SCRAM-SHA-1: https://github.com/nextcloud/mail/pull/4377

GSSAPI: Roundcube seems to support it: https://github.com/roundcube/roundcubemail/blob/65c9d08e0146692ead7107d839fa06e52ed1216e/program/lib/Roundcube/rcube_imap_generic.php#L650-L723. Some extension for PHP is required.

kesselb avatar Jan 19 '21 16:01 kesselb

CRAM-MD5 / DIGEST-MD5: Already supported, if the connection to the IMAP server is unencrypted and CRAM-MD5 or DIGEST-MD5 are supported.

I think these two are actually interesting for SMTP.

CL-Jeremy avatar Mar 02 '21 12:03 CL-Jeremy

Horde will use them automatically if appropriate.

ChristophWurst avatar Mar 02 '21 12:03 ChristophWurst

My apologies. I didn't read the error message properly. I added a mailbox named "Sent" and it worked. Looking forward to porting this support to the built-in mailer (saw someone requesting it)

CL-Jeremy avatar Mar 02 '21 14:03 CL-Jeremy

XOAUTH2: Would be nice for Gmail users. Code to use XOAUTH2 for authentication to IMAP and SMTP is there but the process to obtain an access token via OAUTH needs to be done. I guess that's somehow similar to https://github.com/nextcloud/integration_google. Additional information: https://developers.google.com/gmail/imap/xoauth2-protocol / https://developers.google.com/identity/protocols/oauth2.

https://github.com/nextcloud/mail/pull/6819

ChristophWurst avatar Jul 01 '22 13:07 ChristophWurst

In addition to SCRAM-SHA-1, I request SCRAM-SHA-1-PLUS, SCRAM-SHA-256, SCRAM-SHA-256-PLUS, SCRAM-SHA-512, SCRAM-SHA-512-PLUS, SCRAM-SHA3-512, SCRAM-SHA3-512-PLUS.

Note: CRAM-MD5 and DIGEST-MD5 are insecure.


Please read all:

20 November 2008: CRAM-MD5 to Historic:

  • https://tools.ietf.org/html/draft-ietf-sasl-crammd5-to-historic-00

29 June 2017: CRAM-MD5 to Historic:

  • https://tools.ietf.org/html/draft-zeilenga-luis140219-crammd5-to-historic-00

July 2011: RFC6331: Moving DIGEST-MD5 to Historic:

  • https://tools.ietf.org/html/rfc6331

August 2021: RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2: "Replaced DIGEST-MD5 SASL mechanism with SCRAM-SHA-256. DIGEST-MD5 was deprecated."

  • https://tools.ietf.org/html/rfc9051

I add the same about SCRAM-MD5.

There are now:

  • July 2010: RFC5802: Salted Challenge Response Authentication Mechanism (SCRAM): SASL and GSS-API Mechanisms: https://tools.ietf.org/html/rfc5802 (SCRAM-SHA-1 and SCRAM-SHA-1-PLUS)
  • July 2010: RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted: Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803
  • November 2015: RFC7677: SCRAM-SHA-256 and SCRAM-SHA-256-PLUS: Simple Authentication and Security Layer (SASL) Mechanisms: https://tools.ietf.org/html/rfc7677

Soon:

  • SCRAM-BIS: https://tools.ietf.org/html/draft-melnikov-scram-bis
  • SCRAM-SHA-512(-PLUS): https://tools.ietf.org/html/draft-melnikov-scram-sha-512
  • SCRAM-SHA3-512(-PLUS): https://tools.ietf.org/html/draft-melnikov-scram-sha3-512

Neustradamus avatar Aug 03 '22 16:08 Neustradamus
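Added example, not code from Nextcloud Mail or Horde: the SCRAM-SHA-256 exchange requested in the comment above and in the issue's checklist, computed per RFC 5802 / RFC 7677 on the client side (proof and expected server signature) and checked on the server side against StoredKey only. The function names parse_attrs, scram_keys, client_final and server_verify are chosen here; the nonce and server-first-message are the RFC 7677 section 3 test vector.

```python
import base64
import hashlib
import hmac

# Added example (not Nextcloud Mail or Horde code): minimal SCRAM-SHA-256 client
# computation and server-side proof check, following RFC 5802 / RFC 7677.

def parse_attrs(message: str) -> dict:
    """Split a SCRAM message into its comma-separated attr=value pairs."""
    return dict(kv.split("=", 1) for kv in message.split(","))

def scram_keys(password: str, server_first: str) -> tuple:
    """Derive (ClientKey, StoredKey, ServerKey); a server stores only the last two."""
    attrs = parse_attrs(server_first)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 base64.b64decode(attrs["s"]), int(attrs["i"]))
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return client_key, stored_key, server_key

def client_final(username: str, password: str, client_nonce: str,
                 server_first: str) -> tuple:
    """Build client-final-message, the AuthMessage it signs, and the server
    signature ("v=...") the client must see before trusting the server."""
    nonce = parse_attrs(server_first)["r"]
    if not nonce.startswith(client_nonce):  # server must extend our nonce
        raise ValueError("server nonce does not extend the client nonce")
    client_key, stored_key, server_key = scram_keys(password, server_first)
    without_proof = "c=biws,r=" + nonce  # biws = base64("n,,"): no channel binding
    # Username escaping of ',' and '=' (RFC 5802 saslname) is omitted for brevity.
    auth_message = f"n={username},r={client_nonce},{server_first},{without_proof}"
    client_sig = hmac.new(stored_key, auth_message.encode(), hashlib.sha256).digest()
    proof = bytes(a ^ b for a, b in zip(client_key, client_sig))
    server_sig = hmac.new(server_key, auth_message.encode(), hashlib.sha256).digest()
    final = f"{without_proof},p={base64.b64encode(proof).decode()}"
    return final, auth_message, "v=" + base64.b64encode(server_sig).decode()

def server_verify(stored_key: bytes, auth_message: str, final: str) -> bool:
    """Server side: recover ClientKey from the proof and compare H(ClientKey) to StoredKey."""
    proof = base64.b64decode(parse_attrs(final)["p"])
    client_sig = hmac.new(stored_key, auth_message.encode(), hashlib.sha256).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, client_sig))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)

# RFC 7677 section 3 test vector: user "user", password "pencil".
RFC7677_NONCE = "rOprNGfwEbeRWgbNEkqO"
RFC7677_SERVER_FIRST = "r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096"
```

The server never sees the password or ClientKey, only the proof, which is why a leaked StoredKey cannot be replayed as a password the way a CRAM-MD5 or DIGEST-MD5 secret can.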

Thanks a lot for the links @Neustradamus. I've updated the list at https://github.com/nextcloud/mail/issues/3146#issue-623075405 to reflect the current state.

ChristophWurst avatar Sep 02 '22 09:09 ChristophWurst

Hello. I need GSSAPI support. When are you planning to add this feature?

dm-msk avatar Feb 16 '24 07:02 dm-msk

Hello. I need GSSAPI support. When are you planning to add this feature?

There are no plans right now. https://nextcloud.com/contribute/ or https://nextcloud.com/enterprise/ could be two options to get this feature earlier.

ChristophWurst avatar Feb 16 '24 09:02 ChristophWurst