search

pear / Net_SMTP

PHP SMTP Implementation
https://pear.php.net/package/net_smtp
BSD 2-Clause "Simplified" License
26 stars 38 forks source link

SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) + SCRAM-SHA-512(-PLUS) supports #57

Open Neustradamus opened 5 years ago

Neustradamus commented 5 years ago

Can you add the SCRAM supports?

For example Rouncube has needed: https://github.com/roundcube/roundcubemail/issues/6917

Cyrus SASL supports:

-> https://cyrusimap.org/sasl/sasl/authentication_mechanisms.html -> https://github.com/cyrusimap/cyrus-sasl/commits/master

Dovecot SASL supports:

-> https://doc.dovecot.org/configuration_manual/authentication/password_schemes/

GNU SASL supports:

-> http://www.gnu.org/software/gsasl/

"When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".

https://xmpp.org/extensions/inbox/hash-recommendations.html

-PLUS variants:

IMAP:

LDAP:

HTTP:

2FA:

IANA:

Linked to:

jparise commented 4 years ago

I don't have any plans to implement this myself, but I would gladly review a patch that adds this support.

Neustradamus commented 4 years ago

@jparise: 11 months after, have you looked?

I have added drafts "Channel Bindings for SCRAM over TLS 1.3 / SCRAM-SHA-512(-PLUS) / SCRAM-SHA3-512(-PLUS) / 2FA" and added details of Cyrus SASL / Dovecot SASL / GNU SASL.

Thanks a lot in advance.

jparise commented 3 years ago

As I said earlier, I'd be glad to review a Pull Request that adds support for these new algorithms.

schengawegga commented 2 years ago

@Neustradamus I have developed a first draft of SCRAM support, but i have to test it first before i can create a pull request. Do you have a docker container within a SMTP server wich supports any or all kinds of SCRAM?

Neustradamus commented 2 years ago

@schengawegga: Nice, thanks a lot for your work!

I think that @mbhangui or @maranda can help you for a test account.

cc: @nevans, @hsbt, @shugo.

mbhangui commented 2 years ago

indimail has docker images at https://hub.docker.com/r/cprogrammer/indimail. Some documentation is here.

The steps would be to

  1. Create a domain using vadddomain
  2. create an user using vadduser
  3. Modify user password using vmoduser for SCRAM-SHA1, or SCRAM-SHA-256 (and the PLUS methods).

You can reach out to me privately if you need any help in setting up accounts using indimail docker.

gsasl also has a tiny smtp server in the examples directory. One can compile it and do a basic test. AFAIK, The gsasl utility too can act as a server using the --server option. But I have never tried those option. But I have used the client options to test SCRAM auth methods against indimail server.

Neustradamus commented 2 years ago

@schengawegga: Have you seen the @mbhangui comment?

schengawegga commented 2 years ago

@Neustradamus @mbhangui Yes, i´ve seen @mbhangui comment. Thanks you for the detailed instructions. But my time is very short at the moment. I will have a closer look on the docker container when i´m not so busy anymore.

schengawegga commented 1 year ago

@mbhangui now i tried about 4 hours to run and configure indimail to test my developement, but it won´t work on my own. It is possible, that you can give me a fully configured indimail server within an .vbox image? My problem at the moment is a mysql certificate error on vadduser command.

mbhangui commented 1 year ago

@mbhangui now i tried about 4 hours to run and configure indimail to test my developement, but it won´t work on my own. It is possible, that you can give me a fully configured indimail server within an .vbox image? My problem at the moment is a mysql certificate error on vadduser command.

Which image did you use? Sure I can give a full configured indimail server with .vbox image, but that could take me a day or two.

mbhangui commented 1 year ago

So I tried this and it worked. You can repeat the steps exactly as below

  1. Pull the image $ podman pull ghcr.io/mbhangui/indimail:rockylinux8

  2. List the image $ podman images|grep rocky ghcr.io/mbhangui/indimail rockylinux8 274da2d2b6d7 2 months ago 1.09 GB

  3. Run docker or podman command. This will run SMTP on port 25 without authentication and on port 587 with authentication. You can use port 2587 on the host where you run podman command to use SMTP for testing SCRAM methods.

    $ podman run --rm -d --publish-all --name indimail -h indimail.org --cap-add SYS_PTRACE --cap-add SYS_ADMIN --cap-add IPC_LOCK --cap-add SYS_RESOURCE --cap-add=NET_ADMIN --cap-add=CAP_NET_RAW --cap-add=SYS_NICE -p 2025:25 -p 2587:587 274da2d2b6d7
2e11d469150726b874e808d9ad967b8c8c9a2629edee4186c1e827406828f048

  4. Open a shell on the running container

    $ podman exec -ti indimail bash
indimail.org:(root) / >

  5. In the container, create domain using vadddomain and one user testuser01 that support SCRAM authentication using vadduser

    indimail.org:(root) / > vadddomain example.com password
indimail.org:(root) / > vadduser -C -m SCRAM-SHA-256 -d testuser01@example.com somepassword

  6. On the host where you ran the podman command, test SCRAM-SHA-256 with the gsasl command. You will require to install the gsasl RPM or debian package on your host. Alternatively you can run gsasl command on the indimail container on port 587 instead of port 2587

    
a) without channel binding
$ gsasl -d --no-cb --hostname=argos.indimail.org --x509-ca-file="" -a testuser01@example.com --password 'somepassword' --mechanism SCRAM-SHA-256 --smtp --connect localhost:2587

b) or you can use channel binding $ gsasl -d --hostname=argos.indimail.org --x509-ca-file="" -a testuser01@example.com --password 'somepassword' --mechanism SCRAM-SHA-256-PLUS --smtp --connect localhost:2587

Any issue let me know. You can replace podman with docker command. The syntax is the same for both. I prefer podman because it runs without needing a daemon running as root.

The response to the gsasl command will be like this and in the end you should get `235 ok, go ahead (#2.0.0)`

Trying ‘localhost’... 220 indimail.org (NO UCE) ESMTP IndiMail 1.285 Thu, 30 Mar 2023 09:17:45 +0000 EHLO [127.0.0.1] 250-indimail.org 250-AUTH LOGIN PLAIN CRAM-MD5 CRAM-SHA1 CRAM-SHA224 CRAM-SHA256 CRAM-SHA384 CRAM-SHA512 CRAM-RIPEMD DIGEST-MD5 SCRAM-SHA-1 SCRAM-SHA-256 250-PIPELINING 250-8BITMIME 250-SIZE 20971520 250-ETRN 250-STARTTLS 250 HELP STARTTLS 220 ready for tls TLS X.509 Verification: The certificate is NOT trusted. The certificate chain is revoked. The certificate doesn't match the local copy (TOFU). The revocation or OCSP data are old and have been superseded. The revocation or OCSP data are issued with a future date. The certificate issuer is unknown. The certificate issuer is not a CA. The certificate chain uses insecure algorithm. The certificate chain violates the signer's constraints. The certificate chain does not match the intended purpose. The certificate chain uses not yet valid certificate. The certificate chain uses expired certificate. The signature in the certificate is invalid. The name in the certificate does not match the expected. The certificate requires the server to include an OCSP status in its response, but the OCSP status is missing. The received OCSP status response is invalid. The certificate contains an unknown critical extension. EHLO [127.0.0.1] 250-indimail.org 250-AUTH LOGIN PLAIN CRAM-MD5 CRAM-SHA1 CRAM-SHA224 CRAM-SHA256 CRAM-SHA384 CRAM-SHA512 CRAM-RIPEMD DIGEST-MD5 SCRAM-SHA-1 SCRAM-SHA-256 SCRAM-SHA-1-PLUS SCRAM-SHA-256-PLUS 250-PIPELINING 250-8BITMIME 250-SIZE 20971520 250-ETRN 250 HELP AUTH SCRAM-SHA-256 334 biwsbj10ZXN0dXNlcjAxQGV4YW1wbGUuY29tLHI9TlNqa1pCSjdkSGc4NEpHcGVLRVJjYS9w 334 cj1OU2prWkJKN2RIZzg0SkdwZUtFUmNhL3AwU1M2M3c1Z2RLUkZBQm1ZeTQ1b1pyZDEscz13YitqSjBvMTB5bWJoSHdZLGk9NDA5Ng== Yz1iaXdzLHI9TlNqa1pCSjdkSGc4NEpHcGVLRVJjYS9wMFNTNjN3NWdkS1JGQUJtWXk0NW9acmQxLHA9U1FTN1lCR0Z0cXlnM1NrZWVDQzVxbStqTGdYUzBrNVlCQ0hFY1NSREFvRT0= 334 dj1zaDlVUEJtSDZvcTVtQ2NNZWpVRStQd2hmNFhrQW53Y0F0VHBzUHorejRnPQ==

235 ok, go ahead (#2.0.0) Client authentication finished (server trusted)... Session finished... QUIT 221 indimail.org closing connection

schengawegga commented 1 year ago

@mbhangui Thanks for your manual. But when i do step 3, i get the following errormessage

Error: initializing source docker://registry.redhat.io/274da2d2b6d72e11d469150726b874e808d9ad967b8c8c9a2629edee4186c1e827406828f048:latest: reading manifest latest in registry.redhat.io/274da2d2b6d72e11d469150726b874e808d9ad967b8c8c9a2629edee4186c1e827406828f048: unknown: Not Found

Maybe can you please provide a vbox image to me? That will be very helpful. I am not in a hurry, so it is okay if it takes some time.

mbhangui commented 1 year ago

Not sure why you are getting error with docker. This is cut-paste of what I tried just now with docker. I will try make a vbox image tonight

$ docker pull ghcr.io/mbhangui/indimail:rockylinux8
rockylinux8: Pulling from mbhangui/indimail
5461c86c2e54: Pull complete 
dd6dc7d0a3df: Pull complete 
8e0fd9e8bca9: Pull complete 
Digest: sha256:412400049a452f1d50f065fa2929a0998b0a64aa8aa4fe0fe6d274d67aafa24b
Status: Downloaded newer image for ghcr.io/mbhangui/indimail:rockylinux8

$ docker images|grep rockylinux8
ghcr.io/mbhangui/indimail   rockylinux8   274da2d2b6d7   2 months ago   1.07GB

$ docker run --rm -d --publish-all --name indimail -h indimail.org --cap-add SYS_PTRACE --cap-add SYS_ADMIN --cap-add IPC_LOCK --cap-add SYS_RESOURCE --cap-add=NET_ADMIN --cap-add=CAP_NET_RAW --cap-add=SYS_NICE -p 2025:25 -p 2587:587 274da2d2b6d7
3b88313aaad6d3bfeafe18fa4bce98a45e4e40b31b7691059495381cdace5a96

$ docker exec -ti indimail bash
indimail.org:(root) / >
schengawegga commented 1 year ago

No i´m sorry. Either i get this error:

Trying to pull registry.redhat.io/274da2d2b6d73b88313aaad6d3bfeafe18fa4bce98a45e4e40b31b7691059495381cdace5a96:latest... WARN[0003] Failed, retrying in 1s ... (1/3). Error: initializing source docker://registry.redhat.io/274da2d2b6d73b88313aaad6d3bfeafe18fa4bce98a45e4e40b31b7691059495381cdace5a96:latest: reading manifest latest in registry.redhat.io/274da2d2b6d73b88313aaad6d3bfeafe18fa4bce98a45e4e40b31b7691059495381cdace5a96: unknown: Not Found

Or this error:

Trying to pull docker.io/library/274da2d2b6d72e11d469150726b874e808d9ad967b8c8c9a2629edee4186c1e827406828f048:latest... Error: initializing source docker://274da2d2b6d72e11d469150726b874e808d9ad967b8c8c9a2629edee4186c1e827406828f048:latest: reading manifest latest in docker.io/library/274da2d2b6d72e11d469150726b874e808d9ad967b8c8c9a2629edee4186c1e827406828f048: errors: denied: requested access to the resource is denied unauthorized: authentication required

Although i entered the needed credentials via:

podman login docker.io

and

podman login registry.redhat.io

Maybe i do not have the needed permissions?

mbhangui commented 1 year ago

No i´m sorry. Either i get this error:

Trying to pull registry.redhat.io/274da2d2b6d73b88313aaad6d3bfeafe18fa4bce98a45e4e40b31b7691059495381cdace5a96:latest... WARN[0003] Failed, retrying in 1s ... (1/3). Error: initializing source docker://registry.redhat.io/274da2d2b6d73b88313aaad6d3bfeafe18fa4bce98a45e4e40b31b7691059495381cdace5a96:latest: reading manifest latest in registry.redhat.io/274da2d2b6d73b88313aaad6d3bfeafe18fa4bce98a45e4e40b31b7691059495381cdace5a96: unknown: Not Found

This error is expected because redhat.io doesn't have the image. Only ghcr.io and docker.io has the images

Or this error:

Trying to pull docker.io/library/274da2d2b6d72e11d469150726b874e808d9ad967b8c8c9a2629edee4186c1e827406828f048:latest... Error: initializing source docker://274da2d2b6d72e11d469150726b874e808d9ad967b8c8c9a2629edee4186c1e827406828f048:latest: reading manifest latest in docker.io/library/274da2d2b6d72e11d469150726b874e808d9ad967b8c8c9a2629edee4186c1e827406828f048: errors: denied: requested access to the resource is denied unauthorized: authentication required

This indicates that you have not signed into the docker repository or the sign-in wasn't successful.

Login to docker

docker login docker.io

Also you can add ghcr.io to /etc/containers/registries.conf. This is my registries.conf

[registries.search]
registries = ['ghcr.io', 'docker.io', 'registry.fedoraproject.org', 'registry.redhat.io', 'registry.access.redhat.com', 'registry.opensuse.org', 'quay.io']

# # An array of host[:port] registries to try when pulling an unqualified image, in order.
unqualified-search-registries = ['ghcr.io', 'docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.access.redhat.com']

Then pull the image from the docker registory

docker pull cprogrammer/indimail:rockylinux8
schengawegga commented 1 year ago

Login works

docker login docker.io Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg. Authenticating with existing credentials for docker.io Existing credentials are valid. Already logged in to docker.io

Pulling works

docker pull cprogrammer/indimail:rockylinux8 Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg. ✔ docker.io/cprogrammer/indimail:rockylinux8 Trying to pull docker.io/cprogrammer/indimail:rockylinux8... Getting image source signatures Copying blob 8e0fd9e8bca9 skipped: already exists Copying blob 5461c86c2e54 skipped: already exists Copying blob dd6dc7d0a3df skipped: already exists Copying config 274da2d2b6 done Writing manifest to image destination Storing signatures 274da2d2b6d794b20146c55ba394b0e4ab14a1417ba44036a57eb1d3e83e8a78

Step 3 works not

podman run --rm -d --publish-all --name indimail -h indimail.org --cap-add SYS_PTRACE --cap-add SYS_ADMIN --cap-add IPC_LOCK --cap-add SYS_RESOURCE --cap-add=NET_ADMIN --cap-add=CAP_NET_RAW --cap-add=SYS_NICE -p 2025:25 -p 2587:587 274da2d2b6d72e11d469150726b874e808d9ad967b8c8c9a2629edee4186c1e827406828f048 ✔ docker.io/library/274da2d2b6d72e11d469150726b874e808d9ad967b8c8c9a2629edee4186c1e827406828f048:latest Trying to pull docker.io/library/274da2d2b6d72e11d469150726b874e808d9ad967b8c8c9a2629edee4186c1e827406828f048:latest... Error: initializing source docker://274da2d2b6d72e11d469150726b874e808d9ad967b8c8c9a2629edee4186c1e827406828f048:latest: reading manifest latest in docker.io/library/274da2d2b6d72e11d469150726b874e808d9ad967b8c8c9a2629edee4186c1e827406828f048: errors: denied: requested access to the resource is denied unauthorized: authentication required

mbhangui commented 1 year ago

The error is because of error in step 3. Either you have to use docker throughout or you have to use podman throughout. As in

  1. docker pull cprogrammer/indimail:rockylinux8 -- Fine

In step 3 replace podman with docker. i.e.

docker run --rm -d --publish-all --name indimail -h indimail.org --cap-add SYS_PTRACE --cap-add SYS_ADMIN --cap-add IPC_LOCK --cap-add SYS_RESOURCE --cap-add=NET_ADMIN --cap-add=CAP_NET_RAW --cap-add=SYS_NICE -p 2025:25 -p 2587:587
schengawegga commented 1 year ago

i found the problem. I used the wrong signature hash. Sorry, but i am not very known in docker/podman. Now it works. Thanks for your support. So now i can check the SCRAM-Authentication on my VM.

mbhangui commented 1 year ago

Install gsasl package on your local machine where you are running the container. The gsasl command was the most useful tool for me when building SCRAM authentication. Now the docker run command I gave maps port 2587 on the local machine to port 587 on the container. The gsasl command also prints the SMTP dialog on the screen.

Once you have created a user on the container, you can connect and test authentication like this. You can create two users. One with SCRAM-SHA-256 and the other with SCRAM-SHA-1.

And then for each mechanism, you have two methods (the non-plus variant where you don't do channel binding and the PLUS variant where you do channel binding).

a) without channel binding
$ gsasl -d --no-cb --hostname=argos.indimail.org --x509-ca-file="" -a testuser01@example.com --password 'somepassword' --mechanism SCRAM-SHA-256 --smtp --connect localhost:2587

b) or you can use channel binding
$ gsasl -d --hostname=argos.indimail.org --x509-ca-file="" -a testuser01@example.com --password 'somepassword' --mechanism SCRAM-SHA-256-PLUS --smtp --connect localhost:2587
schengawegga commented 1 year ago

@mbhangui Thanks for your support. The pull request for adding SCRAM support is already done. Next steps will be adding SCRAM-PLUS support. For this, the PEAR/Auth_SASL Class must support channel binding. I will try to do a pull request there. But a first question to you. Do your container indimail support channel binding?

mbhangui commented 1 year ago

Do your container indimail support channel binding?

Yes it does support channel binding (SCRAM-SHA1-PLUS and SCRAM-SHA256-PLUS) but not SCRAM-SHA512-PLUS

mbhangui commented 1 year ago

Additionally you will need to create users which support channel binding

indimail.org:(root) / > vadddomain example.com password
indimail.org:(root) / > vadduser -C -m SCRAM-SHA-1-PLUS -d tesuser01@example.com sompassword
indimail.org:(root) / > vadduser -C -m SCRAM-SHA-256-PLUS -d testuser02@example.com somepassword
schengawegga commented 1 year ago

@mbhangui Thanks for the example. I will try this soon.

schengawegga commented 1 year ago

@mbhangui can you send me the vadduser statements for adding users with CRAM-MD5 and DIGEST-MD5 authentication methods? Then I can check several changes in pear/Net_SMTP and pear/Auth_SASL Thank you.

Neustradamus commented 1 year ago

@mbhangui: Have you seen the last @schengawegga comment?

mbhangui commented 1 year ago

@mbhangui can you send me the vadduser statements for adding users with CRAM-MD5 and DIGEST-MD5 authentication methods? Then I can check several changes in pear/Net_SMTP and pear/Auth_SASL Thank you.

Totally slipped my mind that I have to reply. Here is the command. You just have to use -C option and it will support all CRAM methods. The -C option can be used with SCRAM methods too. However, the default setting of SMTP service in indimail doesn't support CRAM because of the danger of storing clear text passwords in the database. If someone steals the database, the person will walk away happily with un-encrypted passwords. To enable CRAM in SMTP a one time setting of ENABLE_CRAM variable is required, which is given below

create a user that supports all CRAM Methods
# vadduser -C testuser01@example.com somepassword

Enable CRAM authentication in SMTP service

# echo 1 > /service/qmail-smtpd.587/variables/ENABLE_CRAM

Restart SMTPD

# svc -r /service/qmail-smtpd.587

Test using swaks. You can use port 2587 on your host where you are running docker command. If doing the test in the container then use port 587

Test CRAM-MD5 using swaks

swaks --to testuser01@example.com --from testuser01@example.com --server localhost --port 587 -a CRAM-MD5 -au testuser01@example.com -ap somepassword

Test DIGEST-MD5 using swaks
swaks --to testuser01@example.com --from testuser01@example.com --server localhost --port 587 -a DIGEST-MD5 -au testuser01@example.com -ap somepassword

In fact You can use use CRAM-MD5 CRAM-SHA1 CRAM-SHA224 CRAM-SHA256 CRAM-SHA384 CRAM-SHA512 CRAM-RIPEMD DIGEST-MD5 methods if the client support those methods

There is a detailed topic on setting up authenticated smtp mechanisms in indimail here. But feel free to post any doubts/clarification here itself

mbhangui commented 1 year ago

@mbhangui: Have you seen the last @schengawegga comment?

Thanks for reminding me. It had totally slipped my mind as I was busy planning a vacation. I have updated the above post with few things that I had missed out

schengawegga commented 10 months ago

@mbhangui Do indimail support XOAuth and OAuthbearer? And how do i configure this methods? Thanks you :-)

mbhangui commented 10 months ago

On Tue, 9 Jan 2024 at 04:44, Armin Graefe @.***> wrote:

@mbhangui https://github.com/mbhangui Do indimail support XOAuth and OAuthbearer? And how do i configure this methods? Thanks you :-)

No. None of these two are supported ATM.