SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) + SCRAM-SHA-512(-PLUS) + SCRAM-SHA3-512(-PLUS) supports

Neustradamus commented 1 year ago

Which feature or improvement would you like to request?

Dear @stalwartlabs team,

Can you add supports of :

SCRAM-SHA-1
SCRAM-SHA-1-PLUS
SCRAM-SHA-256
SCRAM-SHA-256-PLUS
SCRAM-SHA-512
SCRAM-SHA-512-PLUS
SCRAM-SHA3-512
SCRAM-SHA3-512-PLUS

You can add too:

SCRAM-SHA-224
SCRAM-SHA-224-PLUS
SCRAM-SHA-384
SCRAM-SHA-384-PLUS

A "big" list has been done in last link of this ticket.

SCRAM-SHA-1(-PLUS):

SCRAM-SHA-256(-PLUS):

https://tools.ietf.org/html/rfc7677 since 2015-11-02
https://tools.ietf.org/html/rfc8600 since 2019-06-21: https://mailarchive.ietf.org/arch/msg/ietf-announce/suJMmeMhuAOmGn_PJYgX5Vm8lNA

SCRAM-SHA-512(-PLUS):

https://tools.ietf.org/html/draft-melnikov-scram-sha-512

SCRAM-SHA3-512(-PLUS):

https://tools.ietf.org/html/draft-melnikov-scram-sha3-512

SCRAM BIS: Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms:

https://tools.ietf.org/html/draft-melnikov-scram-bis

-PLUS variants:

RFC5056: On the Use of Channel Bindings to Secure Channels: https://tools.ietf.org/html/rfc5056
RFC5929: Channel Bindings for TLS: https://tools.ietf.org/html/rfc5929
Channel-Binding Types: https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml
RFC9266: Channel Bindings for TLS 1.3: https://tools.ietf.org/html/rfc9266

IMAP:

RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2: https://tools.ietf.org/html/rfc9051

LDAP:

RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted: Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803

HTTP:

RFC7804: Salted Challenge Response HTTP Authentication Mechanism: https://tools.ietf.org/html/rfc7804

JMAP:

RFC8621: The JSON Meta Application Protocol (JMAP) for Mail: https://tools.ietf.org/html/rfc8621

2FA:

Extensions to Salted Challenge Response (SCRAM) for 2 factor authentication: https://tools.ietf.org/html/draft-melnikov-scram-2fa

IANA:

Simple Authentication and Security Layer (SASL) Mechanisms: https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml

Linked to:

Is your feature request related to a problem?

No response

Code of Conduct

[X] I agree to follow this project's Code of Conduct

Neustradamus commented 10 months ago

@stappersg: I have done a ticket to the @stalwartlabs dev team to add the support of the best security and to be compatible with the World. It is important to inform people... SCRAM exists since 2011 and replace several old unsecure password hashes. It is not an aggression.

For example, you can see it is needed, it has been, officially, added by default in:

RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2: https://tools.ietf.org/html/rfc9051
RFC8621: The JSON Meta Application Protocol (JMAP) for Mail: https://tools.ietf.org/html/rfc8621

mdecimus commented 10 months ago

Hi @Neustradamus -- please disregard this person's comment. They have been banned from this repository for violating the code of conduct multiple times. Support for SCRAM is in the roadmap and should be implemented during the first months of 2024.

Neustradamus commented 10 months ago

@mdecimus: Thanks for your answer, good news, can not wait the moment ^^

I have not done the ticket in all repositories:

I will add the ticket to add Channel Binding (linked to SCRAM-SHA-*-PLUS variants) and another one to move old unsecure hashes to history.

mdecimus commented 10 months ago

I have not done the ticket in all repositories

Not necessary, once it is implemented here it will propagate to all other repositories.

Neustradamus commented 10 months ago

Yes, it was the original goal :)

stalwartlabs / mail-server