
add SCRAM support in indimail-mta #32

Merged
merged 8 commits into from
Jul 31, 2022

Conversation


@mbhangui mbhangui commented Jul 21, 2022

Add feature as per #30
Add support for the following AUTH methods

  1. SCRAM-SHA-1
  2. SCRAM-SHA-256
  3. SCRAM-SHA-512

The biggest issue is understanding the RFCs as they are quite dense with sparse comments. The best explanation for SCRAM comes from this stackoverflow post
https://stackoverflow.com/questions/29298346/xmpp-sasl-scram-sha1-authentication

Will be using the above document to add the support. However, I still haven't been able to understand the PLUS methods.

SCRAM-SHA-1-PLUS
SCRAM-SHA-256-PLUS
SCRAM-SHA-512-PLUS

The support for the above will not be attempted unless I get a good document on how to achieve the above.

@mbhangui (Member Author)

@Neustradamus FYI

@Neustradamus

@mbhangui: Thanks a lot for your improvements! :)

You can see for -PLUS variants (with TLS Binding) too for more security.

cc: @jas4711.

@Neustradamus

@mbhangui: Attention: SCRAM-SHA-512 and SCRAM-SHA-512-PLUS are not yet supported by gsasl.

@mbhangui (Member Author)

I still have to do some changes. One is to modify the action scripts to pull the GNU SASL library. The other is to call gsasl_init() during smtp initialization rather than calling it every time someone does an AUTH SCRAM-SHA-???

@mbhangui (Member Author)

@mbhangui: Attention: SCRAM-SHA-512 and SCRAM-SHA-512-PLUS are not yet supported by gsasl.

Yes. I noticed that. Cyrus SASL supports but I found the docs lacking and hence sticking with gnu sasl.

@Neustradamus

About Cyrus SASL, you can request help here:

@mbhangui (Member Author)

As it turns out, libgsasl-devel isn't available for the following platforms on openSUSE Build Service. Indimail-mta binaries published on OBS will not have SCRAM-SHA-1, SCRAM-SHA-256 auth methods on the following platforms

  1. CentOS
  2. RHEL
  3. SLES
  4. Scientific Linux

They will be available for the following platforms

  1. Fedora Core
  2. Debian
  3. Ubuntu
  4. Arch Linux
  5. Univention
  6. openSUSE Leap
  7. openSUSE Tumbleweed

@jas4711

jas4711 commented Jul 29, 2022

Thanks for adding code for this!

As it turns out, libgsasl-devel isn't available for the following platforms on openSUSE Build Service. Indimail-mta binaries published on OBS will not have SCRAM-SHA-1, SCRAM-SHA-256 auth methods on the following platforms

  1. CentOS
  2. RHEL
  3. SLES
  4. Scientific Linux

According to https://pkgs.org/search/?q=libgsasl-devel it is available via EPEL, maybe it is just a matter of doing the following:

dnf -y install epel-release libgsasl-devel

/Simon

@mbhangui (Member Author)

According to https://pkgs.org/search/?q=libgsasl-devel it is available via EPEL, maybe it is just a matter of doing the following:

dnf -y install epel-release libgsasl-devel

The opensuse build services run a virtual machine with read-only filesystem for / and /usr. So one cannot install any new repository. But I have left a message for the OBS team to look at adding libgsasl-devel as part of the default list of packages that get installed for all distributions. The team is usually responsive. If they don't, I can always dlopen libgsasl and provide SCRAM-SHA-1 and SCRAM-SHA-256

And last but not the least, thank you @jas4711 for the SCRAM code in gsasl. Reading the RFCs drove me nuts and cyrus sasl too wasn't that easy. The examples directory was the greatest help and the documentation too is quite good.

@Neustradamus

@mbhangui: Thanks for your good job! :)

We can thank @jas4711 who has worked on the support of the new security RFC in GNU SASL:

Little details, to know easily:

  • tls-unique for TLS =< 1.2
  • tls-exporter for TLS = 1.3

Can you look?
Maybe you can try before the Simon PR merging to add support in indimail?

Thanks in advance.

@Neustradamus

@mbhangui: Good news!
@jas4711 has released a gsasl 2.1.0 beta version with RFC9266 support:

PS: Exim has -PLUS support and uses gsasl too:

@mbhangui (Member Author)

@Neustradamus Support for both SCRAM-SHA-1-PLUS and SCRAM-SHA-256-PLUS has been added with pull request #33. I'm currently using gsasl-2.0.1.8-90f5 for tls-exporter channel binding. I have tested tls-exporter using TLSv_1.3 and tls-unique using TLSv_1.2. Till now I have found absolutely zero issues in using gsasl. I have added code for SCRAM-SHA-512 and SCRAM-SHA-512-PLUS which I will enable the day support for the same is added in gsasl.

Currently I'm adding few #ifdefs which disables the channel binding code for older versions for gsasl which do not support tls-unique and tls-exporter.
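For readers following the thread, the following is an added, self-contained illustration of the SCRAM exchange discussed above (the four messages of RFC 5802, with the -PLUS channel-binding check that the tls-unique / tls-exporter discussion is about). It is not code from this pull request, from indimail-mta or from gsasl; it is written in Python so it runs without the gsasl library. Both sides are implemented so the failure modes are visible: a wrong password yields `e=invalid-proof`, differing channel-binding data on the two ends yields `e=channel-bindings-dont-match`, and a client that sends the `y` flag to a server offering -PLUS is rejected as a downgrade. The salt, iteration count, user table and channel-binding bytes are constructed for the example; in a real deployment the channel-binding bytes come from the TLS layer (tls-unique on TLS 1.2, tls-exporter on TLS 1.3 per RFC 9266). Usernames are assumed not to contain `,` or `=` (the RFC's saslname escaping is omitted).

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Digest behind each mechanism: RFC 5802 (SHA-1), RFC 7677 (SHA-256);
# SHA-512 is the same construction with a 64-byte digest.
DIGESTS = {"SCRAM-SHA-1": "sha1", "SCRAM-SHA-256": "sha256", "SCRAM-SHA-512": "sha512"}


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _attrs(msg: str) -> Dict[str, str]:
    # "k=v,k=v" attribute list; base64 values may themselves contain "=".
    return dict(item.split("=", 1) for item in msg.split(","))


def gs2_header(cb_name: Optional[str]) -> str:
    # "n,," for the plain mechanism, "p=<cb-type>,," for the -PLUS variant (empty authzid).
    return ("p=%s" % cb_name if cb_name else "n") + ",,"


def stored_credentials(mech: str, password: str, salt: bytes, iterations: int) -> Tuple[bytes, bytes]:
    """What the server keeps instead of the password: (StoredKey, ServerKey)."""
    d = DIGESTS[mech]
    salted = hashlib.pbkdf2_hmac(d, password.encode("utf-8"), salt, iterations)  # Hi() of RFC 5802
    client_key = hmac.new(salted, b"Client Key", d).digest()
    return hashlib.new(d, client_key).digest(), hmac.new(salted, b"Server Key", d).digest()


class Client:
    def __init__(self, mech: str, user: str, password: str, cb_name: Optional[str] = None,
                 cb_data: bytes = b"", nonce: Optional[str] = None):
        self.d, self.user, self.password = DIGESTS[mech], user, password
        self.cb_name, self.cb_data = cb_name, cb_data
        self.nonce = nonce or secrets.token_urlsafe(18)

    def first(self) -> str:
        self.bare = "n=%s,r=%s" % (self.user, self.nonce)  # client-first-message-bare
        return gs2_header(self.cb_name) + self.bare

    def final(self, server_first: str) -> str:
        a = _attrs(server_first)
        if not a["r"].startswith(self.nonce):
            raise ValueError("server nonce does not extend ours")
        salted = hashlib.pbkdf2_hmac(self.d, self.password.encode("utf-8"),
                                     base64.b64decode(a["s"]), int(a["i"]))
        client_key = hmac.new(salted, b"Client Key", self.d).digest()
        self.server_key = hmac.new(salted, b"Server Key", self.d).digest()
        # c= carries base64(gs2-header + cb-data); for non-PLUS that is base64("n,,") == "biws".
        without_proof = "c=%s,r=%s" % (_b64(gs2_header(self.cb_name).encode() + self.cb_data), a["r"])
        self.auth_message = ",".join((self.bare, server_first, without_proof))
        stored_key = hashlib.new(self.d, client_key).digest()
        client_sig = hmac.new(stored_key, self.auth_message.encode(), self.d).digest()
        return without_proof + ",p=" + _b64(_xor(client_key, client_sig))  # ClientProof

    def verify(self, server_final: str) -> bool:
        a = _attrs(server_final)
        expected = hmac.new(self.server_key, self.auth_message.encode(), self.d).digest()
        return "v" in a and hmac.compare_digest(base64.b64decode(a["v"]), expected)


class Server:
    def __init__(self, mech: str, users: Dict[str, tuple], cb_name: Optional[str] = None,
                 cb_data: bytes = b"", nonce: Optional[str] = None):
        # users: {name: (salt, iterations, StoredKey, ServerKey)}
        self.d, self.users, self.cb_name, self.cb_data = DIGESTS[mech], users, cb_name, cb_data
        self.snonce = nonce or secrets.token_urlsafe(18)

    def first(self, client_first: str) -> str:
        flag, authzid, self.bare = client_first.split(",", 2)
        self.header = "%s,%s," % (flag, authzid)
        if self.cb_name and flag != "p=" + self.cb_name:
            # "y" here means the client thinks we offer no -PLUS: the mechanism list was stripped.
            raise ValueError("channel binding mismatch or downgrade attempt")
        if not self.cb_name and flag.startswith("p="):
            raise ValueError("client requested channel binding on a non-PLUS mechanism")
        a = _attrs(self.bare)
        self.salt, self.iters, self.stored_key, self.server_key = self.users[a["n"]]
        self.nonce = a["r"] + self.snonce
        self.server_first = "r=%s,s=%s,i=%d" % (self.nonce, _b64(self.salt), self.iters)
        return self.server_first

    def final(self, client_final: str) -> str:
        a = _attrs(client_final)
        without_proof = client_final.rsplit(",p=", 1)[0]
        if base64.b64decode(a["c"]) != self.header.encode() + self.cb_data:
            return "e=channel-bindings-dont-match"
        if a["r"] != self.nonce:
            return "e=other-error"
        auth_message = ",".join((self.bare, self.server_first, without_proof))
        client_sig = hmac.new(self.stored_key, auth_message.encode(), self.d).digest()
        client_key = _xor(base64.b64decode(a["p"]), client_sig)  # ClientProof XOR ClientSignature
        if not hmac.compare_digest(hashlib.new(self.d, client_key).digest(), self.stored_key):
            return "e=invalid-proof"
        return "v=" + _b64(hmac.new(self.server_key, auth_message.encode(), self.d).digest())


def run_exchange(mech, user, password, users, client_cb=(None, b""), server_cb=(None, b"")):
    """Drive the four-message exchange; returns (server-final-message, client accepted server)."""
    c, s = Client(mech, user, password, *client_cb), Server(mech, users, *server_cb)
    server_final = s.final(c.final(s.first(c.first())))
    return server_final, c.verify(server_final)


# Constructed enrolment data: the server stores only salt, iterations, StoredKey, ServerKey.
SALT, ITERS = b"constructed-salt", 4096
USERS = {"user": (SALT, ITERS) + stored_credentials("SCRAM-SHA-256", "pencil", SALT, ITERS)}

if __name__ == "__main__":
    print(run_exchange("SCRAM-SHA-256", "user", "pencil", USERS))
    cb = ("tls-exporter", b"\x01" * 32)  # constructed stand-in for the TLS exporter value
    print(run_exchange("SCRAM-SHA-256", "user", "pencil", USERS, cb, ("tls-exporter", b"\x02" * 32)))
```

Note the server never learns the password: it recovers ClientKey from the proof and checks its hash against StoredKey, which is why a captured exchange cannot be replayed and why the -PLUS variant, by mixing the TLS channel's own bytes into the signed AuthMessage, fails cleanly when the two ends are not on the same TLS connection.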
