implement the plus variants of scram, to bind the authentication exchange to the tls connection

to get the security benefits (detecting mitm attempts), explicitly configure
clients to use a scram plus variant, e.g. scram-sha-256-plus. unfortunately,
not many clients support it yet.

imapserver scram plus support seems to work with the latest imtest (imap test
client) from cyrus-sasl. no success yet with mutt (with gsasl) though.
This commit is contained in:
Mechiel Lukkien
2023-12-23 23:07:21 +01:00
parent 4701857d7f
commit e7478ed6ac
23 changed files with 690 additions and 189 deletions

View File

@ -501,8 +501,10 @@ describe-static" and "mox config describe-domains":
Username:
Password:
# Allowed authentication mechanisms. Defaults to SCRAM-SHA-256, SCRAM-SHA-1,
# CRAM-MD5. Not included by default: PLAIN. (optional)
# Allowed authentication mechanisms. Defaults to SCRAM-SHA-256-PLUS,
# SCRAM-SHA-256, SCRAM-SHA-1-PLUS, SCRAM-SHA-1, CRAM-MD5. Not included by default:
# PLAIN. Specify the strongest mechanism known to be implemented by the server to
# prevent mechanism downgrade attacks. (optional)
Mechanisms:
-
@ -532,8 +534,10 @@ describe-static" and "mox config describe-domains":
Username:
Password:
# Allowed authentication mechanisms. Defaults to SCRAM-SHA-256, SCRAM-SHA-1,
# CRAM-MD5. Not included by default: PLAIN. (optional)
# Allowed authentication mechanisms. Defaults to SCRAM-SHA-256-PLUS,
# SCRAM-SHA-256, SCRAM-SHA-1-PLUS, SCRAM-SHA-1, CRAM-MD5. Not included by default:
# PLAIN. Specify the strongest mechanism known to be implemented by the server to
# prevent mechanism downgrade attacks. (optional)
Mechanisms:
-
@ -563,8 +567,10 @@ describe-static" and "mox config describe-domains":
Username:
Password:
# Allowed authentication mechanisms. Defaults to SCRAM-SHA-256, SCRAM-SHA-1,
# CRAM-MD5. Not included by default: PLAIN. (optional)
# Allowed authentication mechanisms. Defaults to SCRAM-SHA-256-PLUS,
# SCRAM-SHA-256, SCRAM-SHA-1-PLUS, SCRAM-SHA-1, CRAM-MD5. Not included by default:
# PLAIN. Specify the strongest mechanism known to be implemented by the server to
# prevent mechanism downgrade attacks. (optional)
Mechanisms:
-