mirror of
https://github.com/mjl-/mox.git
synced 2025-07-10 09:54:40 +03:00
implement the plus variants of scram, to bind the authentication exchange to the tls connection
to get the security benefits (detecting mitm attempts), explicitly configure clients to use a scram plus variant, e.g. scram-sha-256-plus. unfortunately, not many clients support it yet. imapserver scram plus support seems to work with the latest imtest (imap test client) from cyrus-sasl. no success yet with mutt (with gsasl) though.
@ -881,7 +881,9 @@ func PrepareStaticConfig(ctx context.Context, log mlog.Log, configFile string, c
|
||||
}
|
||||
seen[m] = true
|
||||
switch m {
|
||||
case "SCRAM-SHA-256-PLUS":
|
||||
case "SCRAM-SHA-256":
|
||||
case "SCRAM-SHA-1-PLUS":
|
||||
case "SCRAM-SHA-1":
|
||||
case "CRAM-MD5":
|
||||
case "PLAIN":
|
||||
@ -892,7 +894,7 @@ func PrepareStaticConfig(ctx context.Context, log mlog.Log, configFile string, c
|
||||
|
||||
t.Auth.EffectiveMechanisms = t.Auth.Mechanisms
|
||||
if len(t.Auth.EffectiveMechanisms) == 0 {
|
||||
t.Auth.EffectiveMechanisms = []string{"SCRAM-SHA-256", "SCRAM-SHA-1", "CRAM-MD5"}
|
||||
t.Auth.EffectiveMechanisms = []string{"SCRAM-SHA-256-PLUS", "SCRAM-SHA-256", "SCRAM-SHA-1-PLUS", "SCRAM-SHA-1", "CRAM-MD5"}
|
||||
}
|
||||
}
|
||||
|
||||
|
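Review bot: The new default in the second hunk, `t.Auth.EffectiveMechanisms = []string{"SCRAM-SHA-256-PLUS", "SCRAM-SHA-256", "SCRAM-SHA-1-PLUS", "SCRAM-SHA-1", "CRAM-MD5"}`, only puts the channel-bound variants first; the unbound SCRAM variants and `CRAM-MD5` stay in the list as fallbacks. Presumably the code that consumes this list picks the first mechanism the peer also offers, so with the defaults the TLS binding is opportunistic and a session in which the PLUS names are not offered would still authenticate without it; that selection code is outside this hunk and should be checked. The commit message already says the MITM-detection benefit needs explicit configuration, but nothing at this site records that, so I would add a comment above the assignment such as `// Preference order only: PLUS is tried first, unbound SCRAM and CRAM-MD5 remain as fallbacks. Configure Mechanisms with only -PLUS entries to require channel binding.` The same applies to the `switch m` in the first hunk, which accepts any mix of bound and unbound names; PrepareStaticConfig starts and ends outside both hunks.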