Re: Alternate Authentication Mechanisms

Giganews Newsgroups
Subject: Re: Alternate Authentication Mechanisms
Posted by:  Remy Lebeau \(Indy Team\) (no.spam@no.spam.com)
Date: Tue, 13 Oct 2009

"Frank Bishop" <francis12…@fairpoint.net> wrote in message
news:7EA99FBF6194E340francis12…@fairpoint.net...

> In order to determine which authentication mechanisms a particular server
> has I can use telnet and run the EHLO command
<snip>
> So they all seem to support LOGIN

Yes.

> GSSAPI and NTLM are not yet implemented in INDY 10.5.7

NTLM is.  Look at the TIdSASLNTLM component.

> What does the = in
>
> 250-AUTH GSSAPI NTLM LOGIN
> 250-AUTH=LOGIN
>
> denote?

That was an older AUTH syntax before AUTH was standardized.  It is
maintained for backwards compatibility.  You need to merge both AUTH values
together before testing for available schemes.  The
TIdSMTP.SASLMechanisms collection does that automatically for you when
performing its internal comparisons.

> Or I can just let indy try them in the order I add them to the
> SASLMechanisms collection

The order in the AUTH lines is not important.  TIdSMTP does attempt them in
the order that they appear in the SASLMechanisms collection.

> So what might be a reasonable order based on experience?

Most secure to least secure.

>    IdSASLCRAMMD5 := TIdSASLCRAMMD5.Create(IdSMTP);
>    IdSASLCRAMMD5.UserPassProvider := IdUserPassProvider;
>
>    IdSASLCRAMSHA1 := TIdSASLCRAMSHA1.Create(IdSMTP);
>    IdSASLCRAMSHA1.UserPassProvider := IdUserPassProvider;

SHA-1 is more secure than MD5.  MD5 has already been cracked.  SHA-1 has not
yet.

>    IdSASLPlain := TIdSASLPlain.Create(IdSMTP);
>    IdSASLPlain.UserPassProvider := IdUserPassProvider;
>
>    IdSASLLogin := TIdSASLLogin.Create(IdSMTP);  // same as sasDefault
>    IdSASLLogin.UserPassProvider := IdUserPassProvider;

Those are the least secure.  They should be last (LOGIN before PLAIN).

> with IdSMTP.SASLMechanisms.Add do
> begin
>    SASL := IdSASLCRAMMD5;
>    SASL := IdSASLCRAMSHA1;
>    SASL := IdSASLPlain;
>    SASL := IdSASLLogin;
>    SASL := IdSASLSKey;
>    SASL := IdSASLOTP;
>    SASL := IdSASLAnonymous;
>    SASL := IdSASLExternal;
> end;

That is not the correct use of the SASLMechanisms collection.  Using a with
statement like that, you are only adding 1 entry, and it will be set to
IdSASLExternal only.  You need to call Add() for each TIdSASL... component
individually instead, ie:

IdSMTP.SASLMechanisms.Add.SASL := IdSASLCRAMSHA1;
IdSMTP.SASLMechanisms.Add.SASL := IdSASLCRAMMD5;
IdSMTP.SASLMechanisms.Add.SASL := IdSASLSKey;
IdSMTP.SASLMechanisms.Add.SASL := IdSASLOTP;
IdSMTP.SASLMechanisms.Add.SASL := IdSASLAnonymous;
IdSMTP.SASLMechanisms.Add.SASL := IdSASLExternal;
IdSMTP.SASLMechanisms.Add.SASL := IdSASLLogin;
IdSMTP.SASLMechanisms.Add.SASL := IdSASLPlain;

--
Remy Lebeau (Indy Team)
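The two points in the reply above, merging the "AUTH" and "AUTH=" lines before testing for schemes and then picking from a most-secure-first preference list, shown as an added Python illustration (not Indy code and not part of the original thread). The EHLO response and the preference list are constructed for the example; they mirror the lines quoted in the question.

```python
import re

# Constructed EHLO response modelled on the one quoted in the thread: the newer
# "AUTH <mechs>" form and the older "AUTH=<mechs>" form both appear, and a
# mechanism may be announced on only one of them.
SAMPLE_EHLO = (
    "250-mail.example.invalid Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250-AUTH GSSAPI NTLM LOGIN\r\n"
    "250-AUTH=LOGIN CRAM-MD5\r\n"
    "250 STARTTLS\r\n"
)

# Constructed client preference, most secure first, as the reply recommends:
# challenge-response mechanisms before the cleartext ones, LOGIN before PLAIN.
PREFERENCE = ["GSSAPI", "NTLM", "CRAM-SHA1", "CRAM-MD5", "LOGIN", "PLAIN"]

# Matches "250-AUTH ..." and "250 AUTH ..." as well as the legacy "250-AUTH=..." form.
_AUTH_LINE = re.compile(r"^250[ -]AUTH[ =](.*)$", re.IGNORECASE)


def advertised_mechanisms(ehlo_response: str) -> set:
    """Merge every AUTH and AUTH= line into one set of upper-cased mechanism names."""
    mechs = set()
    for line in ehlo_response.splitlines():
        m = _AUTH_LINE.match(line.strip())
        if m:
            mechs.update(tok.upper() for tok in m.group(1).split())
    return mechs


def choose_mechanism(ehlo_response: str, preference=PREFERENCE):
    """Return the first mechanism in preference order that the server offers, or None.

    Because both AUTH forms are merged first, a mechanism listed only on the
    legacy AUTH= line (CRAM-MD5 in the sample) is still considered.
    """
    offered = advertised_mechanisms(ehlo_response)
    for mech in preference:
        if mech in offered:
            return mech
    return None


if __name__ == "__main__":
    print(sorted(advertised_mechanisms(SAMPLE_EHLO)))
    print(choose_mechanism(SAMPLE_EHLO))
```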

In response to

Alternate Authentication Mechanisms posted by Frank Bishop on Tue, 13 Oct 2009