From:
To:
Frank Bishop
Subject:
Re: Alternate Authentication Mechanisms
Newsgroup:
atozedsoftware.indy.protocol.smtp

Re: Alternate Authentication Mechanisms


"Frank Bishop" <✉fairpoint.net> wrote in message 
news:✉fairpoint.net...

> In order to determine which authentication mechanisms a particular server 
> has I can use telnet and run the EHLO command <snip>
> So they all seem to support LOGIN

Yes.

> GSSAPI and NTLM are not yet implemented in INDY 10.5.7

NTLM is.  Look at the TIdSASLNTLM component.

> What does the = in
>
> 250-AUTH GSSAPI NTLM LOGIN
> 250-AUTH=LOGIN
>
> denote ?

That was an older AUTH syntax before AUTH was standardized.  It is 
maintained for backwards compatibility.  You need to merge both AUTH values 
together before then testing for available schemes.  The 
TIdSMTP.SASLMechanisms collection does that automatically for you when 
performing its internal comparisons.

> Or I can just let indy try them in the order I add them to the 
> SASLMechanisms collection

The order in the AUTH lines is not important.  TIdSMTP does attempt them in 
the order that they appear in the SASLMechanisms collection.

> So what might be a reasonable order based on experience?

Most secure to least secure.

>     IdSASLCRAMMD5 := TIdSASLCRAMMD5.Create(IdSMTP);
>     IdSASLCRAMMD5.UserPassProvider := IdUserPassProvider;
>
>     IdSASLCRAMSHA1 := TIdSASLCRAMSHA1.Create(IdSMTP);
>     IdSASLCRAMSHA1.UserPassProvider := IdUserPassProvider;

SHA-1 is more secure than MD5.  MD5 has already been cracked.  SHA-1 has not 
yet.

>     IdSASLPlain := TIdSASLPlain.Create(IdSMTP);
>     IdSASLPlain.UserPassProvider := IdUserPassProvider;
>
>     IdSASLLogin := TIdSASLLogin.Create(IdSMTP);  // same as sasDefault
>     IdSASLLogin.UserPassProvider := IdUserPassProvider;

Those are the least secure.  They should be last (LOGIN before PLAIN).

> with IdSMTP.SASLMechanisms.Add do
> begin
>    SASL := IdSASLCRAMMD5;
>    SASL := IdSASLCRAMSHA1;
>    SASL := IdSASLPlain;
>    SASL := IdSASLLogin;
>    SASL := IdSASLSKey;
>    SASL := IdSASLOTP;
>    SASL := IdSASLAnonymous;
>    SASL := IdSASLExternal;
> end;

That is not the correct use of the SASLMechanisms collection.  Using a with 
statement like that, you are only adding 1 entry, and it will be set to 
IdSASLExternal only.  You need to call Add() for each TIdSASL... component 
individually instead, ie:

IdSMTP.SASLMechanisms.Add.SASL := IdSASLCRAMSHA1;
IdSMTP.SASLMechanisms.Add.SASL := IdSASLCRAMMD5;
IdSMTP.SASLMechanisms.Add.SASL := IdSASLSKey;
IdSMTP.SASLMechanisms.Add.SASL := IdSASLOTP;
IdSMTP.SASLMechanisms.Add.SASL := IdSASLAnonymous;
IdSMTP.SASLMechanisms.Add.SASL := IdSASLExternal;
IdSMTP.SASLMechanisms.Add.SASL := IdSASLLogin;
IdSMTP.SASLMechanisms.Add.SASL := IdSASLPlain;

-- 
Remy Lebeau (Indy Team)
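The EHLO handling discussed in the reply above, as an added example that is not part of the original post and is not Indy/Delphi code: it parses a constructed EHLO reply, merges the standard AUTH line with the legacy AUTH= line (the merge TIdSMTP.SASLMechanisms is said to do internally), and then picks a mechanism by walking the client's own preference list, so the server's ordering plays no part. It goes one step beyond the thread by refusing LOGIN and PLAIN, which hand the server the password itself (base64 is not encryption), until TLS is active. The sample reply, the preference list, the CLEARTEXT_MECHANISMS set and the tls_active flag are assumptions made for illustration.

```python
# Added example (Python, not Indy/Delphi): parse an SMTP EHLO reply, merge the
# standard "AUTH" line with the legacy "AUTH=" line, and choose a SASL
# mechanism in the client's own preference order.  The sample reply and the
# preference list are constructed for illustration.

# Constructed EHLO reply shaped like the one quoted in the thread (not a capture).
EHLO_REPLY = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250-AUTH GSSAPI NTLM LOGIN\r\n"
    "250-AUTH=LOGIN\r\n"
    "250-STARTTLS\r\n"
    "250 OK\r\n"
)

# Client preference, most secure first, in the order used in the reply above.
CLIENT_PREFERENCE = [
    "CRAM-SHA1", "CRAM-MD5", "SKEY", "OTP",
    "ANONYMOUS", "EXTERNAL", "LOGIN", "PLAIN",
]

# Mechanisms that transmit the password itself (assumed policy: TLS first).
CLEARTEXT_MECHANISMS = {"LOGIN", "PLAIN"}


def parse_ehlo(reply):
    """Return {EHLO keyword: [parameters]} for a multi-line 250 reply.

    The legacy 'AUTH=X Y' form is folded into the 'AUTH' keyword, so a server
    that advertises both lines yields one merged, de-duplicated list.
    """
    caps = {}
    lines = [ln for ln in reply.splitlines() if ln.startswith("250")]
    for line in lines[1:]:          # lines[0] is the greeting, not a capability
        text = line[4:].strip()     # drop the "250-" / "250 " prefix
        if not text:
            continue
        if text.upper().startswith("AUTH="):
            keyword, params = "AUTH", text[5:].split()
        else:
            parts = text.split()
            keyword, params = parts[0].upper(), parts[1:]
        bucket = caps.setdefault(keyword, [])
        for param in params:
            param = param.upper()
            if param not in bucket:     # AUTH and AUTH= usually repeat names
                bucket.append(param)
    return caps


def server_auth_mechanisms(reply):
    """Merged list of SASL mechanisms the server advertises, in server order."""
    return parse_ehlo(reply).get("AUTH", [])


def choose_mechanism(reply, preference=CLIENT_PREFERENCE, tls_active=False):
    """Walk the client's list in order and return the first mechanism the
    server also offers, or None.  The server's ordering is irrelevant.
    Cleartext mechanisms are skipped until TLS is up (assumed policy, beyond
    what the thread discusses)."""
    offered = set(server_auth_mechanisms(reply))
    for mech in preference:
        if mech in CLEARTEXT_MECHANISMS and not tls_active:
            continue
        if mech in offered:
            return mech
    return None


if __name__ == "__main__":
    print("server offers:", server_auth_mechanisms(EHLO_REPLY))
    print("before STARTTLS:", choose_mechanism(EHLO_REPLY))
    print("after STARTTLS:", choose_mechanism(EHLO_REPLY, tls_active=True))
```

With the constructed reply, the merged list is GSSAPI, NTLM, LOGIN; since the preference list above does not include GSSAPI or NTLM, nothing is chosen before STARTTLS and LOGIN is chosen after it. A server that lists `AUTH PLAIN LOGIN` still gets LOGIN first because the client's list, not the server's, is walked.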
Originally created by
Tamarack Associates
Fri, 17 May 2024 18:31:11 UTC
Copyright © 2009-2024
HREF Tools Corp.