Simon Josefsson | 23 Sep 2009 20:19

IMAP extension for SASL additional information


Does IMAP support SASL authentication where the server returns additional
information together with success?  As far as I can tell from section
6.2.2 of RFC 3501 it does not, but I may be missing something.

Is there interest in an extension, say "SASL-AD", to provide this
capability?

It could work like this:

C: . CAPABILITY
S: * CAPABILITY SASL-AD
C: . AUTHENTICATE SCRAM-SHA-1 - SASL-AD
S: + 
C: client-first-b64-string
S: + server-first-b64-string
C: client-final-b64-string
S: . OK [SASL-AD server-final-b64-string]

When used together with SASL-IR, an exchange could look like:

C: . CAPABILITY
S: * CAPABILITY SASL-IR SASL-AD
C: . AUTHENTICATE SCRAM-SHA-1 client-first-b64-string SASL-AD
S: + server-first-b64-string
C: client-final-b64-string
S: . OK [SASL-AD server-final-b64-string]

Using "-" allows clients to avoid sending a client-first even if the
server announces support for SASL-IR, thus enabling:

Alexey Melnikov | 23 Sep 2009 22:09

[Imap-protocol] Re: IMAP extension for SASL additional information

On Wed, Sep 23, 2009 at 7:19 PM, Simon Josefsson <simon <at> josefsson.org> wrote:
>
> Do IMAP support SASL authentication where the server returns additional
> information together with success?

No. The server would need to send data as a normal SASL challenge,
then the client would answer with an empty response.

> As far as I can tell from section
> 6.2.2 of RFC 3501 it does not, but I may be missing something.
_______________________________________________
Imap-protocol mailing list
Imap-protocol <at> u.washington.edu
http://mailman2.u.washington.edu/mailman/listinfo/imap-protocol
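The two ways of getting the server-final data to the client that these two posts discuss, as an added example (not code from either poster or from any IMAP server): a scripted server that can run either the proposed "[SASL-AD ...]" response code or the plain RFC 3501 path Alexey describes, where the final data arrives as one more "+" challenge and the client answers it with an empty response. The mechanism ("TOY", with fixed client-first / server-first / client-final / server-final strings) is a stand-in for SCRAM-SHA-1, and the "-" placeholder and SASL-AD keyword follow Simon's sketch rather than any registered extension.

```python
import base64
import re

# Tagged response: tag, status, optional [CODE data] response code, text.
TAGGED = re.compile(r'^(\S+) (OK|NO|BAD)(?: \[(\S+)(?: ([^\]]*))?\])?(?: (.*))?$')


def b64(s):
    return base64.b64encode(s.encode()).decode()


def unb64(s):
    return base64.b64decode(s).decode() if s else ''


class ToyServer:
    """Constructed IMAP server state machine for one AUTHENTICATE command.

    mode 'sasl-ad':  server-final data goes in the tagged OK response code
                     (Simon's proposal).
    mode 'rfc3501':  server-final data is sent as an extra "+" challenge and
                     the server waits for an empty client response (Alexey).
    """

    def __init__(self, mode):
        self.mode = mode
        self.state = 'ready'
        self.tag = None

    def handle(self, line):
        """Consume one client line, return the list of server lines."""
        if self.state == 'ready':
            parts = line.split(' ')
            self.tag, cmd, mech = parts[0], parts[1], parts[2]
            assert cmd == 'AUTHENTICATE' and mech == 'TOY'
            ir = parts[3] if len(parts) > 3 else None
            if ir in (None, '-'):            # no initial response: ask for it
                self.state = 'want_first'
                return ['+ ']
            return self._got_first(ir)
        if self.state == 'want_first':
            return self._got_first(line)
        if self.state == 'want_final':
            assert unb64(line) == 'p=proof'
            final = b64('v=verifier')
            if self.mode == 'sasl-ad':
                self.state = 'done'
                return ['%s OK [SASL-AD %s] Authenticated' % (self.tag, final)]
            self.state = 'want_empty'
            return ['+ ' + final]             # final data as a normal challenge
        if self.state == 'want_empty':
            assert line == ''                  # client must answer with an empty response
            self.state = 'done'
            return ['%s OK Authenticated' % self.tag]
        raise RuntimeError('unexpected line in state ' + self.state)

    def _got_first(self, ir):
        assert unb64(ir) == 'n=user'
        self.state = 'want_final'
        return ['+ ' + b64('r=nonce')]


def authenticate(server, tag, use_ir, use_sasl_ad):
    """Drive AUTHENTICATE TOY against server; return (ok, server_final).

    server_final is the decoded server-final message, from whichever of the
    two paths the server used, or None if the server sent none.
    """
    steps = iter(['n=user', 'p=proof'])       # the client's two messages
    cmd = '%s AUTHENTICATE TOY' % tag
    if use_ir:
        cmd += ' ' + b64(next(steps))          # SASL-IR initial response
    elif use_sasl_ad:
        cmd += ' -'                            # proposed placeholder: no IR, but an option follows
    if use_sasl_ad:
        cmd += ' SASL-AD'
    pending = server.handle(cmd)
    server_final = None
    while True:
        line = pending.pop(0)
        if line.startswith('+'):
            data = unb64(line[2:])
            try:
                reply = b64(next(steps))
            except StopIteration:
                # Nothing left to send: this challenge carries the
                # server-final data (RFC 3501 path); answer with an empty line.
                server_final = data
                reply = ''
            pending = server.handle(reply)
            continue
        m = TAGGED.match(line)
        if not m or m.group(1) != tag:
            raise RuntimeError('unexpected server line: ' + line)
        if m.group(3) == 'SASL-AD':            # proposed response code
            server_final = unb64(m.group(4))
        return m.group(2) == 'OK', server_final


if __name__ == '__main__':
    for mode, ir, ad in [('sasl-ad', True, True), ('sasl-ad', False, True),
                         ('rfc3501', True, False), ('rfc3501', False, False)]:
        print(mode, ir, ad, authenticate(ToyServer(mode), 'a1', ir, ad))
```

The client treats an unexpected extra challenge after its last message as the server-final data rather than as an error, which is what makes the RFC 3501 path work without any extension; the SASL-AD path saves that one round trip by putting the same data in the OK response code.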

Abhijit Menon-Sen | 17 Jul 2008 02:15

[Imap-protocol] Re: issue with the iPhone IMAP client

At 2008-07-16 16:32:54 -0700, janssen <at> parc.com wrote:
>
> C: 1 STARTTLS\r\n
> 
> [handshake takes place]
> 
> S: 1 OK STARTTLS completed\r\n

You should send this OK when you receive the STARTTLS command and before
you start the TLS negotiation.

-- ams

Abhijit Menon-Sen | 31 Jan 2008 08:38

[Imap-protocol] Re: Thunderbird confused by post-authenticate CAPABILITY change?

At 2008-01-28 11:45:29 -0800, janssen <at> parc.com wrote:
>
> After the channel is encrypted, but before any authentication, I send
>
> (2) IMAP4rev1 SASL-IR AUTH=PLAIN
>
> By the way, is this legal?

Yes, it's fine to omit STARTTLS after TLS is negotiated.

-- ams
