-
Notifications
You must be signed in to change notification settings - Fork 38
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add SCRAM-SHA-1, SCRAM-SHA-224, SCRAM-SHA-256, SCRAM-SHA-384 and SCRA…
…M-SHA-512 support (#76) * SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) + SCRAM-SHA-512(-PLUS) supports #57 * Update README.rst * Sort authentication methods alphabetical and mark CRAM-MD5, DIGEST-MD5 and LOGIN as DEPRECATED
- Loading branch information
1 parent
d7b3f6a
commit 0eef319
Showing
2 changed files
with
235 additions
and
33 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -6,8 +6,11 @@ | |
User Documentation | ||
-------------------- | ||
|
||
:Author: Jon Parise | ||
:Contact: [email protected] | ||
+--------+-----------+----------------------+ | ||
|Author: |Jon Parise |Armin Graefe | | ||
+--------+-----------+----------------------+ | ||
|Contact:|[email protected]|[email protected]| | ||
+--------+-----------+----------------------+ | ||
|
||
.. contents:: Table of Contents | ||
.. section-numbering:: | ||
|
@@ -41,9 +44,9 @@ The ``Auth_SASL`` Package | |
------------------------- | ||
|
||
The `Auth_SASL`_ package is an optional dependency. If it is available, the | ||
Net_SMTP package will be able to support the DIGEST-MD5_ and CRAM-MD5_ SMTP | ||
authentication methods. Otherwise, only the LOGIN_ and PLAIN_ methods will | ||
be available. | ||
Net_SMTP package will be able to support the DIGEST-MD5_, CRAM-MD5_ and | ||
SCRAM-SHA_ SMTP authentication methods. Otherwise, only the LOGIN_ and | ||
PLAIN_ methods will be available. | ||
|
||
Error Handling | ||
============== | ||
|
@@ -67,25 +70,25 @@ methods, in order of preference: | |
|
||
.. _RFC-2554: https://www.ietf.org/rfc/rfc2554.txt | ||
|
||
GSSAPI | ||
------ | ||
CRAM-MD5 (DEPRECATED) | ||
-------- | ||
|
||
The GSSAPI authentication method uses Kerberos 5 protocol (RFC-4120_). | ||
Does not use user/password. | ||
Requires Service Principal ``gssapi_principal`` parameter and | ||
has an optional Credentials Cache ``gssapi_cname`` parameter. | ||
Requires DNS and Key Distribution Center (KDC) setup. | ||
It is considered the most secure method of SMTP authentication. | ||
**DEPRECATED** | ||
This authentication method is no longer secure and should be avoided. | ||
|
||
**Note:** The GSSAPI authentication method is only supported | ||
if the krb5_ php extension is available. | ||
The CRAM-MD5 authentication method has been superseded by the DIGEST-MD5_ | ||
method in terms of security. It is provided here for compatibility with | ||
older SMTP servers that may not support the newer DIGEST-MD5 algorithm. | ||
|
||
.. _RFC-4120: https://tools.ietf.org/html/rfc4120 | ||
.. _krb5: https://pecl.php.net/package/krb5 | ||
**Note:** The CRAM-MD5 authentication method is only supported if the | ||
AUTH_SASL_ package is available. | ||
|
||
DIGEST-MD5 | ||
DIGEST-MD5 (DEPRECATED) | ||
---------- | ||
|
||
**DEPRECATED** | ||
This authentication method is no longer secure and should be avoided. | ||
|
||
The DIGEST-MD5 authentication method uses `RSA Data Security Inc.`_'s MD5 | ||
Message Digest algorithm. It is considered a more secure method of SMTP | ||
authentication than PLAIN or LOGIN, while still vulnerable to MitM attacks | ||
|
@@ -96,31 +99,54 @@ AUTH_SASL_ package is available. | |
|
||
.. _RSA Data Security Inc.: https://www.rsasecurity.com/ | ||
|
||
CRAM-MD5 | ||
-------- | ||
GSSAPI | ||
------ | ||
|
||
The CRAM-MD5 authentication method has been superseded by the DIGEST-MD5_ | ||
method in terms of security. It is provided here for compatibility with | ||
older SMTP servers that may not support the newer DIGEST-MD5 algorithm. | ||
The GSSAPI authentication method uses Kerberos 5 protocol (RFC-4120_). | ||
Does not use user/password. | ||
Requires Service Principal ``gssapi_principal`` parameter and | ||
has an optional Credentials Cache ``gssapi_cname`` parameter. | ||
Requires DNS and Key Distribution Center (KDC) setup. | ||
It is considered the most secure method of SMTP authentication. | ||
|
||
**Note:** The CRAM-MD5 authentication method is only supported if the | ||
AUTH_SASL_ package is available. | ||
**Note:** The GSSAPI authentication method is only supported | ||
if the krb5_ php extension is available. | ||
|
||
LOGIN | ||
.. _RFC-4120: https://tools.ietf.org/html/rfc4120 | ||
.. _krb5: https://pecl.php.net/package/krb5 | ||
|
||
LOGIN (DEPRECATED) | ||
----- | ||
|
||
**DEPRECATED** | ||
This authentication method is no longer secure and should be avoided. | ||
|
||
The LOGIN authentication method encrypts the user's password using the | ||
Base64_ encoding scheme. Because decrypting a Base64-encoded string is | ||
trivial, LOGIN is not considered a secure authentication method and should | ||
be avoided. | ||
trivial. | ||
|
||
.. _Base64: https://www.php.net/manual/en/function.base64-encode.php | ||
|
||
PLAIN | ||
----- | ||
|
||
This authentication method is no longer secure and should only be used | ||
local or via an TLS encrypted connection. | ||
|
||
The PLAIN authentication method sends the user's password in plain text. | ||
This method of authentication is not secure and should be avoided. | ||
|
||
SCRAM | ||
-------- | ||
|
||
In cryptography, the Salted Challenge Response Authentication Mechanism (SCRAM) | ||
is a family of modern, password-based challenge–response authentication mechanisms | ||
providing authentication to a server. | ||
|
||
Available mechanisms are SCRAM-SHA-1, SCRAM-SHA-224, SCRAM-SHA-256, SCRAM-SHA-384 | ||
and SCRAM-SHA-512. | ||
|
||
**Note:** The SCRAM-SHA authentication method is only supported if the | ||
AUTH_SASL_ package is available. | ||
|
||
XOAUTH2 | ||
------- | ||
|