SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) + SCRAM-SHA-512(-PLUS) + SCRAM-SHA3-512(-PLUS) supports

[Neustradamus]

Dear @gen-smtp team,

In first, I wish you a Happy New Year!

Can you add supports of:

• SCRAM-SHA-1
• SCRAM-SHA-1-PLUS
• SCRAM-SHA-256
• SCRAM-SHA-256-PLUS
• SCRAM-SHA-512
• SCRAM-SHA-512-PLUS
• SCRAM-SHA3-512
• SCRAM-SHA3-512-PLUS

You can add too:

• SCRAM-SHA-224
• SCRAM-SHA-224-PLUS
• SCRAM-SHA-384
• SCRAM-SHA-384-PLUS

Important history:

CRAM-MD5 to Historic:

• https://tools.ietf.org/html/draft-ietf-sasl-crammd5-to-historic-00 // 20 November 2008
• https://tools.ietf.org/html/draft-zeilenga-luis140219-crammd5-to-historic-00 // June 29, 2017

RFC6331: Moving DIGEST-MD5 to Historic:

• https://tools.ietf.org/html/rfc6331 // July 2011

RFC8600: https://tools.ietf.org/html/rfc8600 (2019-06-21): https://mailarchive.ietf.org/arch/msg/ietf-announce/suJMmeMhuAOmGn_PJYgX5Vm8lNA
When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802].

But in "Best practices for password hashing and storage" expired I-D:

• https://tools.ietf.org/html/draft-ietf-kitten-password-storage

- EXTERNAL
- SCRAM-SHA-256-PLUS
- SCRAM-SHA-1-PLUS
- SCRAM-SHA-256
- SCRAM-SHA-1
- PLAIN

---

About Channel Binding (for -PLUS variants):

• RFC5056: On the Use of Channel Bindings to Secure Channels: https://tools.ietf.org/html/rfc5056 // November 2007
• RFC5929: Channel Bindings for TLS: https://tools.ietf.org/html/rfc5929 // July 2010
• Channel-Binding Types: https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml
• RFC9266: Channel Bindings for TLS 1.3: https://tools.ietf.org/html/rfc9266 // July 2022

Some important XEPs:

• XEP-0388: Extensible SASL Profile: https://xmpp.org/extensions/xep-0388.html
• XEP-0440: SASL Channel-Binding Type Capability: https://xmpp.org/extensions/xep-0440.html
• XEP-0474: SASL SCRAM Downgrade Protection: https://xmpp.org/extensions/xep-0474.html
• XEP-0480: SASL Upgrade Tasks: https://xmpp.org/extensions/xep-0480.html

Little details, to know easily:

• tls-unique for TLS =< 1.2 (RFC5929)
• tls-server-end-point (RFC5929)
• tls-exporter for TLS = 1.3 (RFC9266)

After the jabber.ru MITM, Channel Binding is the solution:

• https://notes.valdikss.org.ru/jabber.ru-mitm/
• https://snikket.org/blog/on-the-jabber-ru-mitm/
• https://www.devever.net/~hl/xmpp-incident
• https://blog.jmp.chat/b/certwatch

---

SCRAM-SHA-1(-PLUS):

• RFC5802: Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms: https://tools.ietf.org/html/rfc5802 // July 2010
• RFC6120: Extensible Messaging and Presence Protocol (XMPP): Core: https://tools.ietf.org/html/rfc6120 // March 2011

SCRAM-SHA-256(-PLUS):

• RFC7677: SCRAM-SHA-256 and SCRAM-SHA-256-PLUS Simple Authentication and Security Layer (SASL) Mechanisms: https://tools.ietf.org/html/rfc7677 // 2015-11-02
• RFC8600: Using Extensible Messaging and Presence Protocol (XMPP) for Security Information Exchange: https://tools.ietf.org/html/rfc8600 // 2019-06-21: https://mailarchive.ietf.org/arch/msg/ietf-announce/suJMmeMhuAOmGn_PJYgX5Vm8lNA

SCRAM-SHA-512(-PLUS):

• https://tools.ietf.org/html/draft-melnikov-scram-sha-512

SCRAM-SHA3-512(-PLUS):

• https://tools.ietf.org/html/draft-melnikov-scram-sha3-512

SCRAM BIS: Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms:

• https://tools.ietf.org/html/draft-melnikov-scram-bis

IMAP:

• RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2: https://tools.ietf.org/html/rfc9051 // August 2021

LDAP:

• RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803 // July 2010

HTTP:

• RFC7804: Salted Challenge Response HTTP Authentication Mechanism: https://tools.ietf.org/html/rfc7804 // March 2016

JMAP:

• RFC8621: The JSON Meta Application Protocol (JMAP) for Mail: https://tools.ietf.org/html/rfc8621 // August 2019

2FA:

• Extensions to Salted Challenge Response (SCRAM) for 2 factor authentication: https://tools.ietf.org/html/draft-ietf-kitten-scram-2fa

IANA:

• Simple Authentication and Security Layer (SASL) Mechanisms: https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml

SASL2:

• Extensible Simple Authentication and Security Layer (SASL): https://tools.ietf.org/html/draft-melnikov-sasl2

Linked to:

• State of Play scram-sasl/info#1

[seriyps]

I implemented SCRAM-SHA-256 for Erlang's postgres driver, it was not the easiest thing =)

Is there a specific usecase? Maybe some overview article about SCRAM in SMTP?

[Neustradamus]

@seriyps: It will be excellent :)

Note, for example, that ProcessOne ejabberd and Erlang Solutions Mongoose IM have the support of SCRAM...

About "Mail", without libs, etc.:
From scram-sasl/info#1.

SCRAM-SHA-1 and SCRAM-SHA-256:

• SquirelMail (Webmail): https://github.com/RealityRipple/squirrelmail
• mpop (POP3 client): https://marlam.de/mpop/
• msmtp (SMTP client): https://marlam.de/msmtp/
• Exim (Mail server): https://bugs.exim.org/show_bug.cgi?id=2349 // Exim uses GNU SASL
• Dovecot 2.3.10 (Mail server): https://doc.dovecot.org/configuration_manual/authentication/password_schemes/ + https://dovecot.org/pipermail/dovecot-news/2020-March/000432.html
• Postfix with Dovecot SASL: https://postfix.org/
• PostfixAdmin with Postfix and Dovecot SASL: https://github.com/postfixadmin

SCRAM-SHA-1, SCRAM-SHA-256, SCRAM-SHA-512:

• SnappyMail (Webmail) : https://github.com/the-djmaze/snappymail + https://snappymail.eu/
• DataEnter CryptoFilter - The S/MIME Gateway: https://www.dataenter.com/beta/cryptofilter.htm
• DataEnter POPBeamer - The Mail Collector: https://www.dataenter.com/beta/popbeamer.htm
• DataEnter SMTPBeamer - The Mail Server: https://www.dataenter.com/beta/smtpbeamer.htm
• DataEnter XWall - The Mail Filter: https://www.dataenter.com/beta/xwall.htm

SCRAM-SHA-1(-PLUS), SCRAM-SHA-256(-PLUS), SCRAM-SHA-512(-PLUS):

• MimeKit: https://github.com/jstedfast/MailKit + http://www.mimekit.net/docs/html/Introduction.htm
• MailKit: https://github.com/jstedfast/MailKit + http://www.mimekit.net/docs/html/Introduction.htm

SCRAM-SHA-1(-PLUS), SCRAM-SHA-224(-PLUS), SCRAM-SHA-256(-PLUS), SCRAM-SHA-384(-PLUS), SCRAM-SHA-512(-PLUS):

• Cyrus SASL + Cyrus IMAP (Mail server): https://www.cyrusimap.org/sasl/sasl/authentication_mechanisms.html
• Postfix with Cyrus SASL: https://postfix.org/
• PostfixAdmin with Postfix and Cyrus SASL: https://github.com/postfixadmin
• Mutt (Mail client) with Cyrus SASL: http://mutt.org/
• NeoMutt (Mail client): https://neomutt.org/

SCRAM-SHA-1:

• Claws Mail (Mail client): IMAP only: https://www.claws-mail.org/
• Dovecot: https://doc.dovecot.org/configuration_manual/authentication/password_schemes/ (Dovecot 2.3.10 has SCRAM-SHA-1 and SCRAM-SHA-256)
• Postfix with Dovecot SASL: https://postfix.org/
• PostfixAdmin with Postfix and Dovecot SASL: https://github.com/postfixadmin

[Neustradamus]

I have added the last RFC in the description: RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2:

• https://tools.ietf.org/html/rfc9051

I wish you a good reading, I know it is IMAP ^^

[Neustradamus]

Dear @gen-smtp, @seriyps,

I wish you a Happy New Year 2024!

Have you progressed on it?

Thanks in advance.

[Vagabond]

maybe the way to handle this is to make authentication pluggable and then we could make an auth module that used https://github.com/esl/fast_scram ?

[Vagabond]

Actually I guess we could just add it as an optional dep, although SCRAM does seem quite invasive as it appears to take several steps to authenticate. Also we'd need a stringprep implementation.

[seriyps]

We have a stringprep algorithm in epgsql. It could be extracted as a separate app I guess

https://github.com/epgsql/epgsql/blob/devel/src/epgsql_sasl_prep_profile.erl

[Neustradamus]

If you want, there are:

Fast_TLS: TLS / SSL OpenSSL-based native driver for Erlang / Elixir

• https://github.com/processone/fast_tls

Stringprep: Fast Stringprep implementation for Erlang / Elixir

• https://github.com/processone/stringprep

[seriyps]

https://github.com/processone/stringprep is a NIF. Maybe it's ok. But maybe it's not :)

[Vagabond]

its probably going to be hard to do this without any NIFs, because there's a KDF involved

[seriyps]

@Vagabond I mean, Processone's stringprep (unicode password string normalization) is implemented as NIF, while we in epgsql did it in Erlang. Not sure how complete is it, because it was contributed from outside.

We did scram in Erlang as well, but it is quite ad-hoc
https://github.com/epgsql/epgsql/blob/7ba52768cf0ea7d084df24d4275a88eef4db13c2/src/epgsql_scram.erl#L72-L130

[Vagabond]

well, the reason pure-erlang is bad for a KDF is that if the client can do the KDF much faster than the server, than the inclination is to weaken the KDF to retain server performance, which gives a malicious client an advantage.

[seriyps]

Ah, got it. It was ok for epgsql because epgsql is a client, not server