[squirrelmail.git] / doc / authentication.txt

**********************************************
IMAP AND SMTP AUTHENTICATION WITH SQUIRRELMAIL
$Id$
Chris Hilts tassium@squirrelmail.org
**********************************************

Prior to SquirrelMail 1.3.3, only plaintext logins for IMAP and SMTP were
supported.  With the release of SquirrelMail 1.3.3, support for the
CRAM-MD5 and DIGEST-MD5 auth mechanisms has been added.  TLS support has
also been added.  It is possible to use different methods for both IMAP and
SMTP. TLS is able to be enabled on a per-service basis as well.
Unless the administrator changes the authentication methods, SquirrelMail
will default to the "classic" plaintext methods, without TLS.

Note: There is no point in using TLS if your IMAP server is localhost. You need
root to sniff the loopback interface, and if you don't trust root, or an attacker
already has root, the game is over.  You've got a lot more to worry about beyond
having the loopback interface sniffed.

REQUIREMENTS
------------

CRAM/DIGEST-MD5
* SquirrelMail 1.3.3 or higher
* If you have the mhash extension to PHP, it will automatically
  be used, which may help performance on heavily loaded servers.
  ** NOTE: mhash is optional and no longer a requirement **

TLS
* SquirrelMail 1.3.3 or higher
* PHP 4.3.0 or higher (Check Release Notes for PHP 4.3.x information)
* The "STARTTLS" command is NOT supported.  The server you wish to use TLS
  on must have a dedicated port listening for TLS connections. (ie. port
  993 for IMAP, 465 for SMTP)
* If you use PHP 4.3.x, OpenSSL support must be compiled staticly. See
  PHP bug #29934 (http://bugs.php.net/bug.php?id=29934)

CONFIGURATION
-------------

All configuration is done using conf.pl, under main menu option #2.

conf.pl can now attempt to detect which mechanisms your servers support.
You must have set the host and port before attempting to detect, or you
may get inaccurate results, or a long wait while the connection times out.

If you get results that you know are wrong when you use auto-detection, I
need to know about it. Please send me the results you got, the results you
expected, and server type, name, and version (eg. "imap, Cyrus, v2.1.9").

KNOWN ISSUES
------------

DIGEST-MD5 has three different methods of operation. (qop options "auth",
"auth-int" and "auth-conf").  This implementation currently supports "auth"
only.  Work is being done to add the other two modes.

DIGEST-MD5 _may_ fail when authenticating with servers that supply more
than one "realm".  I have no servers of this type to test on, so if you do
and it fails, let me know!  (A big help would be for you to telnet to your
server, start a DIGEST-MD5 auth session, and include the challenge from the
server in your bug report.)

To get the challenge with IMAP:
   telnet <your server> imap
   [server says hello]
   A01 AUTHENTICATE DIGEST-MD5
   <copy the gobbledygook that the server sends - this is what I need>
   *
   [server says auth aborted]
   A02 LOGOUT
   [server says goodbye, closes connection]

To get the challenge with SMTP:
   telnet <your server> smtp
   [server sends some sort of "hello" banner]
   EHLO myhostname
   [server will probably list a bunch of capabilities]
   AUTH DIGEST-MD5
   <copy the gobbledygook that the server sends - this is what I need>
   *
   [server says auth aborted]
   QUIT
   [server says bye, closes connection]


OPTIONAL SMTP AUTH CONFIGURATION
--------------------------------

If you need all users to send mail via an upstream SMTP provider
(your ISP, for example), and that ISP requires authentication,
there are two variables that can be added to config_local.php
that will specify a sitewide SMTP username and password.

Set up SMTP authentication to the remote server according to the
instructions above, then add the following to config_local.php,
replacing <smtp_user> and <smtp_pass> with the username and password
you'd like to use for the entire site:

   $smtp_sitewide_user = '<smtp_user>';
   $smtp_sitewide_pass = '<smtp_pass>';

These values will be used to connect to the SMTP server as long
as the authentication mechanism is something besides 'none', i.e.
'login','plain','cram-md5', or 'digest-md5'.


[End]
Commit	Line	Data
03814228	1	**********************************************
03814228	2	IMAP AND SMTP AUTHENTICATION WITH SQUIRRELMAIL
2f854f5f	3	$Id$
2f854f5f	4	Chris Hilts tassium@squirrelmail.org
03814228	5	**********************************************
	6
	7	Prior to SquirrelMail 1.3.3, only plaintext logins for IMAP and SMTP were
	8	supported. With the release of SquirrelMail 1.3.3, support for the
	9	CRAM-MD5 and DIGEST-MD5 auth mechanisms has been added. TLS support has
	10	also been added. It is possible to use different methods for both IMAP and
	11	SMTP. TLS is able to be enabled on a per-service basis as well.
	12	Unless the administrator changes the authentication methods, SquirrelMail
	13	will default to the "classic" plaintext methods, without TLS.
	14
a8855d9c	15	Note: There is no point in using TLS if your IMAP server is localhost. You need
	16	root to sniff the loopback interface, and if you don't trust root, or an attacker
	17	already has root, the game is over. You've got a lot more to worry about beyond
	18	having the loopback interface sniffed.
	19
03814228	20	REQUIREMENTS
	21	------------
	22
	23	CRAM/DIGEST-MD5
	24	* SquirrelMail 1.3.3 or higher
639c7164	25	* If you have the mhash extension to PHP, it will automatically
	26	be used, which may help performance on heavily loaded servers.
	27	NOTE: mhash is optional and no longer a requirement
03814228	28
	29	TLS
	30	* SquirrelMail 1.3.3 or higher
a8855d9c	31	* PHP 4.3.0 or higher (Check Release Notes for PHP 4.3.x information)
03814228	32	* The "STARTTLS" command is NOT supported. The server you wish to use TLS
03814228	33	on must have a dedicated port listening for TLS connections. (ie. port
e50f5ac2	34	993 for IMAP, 465 for SMTP)
ad82f7c1	35	* If you use PHP 4.3.x, OpenSSL support must be compiled staticly. See
ad82f7c1	36	PHP bug #29934 (http://bugs.php.net/bug.php?id=29934)
03814228	37
	38	CONFIGURATION
	39	-------------
	40
	41	All configuration is done using conf.pl, under main menu option #2.
	42
1c6d997a	43	conf.pl can now attempt to detect which mechanisms your servers support.
	44	You must have set the host and port before attempting to detect, or you
	45	may get inaccurate results, or a long wait while the connection times out.
	46
	47	If you get results that you know are wrong when you use auto-detection, I
	48	need to know about it. Please send me the results you got, the results you
	49	expected, and server type, name, and version (eg. "imap, Cyrus, v2.1.9").
	50
03814228	51	KNOWN ISSUES
	52	------------
	53
	54	DIGEST-MD5 has three different methods of operation. (qop options "auth",
	55	"auth-int" and "auth-conf"). This implementation currently supports "auth"
	56	only. Work is being done to add the other two modes.
	57
	58	DIGEST-MD5 _may_ fail when authenticating with servers that supply more
	59	than one "realm". I have no servers of this type to test on, so if you do
	60	and it fails, let me know! (A big help would be for you to telnet to your
	61	server, start a DIGEST-MD5 auth session, and include the challenge from the
	62	server in your bug report.)
	63
	64	To get the challenge with IMAP:
e50f5ac2	65	telnet <your server> imap
	66	[server says hello]
	67	A01 AUTHENTICATE DIGEST-MD5
	68	<copy the gobbledygook that the server sends - this is what I need>
	69	*
	70	[server says auth aborted]
	71	A02 LOGOUT
	72	[server says goodbye, closes connection]
03814228	73
03814228	74	To get the challenge with SMTP:
e50f5ac2	75	telnet <your server> smtp
	76	[server sends some sort of "hello" banner]
	77	EHLO myhostname
	78	[server will probably list a bunch of capabilities]
	79	AUTH DIGEST-MD5
	80	<copy the gobbledygook that the server sends - this is what I need>
	81	*
	82	[server says auth aborted]
	83	QUIT
	84	[server says bye, closes connection]
03814228	85
c475d271	86
	87	OPTIONAL SMTP AUTH CONFIGURATION
	88	--------------------------------
	89
	90	If you need all users to send mail via an upstream SMTP provider
	91	(your ISP, for example), and that ISP requires authentication,
	92	there are two variables that can be added to config_local.php
	93	that will specify a sitewide SMTP username and password.
	94
e50f5ac2	95	Set up SMTP authentication to the remote server according to the
e50f5ac2	96	instructions above, then add the following to config_local.php,
c475d271	97	replacing <smtp_user> and <smtp_pass> with the username and password
	98	you'd like to use for the entire site:
	99
e50f5ac2	100	$smtp_sitewide_user = '<smtp_user>';
e50f5ac2	101	$smtp_sitewide_pass = '<smtp_pass>';
c475d271	102
	103	These values will be used to connect to the SMTP server as long
	104	as the authentication mechanism is something besides 'none', i.e.
	105	'login','plain','cram-md5', or 'digest-md5'.
	106
	107
03814228	108	[End]