fixesfixes
[squirrelmail.git] / doc / authentication.txt
CommitLineData
03814228 1**********************************************
2IMAP AND SMTP AUTHENTICATION WITH SQUIRRELMAIL
639c7164 3Preliminary documentation - 6 Dec 2002
03814228 4Chris Hilts chilts@birdbrained.org
5**********************************************
6
7Prior to SquirrelMail 1.3.3, only plaintext logins for IMAP and SMTP were
8supported. With the release of SquirrelMail 1.3.3, support for the
9CRAM-MD5 and DIGEST-MD5 auth mechanisms has been added. TLS support has
10also been added. It is possible to use different methods for both IMAP and
11SMTP. TLS is able to be enabled on a per-service basis as well.
12Unless the administrator changes the authentication methods, SquirrelMail
13will default to the "classic" plaintext methods, without TLS.
14
a8855d9c 15Note: There is no point in using TLS if your IMAP server is localhost. You need
16root to sniff the loopback interface, and if you don't trust root, or an attacker
17already has root, the game is over. You've got a lot more to worry about beyond
18having the loopback interface sniffed.
19
03814228 20REQUIREMENTS
21------------
22
23CRAM/DIGEST-MD5
24* SquirrelMail 1.3.3 or higher
639c7164 25* If you have the mhash extension to PHP, it will automatically
26 be used, which may help performance on heavily loaded servers.
27 ** NOTE: mhash is optional and no longer a requirement **
03814228 28
29TLS
30* SquirrelMail 1.3.3 or higher
a8855d9c 31* PHP 4.3.0 or higher (Check Release Notes for PHP 4.3.x information)
03814228 32* The "STARTTLS" command is NOT supported. The server you wish to use TLS
33 on must have a dedicated port listening for TLS connections. (ie. port
34 993 for IMAP, 465 for SMTP)
35
36CONFIGURATION
37-------------
38
39All configuration is done using conf.pl, under main menu option #2.
40
1c6d997a 41conf.pl can now attempt to detect which mechanisms your servers support.
42You must have set the host and port before attempting to detect, or you
43may get inaccurate results, or a long wait while the connection times out.
44
45If you get results that you know are wrong when you use auto-detection, I
46need to know about it. Please send me the results you got, the results you
47expected, and server type, name, and version (eg. "imap, Cyrus, v2.1.9").
48
03814228 49KNOWN ISSUES
50------------
51
52DIGEST-MD5 has three different methods of operation. (qop options "auth",
53"auth-int" and "auth-conf"). This implementation currently supports "auth"
54only. Work is being done to add the other two modes.
55
56DIGEST-MD5 _may_ fail when authenticating with servers that supply more
57than one "realm". I have no servers of this type to test on, so if you do
58and it fails, let me know! (A big help would be for you to telnet to your
59server, start a DIGEST-MD5 auth session, and include the challenge from the
60server in your bug report.)
61
62To get the challenge with IMAP:
63 telnet <your server> imap
64 [server says hello]
65 A01 AUTHENTICATE DIGEST-MD5
66 <copy the gobbledygook that the server sends - this is what I need>
67 *
68 [server says auth aborted]
69 A02 LOGOUT
70 [server says goodbye, closes connection]
71
72To get the challenge with SMTP:
73 telnet <your server> smtp
74 [server sends some sort of "hello" banner]
75 EHLO myhostname
76 [server will probably list a bunch of capabilities]
77 AUTH DIGEST-MD5
78 <copy the gobbledygook that the server sends - this is what I need>
79 *
80 [server says auth aborted]
81 QUIT
82 [server says bye, closes connection]
83
84[End]