[squirrelmail.git] / doc / authentication.txt

**********************************************
IMAP AND SMTP AUTHENTICATION WITH SQUIRRELMAIL
Preliminary documentation - 6 Dec 2002
Chris Hilts chilts@birdbrained.org
**********************************************

Prior to SquirrelMail 1.3.3, only plaintext logins for IMAP and SMTP were
supported.  With the release of SquirrelMail 1.3.3, support for the
CRAM-MD5 and DIGEST-MD5 auth mechanisms has been added.  TLS support has
also been added.  It is possible to use different methods for both IMAP and
SMTP. TLS is able to be enabled on a per-service basis as well.
Unless the administrator changes the authentication methods, SquirrelMail
will default to the "classic" plaintext methods, without TLS.

REQUIREMENTS
------------

CRAM/DIGEST-MD5
* SquirrelMail 1.3.3 or higher
* If you have the mhash extension to PHP, it will automatically
  be used, which may help performance on heavily loaded servers.
  ** NOTE: mhash is optional and no longer a requirement **

TLS
* SquirrelMail 1.3.3 or higher
* PHP 4.3.0 or higher
* The "STARTTLS" command is NOT supported.  The server you wish to use TLS
  on must have a dedicated port listening for TLS connections. (ie. port
  993 for IMAP, 465 for SMTP) 

CONFIGURATION
-------------

All configuration is done using conf.pl, under main menu option #2.

KNOWN ISSUES
------------

DIGEST-MD5 has three different methods of operation. (qop options "auth",
"auth-int" and "auth-conf").  This implementation currently supports "auth"
only.  Work is being done to add the other two modes.

DIGEST-MD5 _may_ fail when authenticating with servers that supply more
than one "realm".  I have no servers of this type to test on, so if you do
and it fails, let me know!  (A big help would be for you to telnet to your
server, start a DIGEST-MD5 auth session, and include the challenge from the
server in your bug report.)

To get the challenge with IMAP:
	telnet <your server> imap
	[server says hello]
	A01 AUTHENTICATE DIGEST-MD5
	<copy the gobbledygook that the server sends - this is what I need>
	*
	[server says auth aborted]
	A02 LOGOUT
	[server says goodbye, closes connection]

To get the challenge with SMTP:
	telnet <your server> smtp
	[server sends some sort of "hello" banner]
	EHLO myhostname
	[server will probably list a bunch of capabilities]
	AUTH DIGEST-MD5
	<copy the gobbledygook that the server sends - this is what I need>
	*
	[server says auth aborted]
	QUIT
	[server says bye, closes connection]

[End]
Commit	Line	Data
03814228	1	**********************************************
03814228	2	IMAP AND SMTP AUTHENTICATION WITH SQUIRRELMAIL
639c7164	3	Preliminary documentation - 6 Dec 2002
03814228	4	Chris Hilts chilts@birdbrained.org
	5	**********************************************
	6
	7	Prior to SquirrelMail 1.3.3, only plaintext logins for IMAP and SMTP were
	8	supported. With the release of SquirrelMail 1.3.3, support for the
	9	CRAM-MD5 and DIGEST-MD5 auth mechanisms has been added. TLS support has
	10	also been added. It is possible to use different methods for both IMAP and
	11	SMTP. TLS is able to be enabled on a per-service basis as well.
	12	Unless the administrator changes the authentication methods, SquirrelMail
	13	will default to the "classic" plaintext methods, without TLS.
	14
	15	REQUIREMENTS
	16	------------
	17
	18	CRAM/DIGEST-MD5
	19	* SquirrelMail 1.3.3 or higher
639c7164	20	* If you have the mhash extension to PHP, it will automatically
	21	be used, which may help performance on heavily loaded servers.
	22	NOTE: mhash is optional and no longer a requirement
03814228	23
	24	TLS
	25	* SquirrelMail 1.3.3 or higher
	26	* PHP 4.3.0 or higher
	27	* The "STARTTLS" command is NOT supported. The server you wish to use TLS
	28	on must have a dedicated port listening for TLS connections. (ie. port
	29	993 for IMAP, 465 for SMTP)
	30
	31	CONFIGURATION
	32	-------------
	33
	34	All configuration is done using conf.pl, under main menu option #2.
	35
	36	KNOWN ISSUES
	37	------------
	38
	39	DIGEST-MD5 has three different methods of operation. (qop options "auth",
	40	"auth-int" and "auth-conf"). This implementation currently supports "auth"
	41	only. Work is being done to add the other two modes.
	42
	43	DIGEST-MD5 _may_ fail when authenticating with servers that supply more
	44	than one "realm". I have no servers of this type to test on, so if you do
	45	and it fails, let me know! (A big help would be for you to telnet to your
	46	server, start a DIGEST-MD5 auth session, and include the challenge from the
	47	server in your bug report.)
	48
	49	To get the challenge with IMAP:
	50	telnet <your server> imap
	51	[server says hello]
	52	A01 AUTHENTICATE DIGEST-MD5
	53	<copy the gobbledygook that the server sends - this is what I need>
	54	*
	55	[server says auth aborted]
	56	A02 LOGOUT
	57	[server says goodbye, closes connection]
	58
	59	To get the challenge with SMTP:
	60	telnet <your server> smtp
	61	[server sends some sort of "hello" banner]
	62	EHLO myhostname
	63	[server will probably list a bunch of capabilities]
	64	AUTH DIGEST-MD5
	65	<copy the gobbledygook that the server sends - this is what I need>
	66	*
	67	[server says auth aborted]
	68	QUIT
	69	[server says bye, closes connection]
	70
	71	[End]