serv/mox
1
0
Fork 0
mirror of https://github.com/mjl-/mox.git synced 2024-12-26 16:33:47 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
mox/imapserver/authenticate_test.go

213 lines
7.1 KiB
Go
Raw Normal View History

mox!
2023-01-30 16:27:06 +03:00
package imapserver
import (
support cram-md5 authentication for imap and smtp and change thunderbird autoconfiguration to use it. unfortunately, for microsoft autodiscover, there appears to be no way to request secure password negotiation. so it will default to plain text auth. cram-md5 is less secure than scram-sha-*, but thunderbird does not yet support scram auth. it currently chooses "plain", sending the literal password over the connection (which is TLS-protected, but we don't want to receive clear text passwords). in short, cram-md5 is better than nothing... for cram-md5 to work, a new set of derived credentials need to be stored in the database. so you need to save your password again to make it work. this was also the case with the scram-sha-1 addition, but i forgot to mention it then.
2023-02-05 18:29:03 +03:00
"crypto/hmac"
"crypto/md5"
add support for SCRAM-SHA-1 the idea is that clients may not support SCRAM-SHA-256, but may support SCRAM-SHA-1. if they do support the 256 variant, they'll use it. unfortunately, thunderbird does not support scram-sha-1 either.
2023-02-05 14:30:14 +03:00
"crypto/sha1"
"crypto/sha256"
mox!
2023-01-30 16:27:06 +03:00
"encoding/base64"
"errors"
support cram-md5 authentication for imap and smtp and change thunderbird autoconfiguration to use it. unfortunately, for microsoft autodiscover, there appears to be no way to request secure password negotiation. so it will default to plain text auth. cram-md5 is less secure than scram-sha-*, but thunderbird does not yet support scram auth. it currently chooses "plain", sending the literal password over the connection (which is TLS-protected, but we don't want to receive clear text passwords). in short, cram-md5 is better than nothing... for cram-md5 to work, a new set of derived credentials need to be stored in the database. so you need to save your password again to make it work. this was also the case with the scram-sha-1 addition, but i forgot to mention it then.
2023-02-05 18:29:03 +03:00
"fmt"
add support for SCRAM-SHA-1 the idea is that clients may not support SCRAM-SHA-256, but may support SCRAM-SHA-1. if they do support the 256 variant, they'll use it. unfortunately, thunderbird does not support scram-sha-1 either.
2023-02-05 14:30:14 +03:00
"hash"
mox!
2023-01-30 16:27:06 +03:00
"strings"
"testing"
prevent unicode-confusion in password by applying PRECIS, and username/email address by applying unicode NFC normalization an é (e with accent) can also be written as e+\u0301. the first form is NFC, the second NFD. when logging in, we transform usernames (email addresses) to NFC. so both forms will be accepted. if a client is using NFD, they can log in too. for passwords, we apply the PRECIS "opaquestring", which (despite the name) transforms the value too: unicode spaces are replaced with ascii spaces. the string is also normalized to NFC. PRECIS may reject confusing passwords when you set a password.
2024-03-09 01:29:15 +03:00
"golang.org/x/text/secure/precis"
mox!
2023-01-30 16:27:06 +03:00
"github.com/mjl-/mox/scram"
)
prevent unicode-confusion in password by applying PRECIS, and username/email address by applying unicode NFC normalization an é (e with accent) can also be written as e+\u0301. the first form is NFC, the second NFD. when logging in, we transform usernames (email addresses) to NFC. so both forms will be accepted. if a client is using NFD, they can log in too. for passwords, we apply the PRECIS "opaquestring", which (despite the name) transforms the value too: unicode spaces are replaced with ascii spaces. the string is also normalized to NFC. PRECIS may reject confusing passwords when you set a password.
2024-03-09 01:29:15 +03:00
func TestAuthenticateLogin(t *testing.T) {
// NFD username and PRECIS-cleaned password.
tc := start(t)
tc.client.Login("mo\u0301x@mox.example", password1)
tc.close()
}
mox!
2023-01-30 16:27:06 +03:00
func TestAuthenticatePlain(t *testing.T) {
tc := start(t)
tc.transactf("no", "authenticate bogus ")
tc.transactf("bad", "authenticate plain not base64...")
tc.transactf("no", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("\u0000baduser\u0000badpass")))
tc.xcode("AUTHENTICATIONFAILED")
tc.transactf("no", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("\u0000mjl@mox.example\u0000badpass")))
tc.xcode("AUTHENTICATIONFAILED")
tc.transactf("no", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("\u0000mjl\u0000badpass"))) // Need email, not account.
tc.xcode("AUTHENTICATIONFAILED")
tc.transactf("no", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("\u0000mjl@mox.example\u0000test")))
tc.xcode("AUTHENTICATIONFAILED")
prevent unicode-confusion in password by applying PRECIS, and username/email address by applying unicode NFC normalization an é (e with accent) can also be written as e+\u0301. the first form is NFC, the second NFD. when logging in, we transform usernames (email addresses) to NFC. so both forms will be accepted. if a client is using NFD, they can log in too. for passwords, we apply the PRECIS "opaquestring", which (despite the name) transforms the value too: unicode spaces are replaced with ascii spaces. the string is also normalized to NFC. PRECIS may reject confusing passwords when you set a password.
2024-03-09 01:29:15 +03:00
tc.transactf("no", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("\u0000mjl@mox.example\u0000test"+password0)))
mox!
2023-01-30 16:27:06 +03:00
tc.xcode("AUTHENTICATIONFAILED")
tc.transactf("bad", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("\u0000")))
tc.xcode("")
prevent unicode-confusion in password by applying PRECIS, and username/email address by applying unicode NFC normalization an é (e with accent) can also be written as e+\u0301. the first form is NFC, the second NFD. when logging in, we transform usernames (email addresses) to NFC. so both forms will be accepted. if a client is using NFD, they can log in too. for passwords, we apply the PRECIS "opaquestring", which (despite the name) transforms the value too: unicode spaces are replaced with ascii spaces. the string is also normalized to NFC. PRECIS may reject confusing passwords when you set a password.
2024-03-09 01:29:15 +03:00
tc.transactf("no", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("other\u0000mjl@mox.example\u0000"+password0)))
mox!
2023-01-30 16:27:06 +03:00
tc.xcode("AUTHORIZATIONFAILED")
prevent unicode-confusion in password by applying PRECIS, and username/email address by applying unicode NFC normalization an é (e with accent) can also be written as e+\u0301. the first form is NFC, the second NFD. when logging in, we transform usernames (email addresses) to NFC. so both forms will be accepted. if a client is using NFD, they can log in too. for passwords, we apply the PRECIS "opaquestring", which (despite the name) transforms the value too: unicode spaces are replaced with ascii spaces. the string is also normalized to NFC. PRECIS may reject confusing passwords when you set a password.
2024-03-09 01:29:15 +03:00
tc.transactf("ok", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("\u0000mjl@mox.example\u0000"+password0)))
tc.close()
tc = start(t)
tc.transactf("ok", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("mjl@mox.example\u0000mjl@mox.example\u0000"+password0)))
mox!
2023-01-30 16:27:06 +03:00
tc.close()
prevent unicode-confusion in password by applying PRECIS, and username/email address by applying unicode NFC normalization an é (e with accent) can also be written as e+\u0301. the first form is NFC, the second NFD. when logging in, we transform usernames (email addresses) to NFC. so both forms will be accepted. if a client is using NFD, they can log in too. for passwords, we apply the PRECIS "opaquestring", which (despite the name) transforms the value too: unicode spaces are replaced with ascii spaces. the string is also normalized to NFC. PRECIS may reject confusing passwords when you set a password.
2024-03-09 01:29:15 +03:00
// NFD username and PRECIS-cleaned password.
mox!
2023-01-30 16:27:06 +03:00
tc = start(t)
prevent unicode-confusion in password by applying PRECIS, and username/email address by applying unicode NFC normalization an é (e with accent) can also be written as e+\u0301. the first form is NFC, the second NFD. when logging in, we transform usernames (email addresses) to NFC. so both forms will be accepted. if a client is using NFD, they can log in too. for passwords, we apply the PRECIS "opaquestring", which (despite the name) transforms the value too: unicode spaces are replaced with ascii spaces. the string is also normalized to NFC. PRECIS may reject confusing passwords when you set a password.
2024-03-09 01:29:15 +03:00
tc.transactf("ok", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("mo\u0301x@mox.example\u0000mo\u0301x@mox.example\u0000"+password1)))
mox!
2023-01-30 16:27:06 +03:00
tc.close()
tc = start(t)
prevent unicode-confusion in password by applying PRECIS, and username/email address by applying unicode NFC normalization an é (e with accent) can also be written as e+\u0301. the first form is NFC, the second NFD. when logging in, we transform usernames (email addresses) to NFC. so both forms will be accepted. if a client is using NFD, they can log in too. for passwords, we apply the PRECIS "opaquestring", which (despite the name) transforms the value too: unicode spaces are replaced with ascii spaces. the string is also normalized to NFC. PRECIS may reject confusing passwords when you set a password.
2024-03-09 01:29:15 +03:00
tc.client.AuthenticatePlain("mjl@mox.example", password0)
mox!
2023-01-30 16:27:06 +03:00
tc.close()
tc = start(t)
defer tc.close()
tc.cmdf("", "authenticate plain")
tc.readprefixline("+ ")
tc.writelinef("*") // Aborts.
tc.readstatus("bad")
tc.cmdf("", "authenticate plain")
imap continuations must have a space after the "+" prevented at least the gmail/mail (?) android app from appending a sent message to the sent mailbox.
2023-07-24 20:54:55 +03:00
tc.readprefixline("+ ")
prevent unicode-confusion in password by applying PRECIS, and username/email address by applying unicode NFC normalization an é (e with accent) can also be written as e+\u0301. the first form is NFC, the second NFD. when logging in, we transform usernames (email addresses) to NFC. so both forms will be accepted. if a client is using NFD, they can log in too. for passwords, we apply the PRECIS "opaquestring", which (despite the name) transforms the value too: unicode spaces are replaced with ascii spaces. the string is also normalized to NFC. PRECIS may reject confusing passwords when you set a password.
2024-03-09 01:29:15 +03:00
tc.writelinef("%s", base64.StdEncoding.EncodeToString([]byte("\u0000mjl@mox.example\u0000"+password0)))
mox!
2023-01-30 16:27:06 +03:00
tc.readstatus("ok")
}
add support for SCRAM-SHA-1 the idea is that clients may not support SCRAM-SHA-256, but may support SCRAM-SHA-1. if they do support the 256 variant, they'll use it. unfortunately, thunderbird does not support scram-sha-1 either.
2023-02-05 14:30:14 +03:00
func TestAuthenticateSCRAMSHA1(t *testing.T) {
implement the plus variants of scram, to bind the authentication exchange to the tls connection to get the security benefits (detecting mitm attempts), explicitly configure clients to use a scram plus variant, e.g. scram-sha-256-plus. unfortunately, not many clients support it yet. imapserver scram plus support seems to work with the latest imtest (imap test client) from cyrus-sasl. no success yet with mutt (with gsasl) though.
2023-12-24 01:07:21 +03:00
testAuthenticateSCRAM(t, false, "SCRAM-SHA-1", sha1.New)
add support for SCRAM-SHA-1 the idea is that clients may not support SCRAM-SHA-256, but may support SCRAM-SHA-1. if they do support the 256 variant, they'll use it. unfortunately, thunderbird does not support scram-sha-1 either.
2023-02-05 14:30:14 +03:00
}
mox!
2023-01-30 16:27:06 +03:00
func TestAuthenticateSCRAMSHA256(t *testing.T) {
implement the plus variants of scram, to bind the authentication exchange to the tls connection to get the security benefits (detecting mitm attempts), explicitly configure clients to use a scram plus variant, e.g. scram-sha-256-plus. unfortunately, not many clients support it yet. imapserver scram plus support seems to work with the latest imtest (imap test client) from cyrus-sasl. no success yet with mutt (with gsasl) though.
2023-12-24 01:07:21 +03:00
testAuthenticateSCRAM(t, false, "SCRAM-SHA-256", sha256.New)
add support for SCRAM-SHA-1 the idea is that clients may not support SCRAM-SHA-256, but may support SCRAM-SHA-1. if they do support the 256 variant, they'll use it. unfortunately, thunderbird does not support scram-sha-1 either.
2023-02-05 14:30:14 +03:00
}
implement the plus variants of scram, to bind the authentication exchange to the tls connection to get the security benefits (detecting mitm attempts), explicitly configure clients to use a scram plus variant, e.g. scram-sha-256-plus. unfortunately, not many clients support it yet. imapserver scram plus support seems to work with the latest imtest (imap test client) from cyrus-sasl. no success yet with mutt (with gsasl) though.
2023-12-24 01:07:21 +03:00
func TestAuthenticateSCRAMSHA1PLUS(t *testing.T) {
testAuthenticateSCRAM(t, true, "SCRAM-SHA-1-PLUS", sha1.New)
}
func TestAuthenticateSCRAMSHA256PLUS(t *testing.T) {
testAuthenticateSCRAM(t, true, "SCRAM-SHA-256-PLUS", sha256.New)
}
func testAuthenticateSCRAM(t *testing.T, tls bool, method string, h func() hash.Hash) {
tc := startArgs(t, true, tls, true, true, "mjl")
prevent unicode-confusion in password by applying PRECIS, and username/email address by applying unicode NFC normalization an é (e with accent) can also be written as e+\u0301. the first form is NFC, the second NFD. when logging in, we transform usernames (email addresses) to NFC. so both forms will be accepted. if a client is using NFD, they can log in too. for passwords, we apply the PRECIS "opaquestring", which (despite the name) transforms the value too: unicode spaces are replaced with ascii spaces. the string is also normalized to NFC. PRECIS may reject confusing passwords when you set a password.
2024-03-09 01:29:15 +03:00
tc.client.AuthenticateSCRAM(method, h, "mjl@mox.example", password0)
mox!
2023-01-30 16:27:06 +03:00
tc.close()
auth := func(status string, serverFinalError error, username, password string) {
t.Helper()
implement the plus variants of scram, to bind the authentication exchange to the tls connection to get the security benefits (detecting mitm attempts), explicitly configure clients to use a scram plus variant, e.g. scram-sha-256-plus. unfortunately, not many clients support it yet. imapserver scram plus support seems to work with the latest imtest (imap test client) from cyrus-sasl. no success yet with mutt (with gsasl) though.
2023-12-24 01:07:21 +03:00
noServerPlus := false
sc := scram.NewClient(h, username, "", noServerPlus, tc.client.TLSConnectionState())
mox!
2023-01-30 16:27:06 +03:00
clientFirst, err := sc.ClientFirst()
tc.check(err, "scram clientFirst")
tc.client.LastTag = "x001"
add support for SCRAM-SHA-1 the idea is that clients may not support SCRAM-SHA-256, but may support SCRAM-SHA-1. if they do support the 256 variant, they'll use it. unfortunately, thunderbird does not support scram-sha-1 either.
2023-02-05 14:30:14 +03:00
tc.writelinef("%s authenticate %s %s", tc.client.LastTag, method, base64.StdEncoding.EncodeToString([]byte(clientFirst)))
mox!
2023-01-30 16:27:06 +03:00
xreadContinuation := func() []byte {
line, _, result, rerr := tc.client.ReadContinuation()
tc.check(rerr, "read continuation")
if result.Status != "" {
tc.t.Fatalf("expected continuation")
}
buf, err := base64.StdEncoding.DecodeString(line)
tc.check(err, "parsing base64 from remote")
return buf
}
serverFirst := xreadContinuation()
clientFinal, err := sc.ServerFirst(serverFirst, password)
tc.check(err, "scram clientFinal")
tc.writelinef("%s", base64.StdEncoding.EncodeToString([]byte(clientFinal)))
serverFinal := xreadContinuation()
err = sc.ServerFinal(serverFinal)
if serverFinalError == nil {
tc.check(err, "scram serverFinal")
} else if err == nil || !errors.Is(err, serverFinalError) {
t.Fatalf("server final, got err %#v, expected %#v", err, serverFinalError)
}
add scram-sha-256 for smtp similar to imap. the code should be merged. this also reads the abort-line after authentication failure.
2023-01-31 02:22:26 +03:00
if serverFinalError != nil {
tc.writelinef("*")
} else {
tc.writelinef("")
}
mox!
2023-01-30 16:27:06 +03:00
_, result, err := tc.client.Response()
tc.check(err, "read response")
if string(result.Status) != strings.ToUpper(status) {
tc.t.Fatalf("got status %q, expected %q", result.Status, strings.ToUpper(status))
}
}
implement the plus variants of scram, to bind the authentication exchange to the tls connection to get the security benefits (detecting mitm attempts), explicitly configure clients to use a scram plus variant, e.g. scram-sha-256-plus. unfortunately, not many clients support it yet. imapserver scram plus support seems to work with the latest imtest (imap test client) from cyrus-sasl. no success yet with mutt (with gsasl) though.
2023-12-24 01:07:21 +03:00
tc = startArgs(t, true, tls, true, true, "mjl")
mox!
2023-01-30 16:27:06 +03:00
auth("no", scram.ErrInvalidProof, "mjl@mox.example", "badpass")
auth("no", scram.ErrInvalidProof, "mjl@mox.example", "")
// todo: server aborts due to invalid username. we should probably make client continue with fake determinisitically generated salt and result in error in the end.
prevent unicode-confusion in password by applying PRECIS, and username/email address by applying unicode NFC normalization an é (e with accent) can also be written as e+\u0301. the first form is NFC, the second NFD. when logging in, we transform usernames (email addresses) to NFC. so both forms will be accepted. if a client is using NFD, they can log in too. for passwords, we apply the PRECIS "opaquestring", which (despite the name) transforms the value too: unicode spaces are replaced with ascii spaces. the string is also normalized to NFC. PRECIS may reject confusing passwords when you set a password.
2024-03-09 01:29:15 +03:00
// auth("no", nil, "other@mox.example", password0)
mox!
2023-01-30 16:27:06 +03:00
tc.transactf("no", "authenticate bogus ")
add support for SCRAM-SHA-1 the idea is that clients may not support SCRAM-SHA-256, but may support SCRAM-SHA-1. if they do support the 256 variant, they'll use it. unfortunately, thunderbird does not support scram-sha-1 either.
2023-02-05 14:30:14 +03:00
tc.transactf("bad", "authenticate %s not base64...", method)
tc.transactf("bad", "authenticate %s %s", method, base64.StdEncoding.EncodeToString([]byte("bad data")))
prevent unicode-confusion in password by applying PRECIS, and username/email address by applying unicode NFC normalization an é (e with accent) can also be written as e+\u0301. the first form is NFC, the second NFD. when logging in, we transform usernames (email addresses) to NFC. so both forms will be accepted. if a client is using NFD, they can log in too. for passwords, we apply the PRECIS "opaquestring", which (despite the name) transforms the value too: unicode spaces are replaced with ascii spaces. the string is also normalized to NFC. PRECIS may reject confusing passwords when you set a password.
2024-03-09 01:29:15 +03:00
// NFD username, with PRECIS-cleaned password.
auth("ok", nil, "mo\u0301x@mox.example", password1)
mox!
2023-01-30 16:27:06 +03:00
tc.close()
}
support cram-md5 authentication for imap and smtp and change thunderbird autoconfiguration to use it. unfortunately, for microsoft autodiscover, there appears to be no way to request secure password negotiation. so it will default to plain text auth. cram-md5 is less secure than scram-sha-*, but thunderbird does not yet support scram auth. it currently chooses "plain", sending the literal password over the connection (which is TLS-protected, but we don't want to receive clear text passwords). in short, cram-md5 is better than nothing... for cram-md5 to work, a new set of derived credentials need to be stored in the database. so you need to save your password again to make it work. this was also the case with the scram-sha-1 addition, but i forgot to mention it then.
2023-02-05 18:29:03 +03:00
func TestAuthenticateCRAMMD5(t *testing.T) {
tc := start(t)
tc.transactf("no", "authenticate bogus ")
tc.transactf("bad", "authenticate CRAM-MD5 not base64...")
tc.transactf("bad", "authenticate CRAM-MD5 %s", base64.StdEncoding.EncodeToString([]byte("baddata")))
tc.transactf("bad", "authenticate CRAM-MD5 %s", base64.StdEncoding.EncodeToString([]byte("bad data")))
auth := func(status string, username, password string) {
t.Helper()
tc.client.LastTag = "x001"
tc.writelinef("%s authenticate CRAM-MD5", tc.client.LastTag)
xreadContinuation := func() []byte {
line, _, result, rerr := tc.client.ReadContinuation()
tc.check(rerr, "read continuation")
if result.Status != "" {
tc.t.Fatalf("expected continuation")
}
buf, err := base64.StdEncoding.DecodeString(line)
tc.check(err, "parsing base64 from remote")
return buf
}
chal := xreadContinuation()
prevent unicode-confusion in password by applying PRECIS, and username/email address by applying unicode NFC normalization an é (e with accent) can also be written as e+\u0301. the first form is NFC, the second NFD. when logging in, we transform usernames (email addresses) to NFC. so both forms will be accepted. if a client is using NFD, they can log in too. for passwords, we apply the PRECIS "opaquestring", which (despite the name) transforms the value too: unicode spaces are replaced with ascii spaces. the string is also normalized to NFC. PRECIS may reject confusing passwords when you set a password.
2024-03-09 01:29:15 +03:00
pw, err := precis.OpaqueString.String(password)
if err == nil {
password = pw
}
support cram-md5 authentication for imap and smtp and change thunderbird autoconfiguration to use it. unfortunately, for microsoft autodiscover, there appears to be no way to request secure password negotiation. so it will default to plain text auth. cram-md5 is less secure than scram-sha-*, but thunderbird does not yet support scram auth. it currently chooses "plain", sending the literal password over the connection (which is TLS-protected, but we don't want to receive clear text passwords). in short, cram-md5 is better than nothing... for cram-md5 to work, a new set of derived credentials need to be stored in the database. so you need to save your password again to make it work. this was also the case with the scram-sha-1 addition, but i forgot to mention it then.
2023-02-05 18:29:03 +03:00
h := hmac.New(md5.New, []byte(password))
h.Write([]byte(chal))
resp := fmt.Sprintf("%s %x", username, h.Sum(nil))
tc.writelinef("%s", base64.StdEncoding.EncodeToString([]byte(resp)))
_, result, err := tc.client.Response()
tc.check(err, "read response")
if string(result.Status) != strings.ToUpper(status) {
tc.t.Fatalf("got status %q, expected %q", result.Status, strings.ToUpper(status))
}
}
auth("no", "mjl@mox.example", "badpass")
auth("no", "mjl@mox.example", "")
prevent unicode-confusion in password by applying PRECIS, and username/email address by applying unicode NFC normalization an é (e with accent) can also be written as e+\u0301. the first form is NFC, the second NFD. when logging in, we transform usernames (email addresses) to NFC. so both forms will be accepted. if a client is using NFD, they can log in too. for passwords, we apply the PRECIS "opaquestring", which (despite the name) transforms the value too: unicode spaces are replaced with ascii spaces. the string is also normalized to NFC. PRECIS may reject confusing passwords when you set a password.
2024-03-09 01:29:15 +03:00
auth("no", "other@mox.example", password0)
support cram-md5 authentication for imap and smtp and change thunderbird autoconfiguration to use it. unfortunately, for microsoft autodiscover, there appears to be no way to request secure password negotiation. so it will default to plain text auth. cram-md5 is less secure than scram-sha-*, but thunderbird does not yet support scram auth. it currently chooses "plain", sending the literal password over the connection (which is TLS-protected, but we don't want to receive clear text passwords). in short, cram-md5 is better than nothing... for cram-md5 to work, a new set of derived credentials need to be stored in the database. so you need to save your password again to make it work. this was also the case with the scram-sha-1 addition, but i forgot to mention it then.
2023-02-05 18:29:03 +03:00
prevent unicode-confusion in password by applying PRECIS, and username/email address by applying unicode NFC normalization an é (e with accent) can also be written as e+\u0301. the first form is NFC, the second NFD. when logging in, we transform usernames (email addresses) to NFC. so both forms will be accepted. if a client is using NFD, they can log in too. for passwords, we apply the PRECIS "opaquestring", which (despite the name) transforms the value too: unicode spaces are replaced with ascii spaces. the string is also normalized to NFC. PRECIS may reject confusing passwords when you set a password.
2024-03-09 01:29:15 +03:00
auth("ok", "mjl@mox.example", password0)
support cram-md5 authentication for imap and smtp and change thunderbird autoconfiguration to use it. unfortunately, for microsoft autodiscover, there appears to be no way to request secure password negotiation. so it will default to plain text auth. cram-md5 is less secure than scram-sha-*, but thunderbird does not yet support scram auth. it currently chooses "plain", sending the literal password over the connection (which is TLS-protected, but we don't want to receive clear text passwords). in short, cram-md5 is better than nothing... for cram-md5 to work, a new set of derived credentials need to be stored in the database. so you need to save your password again to make it work. this was also the case with the scram-sha-1 addition, but i forgot to mention it then.
2023-02-05 18:29:03 +03:00
tc.close()
prevent unicode-confusion in password by applying PRECIS, and username/email address by applying unicode NFC normalization an é (e with accent) can also be written as e+\u0301. the first form is NFC, the second NFD. when logging in, we transform usernames (email addresses) to NFC. so both forms will be accepted. if a client is using NFD, they can log in too. for passwords, we apply the PRECIS "opaquestring", which (despite the name) transforms the value too: unicode spaces are replaced with ascii spaces. the string is also normalized to NFC. PRECIS may reject confusing passwords when you set a password.
2024-03-09 01:29:15 +03:00
// NFD username, with PRECIS-cleaned password.
tc = start(t)
auth("ok", "mo\u0301x@mox.example", password1)
tc.close()
support cram-md5 authentication for imap and smtp and change thunderbird autoconfiguration to use it. unfortunately, for microsoft autodiscover, there appears to be no way to request secure password negotiation. so it will default to plain text auth. cram-md5 is less secure than scram-sha-*, but thunderbird does not yet support scram auth. it currently chooses "plain", sending the literal password over the connection (which is TLS-protected, but we don't want to receive clear text passwords). in short, cram-md5 is better than nothing... for cram-md5 to work, a new set of derived credentials need to be stored in the database. so you need to save your password again to make it work. this was also the case with the scram-sha-1 addition, but i forgot to mention it then.
2023-02-05 18:29:03 +03:00
}
Reference in a new issue Copy permalink