net/smtp: deprecate CRAMMD5Auth #61952
Comments
seankhliao
changed the title
seankhliao
changed the title
|
We cannot remove it as that would be a break in backwards compatibility |
mknyszek
added
the
NeedsInvestigation
|
Hello, I have a WIP patch to add SCRAM-SHA-256 support. I tested it against Postfix with SMTP AUTH through Dovecot SASL. The SCRAM algorithm requires So we need the following dependencies:
are they acceptable for |
|
@drakkan: Nice :) It is possible to support SCRAM-SHA-1/SCRAM-SHA-1-PLUS, SCRAM-SHA-256/SCRAM-SHA-256-PLUS, SCRAM-SHA-512/SCRAM-SHA-512-PLUS, SCRAM-SHA3-512/SCRAM-SHA3-512-PLUS? For examples (more at the next link):
All details here: |
I haven't looked at channel binding for the PLUS variants yet. The other variants can be added easily but I'm a little worried about SHA-1, nowadays it's not considered secure anymore. Before completing this work and submitting a CL, I would like to get feedback on the
|
|
@drakkan: Thanks for your reply! For example, SCRAM-SHA-1 and SCRAM-SHA-1-PLUS are used by default since a very long time by XMPP, you can see here:
To have a real compatibility with all products, it is needed to support SCRAM-SHA-*(-PLUS) included SHA-1. Some products which support SCRAM-SHA-*(-PLUS) and SCRAM-SHA3-512(-PLUS): About Channel Bindings -> RFC 9266: Channel Bindings for TLS 1.3: Little details, to know easily:
|
Dear @golang team,
Can you remove old unsecure CRAM-MD5 from the code?
It is unsecure:
Time to add SCRAM-SHA-*(-PLUS) supports.
Latest IMAP RFC speaks about:
Thanks in advance.
The text was updated successfully, but these errors were encountered: