SCRAM


SCRAM

- Neustradamus -
Hello Postfix team,

Can you add support?

"When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".

Can you add support for?
- SCRAM-SHA-1(-PLUS):
-- https://tools.ietf.org/html/rfc5802
-- https://tools.ietf.org/html/rfc6120

- SCRAM-SHA-256(-PLUS):
-- https://tools.ietf.org/html/rfc7677 since 2015-11-02
-- https://tools.ietf.org/html/rfc8600 since 2019-06-21: https://mailarchive.ietf.org/arch/msg/ietf-announce/suJMmeMhuAOmGn_PJYgX5Vm8lNA

I add SCRAM-SHA-512(-PLUS): https://xmpp.org/extensions/inbox/hash-recommendations.html

RFC6331: Moving DIGEST-MD5 to Historic: https://tools.ietf.org/html/rfc6331

Linked to:
- https://github.com/scram-xmpp/info/issues/1

Thanks in advance.

Regards,

Neustradamus

Re: SCRAM

Viktor Dukhovni


> On Sep 7, 2019, at 12:11 PM, - Neustradamus - <[hidden email]> wrote:
>
> "When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".

Postfix does not implement any SASL mechanisms, SASL support
is provided by the SASL library (Cyrus SASL or Dovecot SASL).

If you want changes in mechanism selection, post to the relevant
SASL library forum.

--
        Viktor.


RE: SCRAM

- Neustradamus -
Viktor, thanks for your reply!

Perfect, it is in Cyrus SASL :)


Can you announce the support, update docs?

Normally, it is in progress for Dovecot.

Thanks in advance.

Regards,

Neustradamus




Re: SCRAM

Viktor Dukhovni
> On Sep 7, 2019, at 3:13 PM, - Neustradamus - <[hidden email]> wrote:
>
> Perfect, it is in Cyrus SASL :)
>
>   https://github.com/cyrusimap/cyrus-sasl/commits/master
>
> Can you announce the support, update docs?

There's nothing to announce, and no documentation to update.

Postfix supports the SASL mechanisms provided by the SASL
library.  We don't document the mechanism list, that's up
to the SASL library, and don't announce changes to the list
for the same reason.

--
        Viktor.


RE: SCRAM

- Neustradamus -

-> Promotion of old SASL.

And there is:

July 2011: RFC6331: Moving DIGEST-MD5 to Historic:
- https://tools.ietf.org/html/rfc6331





Re: SCRAM

Viktor Dukhovni
On Sat, Sep 07, 2019 at 07:59:34PM +0000, - Neustradamus - wrote:

> It is old: http://www.postfix.org/SASL_README.html
>
> -> Promotion of old SASL.
>
> And there is:
>
> July 2011: RFC6331: Moving DIGEST-MD5 to Historic:
> - https://tools.ietf.org/html/rfc6331

If there is specific documentation text you'd like to change, patches
are welcome.  Unless there's something Postfix-specific about using
a particular SASL mechanism, the Postfix SASL documentation should
strive to be mechanism-agnostic.

So, for example, the text:

        These three plugins support shared-secret mechanisms i.e.
        CRAM-MD5, DIGEST-MD5 and NTLM.

could be changed to read:

        These three plugins support shared-secret mechanisms (e.g.,
        CRAM-MD5, DIGEST-MD5, ...).

--
        Viktor.

RE: SCRAM

- Neustradamus -
For better security, look at RFC6331: Moving DIGEST-MD5 to Historic: https://tools.ietf.org/html/rfc6331.

It is about DIGEST-MD5 (and CRAM-MD5 at the same time).

You must inform people that SCRAM-SHA-XXX(-PLUS) is here!

Regards,

Neustradamus



Re: SCRAM

Matthias Andree
On 08.09.19 at 07:29, - Neustradamus - wrote:
> For better security, look at RFC6331: Moving DIGEST-MD5 to Historic: https://tools.ietf.org/html/rfc6331.
>
> It is about DIGEST-MD5 (and CRAM-MD5 at the same time).
>
> You must inform people that SCRAM-SHA-XXX(-PLUS) is here!
>
> Regards,
>
> Neustradamus


Dear Neustradamus,


You've made your point, now please leave the lobby.


Postfix isn't supposed to pamper up the world for what certain combinations of circumstance could do wrong.


Your pulling out of detail decisions leaves the entire system setup out of the picture, and quite a few of those digest algorithms require storing UNSALTED UNENCRYPTED passwords server-side, whereas cleartext over trusted TLS channels can get away with salted PW hashes that are far harder to break in case of a server-side security breach.


It has repeatedly been explained to you that Postfix pulls in SASL providers by reference, so their lobby is where you should linger.


Now please get back to Postfix-related topics that don't assume you can run MTAs without mapping the field first, or stop mailing to the list.


Regards
Matthias

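To make the server-side storage point concrete, here is an added example (not code from this thread, from Postfix or from any SASL library) contrasting what a SCRAM-SHA-256 verifier stores and checks (the RFC 5802/7677 key derivation) with CRAM-MD5, whose verifier needs the reusable secret; the salt, iteration count and AuthMessage are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values: in a real exchange the salt comes from the
# server and AuthMessage is built from the client-first, server-first and
# client-final (without proof) messages of the SCRAM handshake.
SALT = b"constructed-16-byte-salt"
ITERATIONS = 4096  # RFC 5802 recommends at least 4096 iterations
AUTH_MESSAGE = b"n=user,r=cnonce,r=cnoncesnonce,s=c2FsdA==,i=4096,c=biws,r=cnoncesnonce"

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def scram_sha256_credentials(password, salt=SALT, iterations=ITERATIONS):
    """What a SCRAM-SHA-256 server stores (RFC 7677): salt, iteration count,
    StoredKey and ServerKey. The password itself is not kept."""
    salted = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)  # Hi()
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return {"salt": salt, "i": iterations,
            "stored_key": hashlib.sha256(client_key).digest(),
            "server_key": server_key}

def scram_client_proof(password, salt, iterations, auth_message):
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    return _xor(client_key, hmac.new(stored_key, auth_message, hashlib.sha256).digest())

def scram_server_verify(creds, auth_message, client_proof):
    """Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey,
    using only the stored salted material; the password never has to be present."""
    client_sig = hmac.new(creds["stored_key"], auth_message, hashlib.sha256).digest()
    recovered = _xor(client_proof, client_sig)
    return hmac.compare_digest(hashlib.sha256(recovered).digest(), creds["stored_key"])

def cram_md5_response(password, challenge):
    """CRAM-MD5 (RFC 2195): response = HMAC-MD5(password, challenge)."""
    return hmac.new(password, challenge, hashlib.md5).hexdigest()

def cram_md5_server_verify(stored_password, challenge, response_hex):
    """The CRAM-MD5 verifier must hold the reusable secret (the password or an
    equivalent unsalted MD5 state) to recompute the response: no salt, no stretching."""
    return hmac.compare_digest(cram_md5_response(stored_password, challenge), response_hex)
```

A breach of the SCRAM credential store yields only salted, stretched StoredKey/ServerKey values bound to one service, while a breach of a CRAM-MD5 or DIGEST-MD5 store yields material that is directly reusable to authenticate.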

THREAD CLOSED (was: Re: SCRAM)

Viktor Dukhovni
On Sun, Sep 08, 2019 at 12:25:27PM +0200, Matthias Andree wrote:

> You've made your point, now please leave the lobby.

My take was that just ignoring the redundant repetition would
probably suffice.  Your forceful pushback was perhaps premature,
but so be it.

In any case, THREAD CLOSED.  Let's move on.

--
        Viktor.