SASL support in Archiveopteryx

The Simple Authentication and Security Layer (SASL) provides a common framework for authentication in protocols like IMAP and SMTP. RFC 4422 defines the basic framework, and separate RFCs define authentication mechanisms within this framework.

Archiveopteryx implements the following SASL authentication mechanisms:

PLAIN (RFC 2595) is like the classic login method: The client sends login and password as cleartext, and the server checks them.

ANONYMOUS (RFC 2245) provides anonymous logins, if desirable. This is disabled by default.

CRAM-MD5 (RFC 2195) is a widely supported challenge/response method.

DIGEST-MD5 (RFC 2831) is another challenge/response method, similar to CRAM-MD5 but better in some ways. Regrettably it has serious problems and we're phasing out support for it.

LOGIN is broadly similar to PLAIN, except that it's slower and not standard.

Support for individual mechanisms can be configured in archiveopteryx.conf using the variables auth-plain, auth-anonymous, auth-cram-md5, auth-digest-md5 and auth-login.

Archiveopteryx also supports disabling plaintext passwords and disabling plaintext email access; if you use either of these features, PLAIN+TLS is accepted but plain old PLAIN is not.
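
To illustrate why plain PLAIN is refused when plaintext passwords are disabled while a challenge/response mechanism is not affected in the same way, here is an added example (not Archiveopteryx code) that decodes a PLAIN message and runs both sides of a CRAM-MD5 exchange as specified in RFC 2195. The function names, the user store and the credentials are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed sample credentials, not taken from any real system.
SAMPLE_PLAIN = base64.b64encode(b"\0alice\0correct horse")

def decode_plain(message_b64):
    """PLAIN carries authzid NUL authcid NUL password, merely base64-encoded."""
    authzid, authcid, password = base64.b64decode(message_b64).split(b"\0")
    return authzid.decode(), authcid.decode(), password.decode()

def new_challenge(hostname):
    """Server: a fresh, unpredictable challenge for every authentication attempt."""
    return f"<{secrets.randbits(64)}.{int(time.time())}@{hostname}>".encode()

def cram_md5_response(user, password, challenge):
    """Client: user name, a space, and the hex HMAC-MD5 of the challenge."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())

def verify_cram_md5(response_b64, challenge, lookup_password):
    """Server: recompute the digest from the stored password; return the user or None.

    The server needs the password itself (or an equivalent secret) to do this.
    """
    try:
        decoded = base64.b64decode(response_b64, validate=True)
        user_raw, _, digest = decoded.rpartition(b" ")
        password = lookup_password(user_raw.decode())
    except ValueError:  # malformed base64 or non-UTF-8 user name
        return None
    if password is None:
        return None
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return user_raw.decode() if hmac.compare_digest(expected.encode(), digest.lower()) else None

if __name__ == "__main__":
    users = {"alice": "correct horse"}  # hypothetical password store
    print("PLAIN on the wire decodes to:", decode_plain(SAMPLE_PLAIN))
    challenge = new_challenge("mail.example.org")
    response = cram_md5_response("alice", "correct horse", challenge)
    print("CRAM-MD5 on the wire decodes to:", base64.b64decode(response))
    print("verified as:", verify_cram_md5(response, challenge, users.get))
    # The same response replayed against a new challenge is rejected.
    print("replayed:", verify_cram_md5(response, new_challenge("mail.example.org"), users.get))
```

The PLAIN message yields the password to anyone who can read the connection, which is why it is only acceptable inside TLS; the CRAM-MD5 response contains only a digest bound to one challenge.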

In case of questions, please write to info@aox.org.

About this page

Last modified: 2011-04-06
Location: aox.org/sasl/