0

In Indy there are various authentication mechanisms SMTP can use. I have 3-part question:

a) Can I use satSASL all the time instead of satDefault or is there a case where satDefault is better?

b) And what is the best order of SASL mechanisms from most secure to least secure. My order so far is:

  • IdSASL_CRAMSHA1
  • IdSASL_CRAMMD5
  • IdSASL_Digest
  • IdSASL_Login
  • IdSASL_Plain
  • IdSASL_OTP
  • IdSASL_SKey
  • IdSASL_External
  • IdSASL_Anonymous

c) I plan to use the above list for POP3, SMTP, NNTP and IMAP. Have I missed a SASL mechanism in it and is there a case where the above order may not be good for the 4 mentioned protocols.

Thank you in advance.

Coder12345
  • 3,431
  • 3
  • 33
  • 73

1 Answers1

3

satDefault uses the AUTH LOGIN command, which is the same command that TIdSASLLogin uses. So yes, you can (and should) use satSASL all the time, especially since most (not all) servers do not support AUTH LOGIN anymore and/or support more secure SASLs.

You are missing TIdSASL_NTLM. Not surprising, since that component is not registered by default as it has not been finalized yet, but it has been around for a while.

As for the order, the CRAMs should definitely be at the top of the list, but Login and Plain should be moved to the very bottom. As for the rest, have a look at this old newsgroup post for suggestions.

Remy Lebeau
  • 555,201
  • 31
  • 458
  • 770
  • Thanks for the reply. Is it a bug or a feature that last added feature is tried first? e.g. in above case Anonymous would be tried first if it was added last (in source, the for loop goes down to). – Coder12345 Dec 26 '13 at 20:02
  • 1
    It might be a bug, I will have to review it. – Remy Lebeau Dec 27 '13 at 20:01