Encrypted Transmission - Canon Color Universal Send Kit-Q1 Service Manual


Chapter 2
PLAIN
Authentication method in which the user name and password are transmitted as plaintext (only BASE64-encoded) inside an encrypted packet (RFC2595). Combined with the "Encrypted transmission" described later, the authentication is protected.
LOGIN
The user name and password are transmitted as plaintext (only BASE64-encoded). The actual way the information is exchanged is the same as for PLAIN. Combined with the "Encrypted transmission" described later, the authentication is protected.
Note:
When SSL is not in use, PLAIN and LOGIN authentication is not encrypted, so it is no different from plaintext USER/PASS authentication. Using POP AUTH in that case is therefore pointless, and because it gives the misleading impression that the credentials are encrypted, operating with POP AUTH without SSL is prohibited.
<POP AUTH reception operations>
Even when POP AUTH is set to be used for receiving, reception with POP AUTH is impossible if the mail server does not support POP AUTH, or if the authentication methods supported by the server and by the device differ. In this case, "POP AUTH Encryption Error" is displayed on the status line.
<Authentication protocol example>
An example of the transmission protocol when using POP AUTH is shown below.
In its response to the client's CAPA command, the server announces that it supports SASL and lists the usable authentication algorithms; if several algorithms are available, several algorithm names are listed. The client selects one of the algorithms the server announced and informs the server of its choice. The server then sends challenge data, and the client authenticates by returning this data together with the authentication data derived from the user name and password. Whether a given authentication algorithm may be used is generally decided on the server side: if an algorithm is considered unsuitable for security reasons, it can be prohibited in the server settings. (The security policy is determined by the server.)
Server: +OK POP3 v2001.78 server ready <4a61.3e55cd70@test.canon.co.jp>
Client(iR): CAPA
S: +OK Capability list follows:
S: TOP
S: LOGIN-DELAY 180
S: UIDL
S: STLS
S: USER
S: SASL CRAM-MD5 LOGIN
S: .
C: AUTH CRAM-MD5
S: + PDE5MDQ0LjEwNDU4MTEyMThAYmFiYS5jY20uY2Fub24uY28uanA+
C: ZnJlZCA5ZTk1YWVlMDljNDBhZjJiODRhMGMyYjNiYmFlNzg2ZQ==
S: +OK Authentication successful....
...
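The CRAM-MD5 exchange above, worked through in Python as an added example (not code from the manual or from Canon): it decodes the transcript's base64 lines, computes a client response per RFC 2195 (HMAC-MD5 of the challenge keyed with the password), verifies it on the server side, and decodes a SASL PLAIN line to show why the note above treats PLAIN/LOGIN without SSL as plaintext. The password "s3cret" and host "pop.example.test" are constructed values; the transcript's password is not on the page.

```python
import base64
import hashlib
import hmac
import secrets

# From the manual's transcript: the server challenge and the client's reply.
SERVER_CHALLENGE_B64 = "PDE5MDQ0LjEwNDU4MTEyMThAYmFiYS5jY20uY2Fub24uY28uanA+"
CLIENT_RESPONSE_B64 = "ZnJlZCA5ZTk1YWVlMDljNDBhZjJiODRhMGMyYjNiYmFlNzg2ZQ=="


def decode_b64(s: str) -> str:
    """SASL lines are base64 text; decoding shows the structure, not a secret."""
    return base64.b64decode(s).decode("ascii")


def cram_md5_response(username: str, password: str, challenge_b64: str) -> str:
    """Client side (RFC 2195): base64('<user> ' + hex(HMAC-MD5(password, challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode("ascii")


def cram_md5_verify(response_b64: str, challenge_b64: str, stored: dict) -> bool:
    """Server side: recompute the digest from the stored password and compare in
    constant time. The server must hold the password itself, which is why servers
    that keep only salted hashes usually disable CRAM-MD5."""
    try:
        username, digest = decode_b64(response_b64).split(" ", 1)
    except ValueError:
        return False
    password = stored.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), base64.b64decode(challenge_b64),
                        hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def new_challenge(host: str) -> str:
    """Fresh '<unique@host>' challenge (constructed host); a reused challenge
    would let a captured response be replayed."""
    return base64.b64encode(f"<{secrets.randbits(64)}@{host}>".encode()).decode("ascii")


def plain_credentials(b64: str) -> tuple:
    """SASL PLAIN is authzid NUL authcid NUL password, base64-encoded: without
    TLS anyone who sees the line recovers the password."""
    _authzid, authcid, password = base64.b64decode(b64).split(b"\x00")
    return authcid.decode(), password.decode()
```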
<Selection of the authentication algorithm>
When the SMTP server offers multiple authentication mechanisms, the authentication method is chosen in the following priority order.
1) CRAM-MD5 (Not supported)
2) NTLM
3) PLAIN when STLS (SSL) is in operation
4) LOGIN when STLS (SSL) is in operation
From Service mode, the use of each authentication method can be prohibited individually: setting the corresponding Service mode setting to "1" prohibits that method. (All defaults: usable)
Normally the device is used with the default settings, but if the server administrator prohibits a specific authentication method, the setting can be changed in Service mode.
<POP AUTH-related Additional Settings>
The actual POP AUTH-related setting is selected under System Settings > Network Settings > E-mail/I-Fax > Authent./Encryption > POP AUTH; then enter the required user name and password as the POP address and POP password. When "SSL Allow (POP)" (the encrypted-communication setting) is enabled, encrypted authentication via the STLS command can be used for PLAIN and LOGIN authentication.

2.1.3 Encrypted transmission

Transmission packet encryption (SSL)
When Additional Functions > System Settings > Network Settings > E-Mail/I-Fax > Authnt./Encryption > Allow SSL (SMTP Send) is set to ON and the mail server supports the SMTP STARTTLS command, SSL (TLS) is used to encrypt the transmission packets. Not only the user name and password but all of the mail transmission data are encrypted, so transmission is slower.
If "Allow SSL (SMTP Send)" is set to OFF, or the mail server does not support the SMTP STARTTLS command, the transmission packets are not encrypted.
<STARTTLS command>
STARTTLS is an SMTP command that tells the server that encrypted transmission (SSL/TLS) is about to start. The command is standardized in RFC2487. An example of the protocol flow during STARTTLS follows.
The server's response to the client's EHLO declares that STARTTLS is supported. When the client issues the STARTTLS command, TLS negotiation begins; the session is then restarted from the beginning (a new EHLO) and the packet data are encrypted.
S: 220 mail.imc.org SMTP service ready
C: EHLO mail.example.com
S: 250-mail.imc.org offers a warm hug of welcome
S: 250-8BITMIME
S: 250-STARTTLS : <- Shows that the server supports STARTTLS.
S: 250 DSN
C: STARTTLS : <- Declares to server that SSL/TLS are to be performed.
S: 220 Go ahead
-- All subsequent transmission packets will be encrypted.
C: <starts TLS negotiation>
C&S: <negotiate a TLS session>
C&S: <check result of negotiation>
C: EHLO mail.example.com
S: 250-mail.imc.org touches your hand gently for a moment
S: 250-8BITMIME
S: 250 DSN
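The capability check behind the flow above, as an added example (not code from the manual or from Canon): it parses a multi-line EHLO reply like the one in the transcript and applies the manual's rule that the packets are encrypted only when "Allow SSL (SMTP Send)" is ON and the server advertises STARTTLS, otherwise the session silently stays plaintext. The `require_tls` flag is a hypothetical hardening option added here to make that fallback visible; it is not a device setting on the page.

```python
# Constructed reply lines as the client reads them after sending EHLO; the text
# mirrors the manual's transcript (annotations removed).
EHLO_REPLY_WITH_STARTTLS = [
    "250-mail.imc.org offers a warm hug of welcome",
    "250-8BITMIME",
    "250-STARTTLS",
    "250 DSN",
]
EHLO_REPLY_WITHOUT_STARTTLS = [
    "250-mail.imc.org offers a warm hug of welcome",
    "250-8BITMIME",
    "250 DSN",
]


def parse_ehlo(lines) -> dict:
    """Parse a multi-line EHLO reply into {EXTENSION: parameters}.
    '250-' marks a continuation line and '250 ' the final line; the first line
    is the server greeting, not an extension keyword."""
    if not lines or not lines[0].startswith("250"):
        raise ValueError("EHLO was not accepted")
    extensions = {}
    for i, line in enumerate(lines):
        code, sep, text = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " "):
            raise ValueError(f"malformed reply line: {line!r}")
        if i > 0:
            keyword, _, params = text.partition(" ")
            extensions[keyword.upper()] = params
        if sep == " ":
            break  # final line of the reply
    else:
        raise ValueError("EHLO reply was not terminated")
    return extensions


def next_step(allow_ssl_smtp_send: bool, ehlo_lines, require_tls: bool = False) -> str:
    """Manual's rule: send STARTTLS only when the setting is ON and the server
    offers it; otherwise the mail goes out unencrypted. require_tls (hypothetical)
    turns that silent downgrade into an error a log or operator can see."""
    if allow_ssl_smtp_send and "STARTTLS" in parse_ehlo(ehlo_lines):
        return "STARTTLS"
    if require_tls:
        raise RuntimeError("server does not offer STARTTLS; refusing plaintext send")
    return "PLAINTEXT"
```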
<User error>
Related new user errors are #841 and #842. For details, refer to the section on Troubleshooting.
2-4
0020-7898
