tags:

views:

1506

answers:

5

I need to send email through an (external) SMTP server from Java however this server will only accept CRAM-MD5 authentication, which is not supported by JavaMail.

What would be a good way to get these emails to send? (It must be in Java.)

+1  A: 

This doesn't help you directly, however, IMAP connections in JavaMail do support SASL (and thus CRAM-MD5, see the Java SASL documentation) if you set the mail.imap.sasl.enable boolean property to true.

Unfortunately, there is no mail.smtp.sasl.enable property, and SASL cannot be enabled for SMTP in JavaMail. :-(

However, you can download the JavaMail source code, and you can try to edit the SMTP code to support SASL in a similar manner to the IMAP code. Good luck!

Chris Jester-Young
+2  A: 

This probably won't help you but CRAM-MD5 and CRAM-SHA1 are fairly easy to implement assuming you have the correct library (md5/sha1) and, idealy, a base64 encoding library (though the base64 stuff is fairly easy to implement yourself in a pinch).

The transaction looks like this:

C: AUTH CRAM-MD5
S: 334 BASE64(NONCE)
C: BASE64(USERNAME, " ", MD5((SECRET XOR opad),MD5((SECRET XOR ipad), NONCE)))
S: 235 Authentication succeeded

Where NONCE is the once time challenge string, USERNAME is the username you are tryng to authenticate, SECRET is the shared secret ("password"), opad is 0x5C, and ipad is 0x36.

(CRAM-SHA1 would be the same transaction, but using SHA1() instead of MD5() to do the digesting)

So, here's an example of a real CRAM-MD5 transaction

C: AUTH CRAM-MD5
S: 334 PDQ1MDMuMTIyMzU1Nzg2MkBtYWlsMDEuZXhhbXBsZS5jb20+
C: dXNlckBleGFtcGxlLmNvbSA4YjdjODA5YzQ0NTNjZTVhYTA5N2VhNWM4OTlmNGY4Nw==
S: 235 Authentication succeeded

Backing up the process a step you get:

S: 334 BASE64("<[email protected]>")
C: BASE64("[email protected] 8b7c809c4453ce5aa097ea5c899f4f87")

Backing up one step further to before the digest is calculated, you get:

S: 334 BASE64("<[email protected]>")
C: BASE64("[email protected] ", MD5(("password" XOR opad),MD5(("password" XOR ipad), "<[email protected]>")))

I guess that's kind of confusing now that I write it out, but trust me, compared to trying to do NTLM/SPA by hand, it's a breeze. If you're motivated, it's actually pretty easy to implement. Or maybe I've just spent way to long with my hands in the guts of mail clients and servers to think about it clearly anymore...

jj33
You don't want to do that. Java has SASL support built in, and it's much, much better to use Java's built-in implementation than to hand-code one. The trick is to make JavaMail support SASL for SMTP, not CRAM-MD5 as such.
Chris Jester-Young
"This probably won't help you..." This question just made me remember all my own work struggling with AUTH protocols (which I implemented from hand because I was building a tool to verify third party tools). I agree that it's generally a bad idea to reimplement if alternative is available.
jj33
*nods* Fair enough, yes, I can imagine how much of a pain it would be to implement these by hand. Mwahahaha about SPA/NTLM, that's one I've had to battle with too (thanks to people using clients that only do SPA and not CRAM-*).
Chris Jester-Young
+1  A: 

Very Simple CRAMMD5 program in JAVA


import java.security.*;

class CRAMMD5Test
{
public static void main(String[] args) throws Exception
{
 // This represents the BASE64 encoded timestamp sent by the POP server
 String dataString = Base64Decoder.decode("PDAwMDAuMDAwMDAwMDAwMEBteDEuc2VydmVyLmNvbT4=");
 byte[] data = dataString.getBytes();

 // The password to access the account
 byte[] key  = new String("password").getBytes();

 // The address of the e-mail account
 String user = "[email protected]";

    MessageDigest md5 = MessageDigest.getInstance("MD5");
     md5.reset();

 if (key.length > 64)
  key = md5.digest(key);

 byte[] k_ipad = new byte[64];
 byte[] k_opad = new byte[64];

 System.arraycopy(key, 0, k_ipad, 0, key.length);
 System.arraycopy(key, 0, k_opad, 0, key.length);

 for (int i=0; i<64; i++)
 {
  k_ipad[i] ^= 0x36;
  k_opad[i] ^= 0x5c;
 }

 byte[] i_temp = new byte[k_ipad.length + data.length];

 System.arraycopy(k_ipad, 0, i_temp, 0, k_ipad.length);
 System.arraycopy(data, 0, i_temp, k_ipad.length, data.length);

 i_temp = md5.digest(i_temp);

 byte[] o_temp = new byte[k_opad.length + i_temp.length];

 System.arraycopy(k_opad, 0, o_temp, 0, k_opad.length);
 System.arraycopy(i_temp, 0, o_temp, k_opad.length, i_temp.length);

        byte[] result = md5.digest(o_temp);
        StringBuffer hexString = new StringBuffer();

        for (int i=0;i < result.length; i++) {
                hexString.append(Integer.toHexString((result[i] >>> 4) & 0x0F));
                hexString.append(Integer.toHexString(0x0F & result[i]));
             }


        System.out.println(Base64Encoder.encode(user + " " + hexString.toString()));
    }
}
A: 

I tried the code on the example of a real CRAM-MD5 transaction, and also on the example given into the RFC 2195.

It does not work because the conversion to an hexadecimal string is not correct. For exmaple, with this code, you will obtain "b913a62c7eda7a495b4e6e7334d3890" instead of "b913a602c7eda7a495b4e6e7334d3890" and the sent authentication string will not be correct.

If you download the source code of javaMail, you will see the implementation of the function toHex into the unit "DigestMD5". Using this conversion, it will work.

A: 

Change:

for (int i=0; i<result.length; i++)
  hexString.append(Integer.toHexString(0xFF & result[i]));

To:

for (int i=0;i < result.length; i++) {
  hexString.append(Integer.toHexString((result[i] >>> 4) & 0x0F));
  hexString.append(Integer.toHexString(0x0F & result[i]));
}