The Simple Authentication and Security Layer (SASL) is a generic
mechanism that enables application protocols, such as SMTP and IMAP, to accomplish authentication. Sendmail 8.13.3 uses
Cyrus SASL, an implementation of the SASL protocol, to accomplish
authentication.
Applications such as Sendmail use the SASL framework to accomplish
the SASL protocol exchange. The specific SASL mechanisms govern the
exact protocol exchange. If a framework contains n protocols and m different ways of authenticating,
SASL keeps the framework simple so that you need to write
only n plus m different specifications (one per protocol and one per mechanism),
instead of n times m different
specifications (one per protocol and mechanism pair). With the Cyrus SASL library, you need to write each
authentication mechanism only once, because it then works with all the
servers that use the library.
The way SASL works is governed by the mechanism that the client
and server select and by the exact implementation of that mechanism.
A client application interacts with the SASL library (also known
as the SASL glue layer) as follows:

1. The client application makes a few calls to initialize
   the SASL library.
2. Each time the client application makes a new connection,
   it creates a new context that is stored for the lifetime of that connection.
3. The client application requests the list of supported mechanisms
   from the server.
4. The client application feeds this list to the SASL
   library.
5. The client application starts the authentication with
   the mechanism selected by the SASL library.
6. The server returns some bytes, which are provided
   to the SASL library.
7. The SASL library returns some bytes to the client
   application.
8. The client application transmits these bytes over
   the network.
9. The client application repeats steps 7 – 9 until
   the server informs the application that the authentication is successful.
An application in the server interacts with the SASL library
as follows:

1. The server makes a few calls to initialize the SASL
   library.
2. When the server establishes a new connection, the
   server immediately makes a new context for that connection.
3. The client requests the list of mechanisms the server
   supports and specifies the mechanism it wants to use. The client also
   requests to start the authentication process after settling on an
   authentication mechanism.
4. The server negotiates this authentication and retains
   the authentication information for subsequent encoding and decoding
   operations.
RFC 2554 (SMTP Service Extension for Authentication) specifies that the AUTH command indicates an
authentication mechanism to the server. If the server supports the
requested authentication mechanism, it performs an authentication
protocol exchange to authenticate and identify the user. Optionally,
it also negotiates a security layer for subsequent protocol interactions.
If the requested authentication mechanism is not supported, the server
rejects the AUTH command with a 504 reply.
Versions of Sendmail starting with 8.10 support the SMTP AUTH command, as defined in RFC 2554.
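The following is an added example, not code from the Sendmail or Cyrus SASL documentation, that simulates in one process both sides of the exchange described above: the server advertises its mechanisms in the EHLO reply, the client-side library picks one, the two sides trade base64 challenge/response lines until the server stops answering 334, and an unsupported mechanism is refused with the 504 reply RFC 2554 requires. The class and function names, the hostname, and the single user record are constructed for the example; the CRAM-MD5 and PLAIN encodings follow RFC 2195 and RFC 2595 respectively.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample credential store (hypothetical); a real server consults
# sasldb, PAM or similar instead of an in-memory dictionary.
USERS = {"alice": "correct horse battery staple"}


class SaslServer:
    """Server side: advertises mechanisms and keeps one context per connection."""

    MECHANISMS = ("CRAM-MD5", "PLAIN")

    def __init__(self, hostname="mail.example.test"):
        self.hostname = hostname
        self.user = None        # identity established once authentication succeeds
        self.mech = None        # mechanism chosen for this connection
        self.challenge = None   # outstanding CRAM-MD5 challenge, if any

    def ehlo(self):
        # The EHLO reply carries the mechanism list the client feeds to its library.
        return "250-%s\r\n250 AUTH %s" % (self.hostname, " ".join(self.MECHANISMS))

    def auth(self, mechanism):
        if mechanism not in self.MECHANISMS:
            return "504 5.5.4 Unrecognized authentication type"
        self.mech = mechanism
        if mechanism == "CRAM-MD5":
            # Fresh per-connection challenge of the form <random.counter@host>
            self.challenge = ("<%s.1@%s>" % (secrets.token_hex(8), self.hostname)).encode()
            return "334 " + base64.b64encode(self.challenge).decode()
        return "334 "   # PLAIN: empty challenge; the client sends its one response next

    def respond(self, line):
        try:
            data = base64.b64decode(line, validate=True)
        except ValueError:
            return "501 5.5.2 Cannot decode response"
        if self.mech == "CRAM-MD5":
            # Response is "username hex(HMAC-MD5(password, challenge))"
            user, _, digest = data.decode(errors="replace").partition(" ")
            pw = USERS.get(user)
            expected = hmac.new(pw.encode(), self.challenge, hashlib.md5).hexdigest() if pw else ""
            ok = pw is not None and hmac.compare_digest(expected, digest)
        else:
            # PLAIN response is authzid NUL authcid NUL password
            parts = data.split(b"\x00")
            user = parts[1].decode(errors="replace") if len(parts) == 3 else None
            ok = user is not None and hmac.compare_digest(USERS.get(user, "").encode(), parts[2])
        self.mech = self.challenge = None   # the per-exchange state is consumed either way
        if ok:
            self.user = user
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Authentication credentials invalid"


class SaslClient:
    """Client side: selects a mechanism and turns server bytes into reply bytes."""

    PREFERENCE = ("CRAM-MD5", "PLAIN")   # strongest offered mechanism wins

    def __init__(self, username, password):
        self.username, self.password = username, password

    def choose(self, ehlo_reply):
        offered = set()
        for ln in ehlo_reply.split("\r\n"):
            if ln[4:].startswith("AUTH "):
                offered.update(ln[9:].split())
        return next((m for m in self.PREFERENCE if m in offered), None)

    def step(self, mechanism, server_bytes):
        if mechanism == "CRAM-MD5":
            digest = hmac.new(self.password.encode(), server_bytes, hashlib.md5).hexdigest()
            return ("%s %s" % (self.username, digest)).encode()
        return b"\x00" + self.username.encode() + b"\x00" + self.password.encode()


def authenticate(client, server, mechanism=None):
    """Run the SMTP AUTH dialogue in-process; returns (final reply code, transcript)."""
    transcript = []
    ehlo = server.ehlo()
    transcript.append("S: " + ehlo.replace("\r\n", " | "))
    mechanism = mechanism or client.choose(ehlo)
    if mechanism is None:
        return None, transcript          # nothing acceptable was offered
    transcript.append("C: AUTH " + mechanism)
    reply = server.auth(mechanism)
    transcript.append("S: " + reply)
    # Challenge/response loop: each 334 line is handed to the client library,
    # whose output goes back on the wire, until the server answers 235 or an error.
    while reply.startswith("334"):
        challenge = base64.b64decode(reply[4:]) if len(reply) > 4 else b""
        line = base64.b64encode(client.step(mechanism, challenge)).decode()
        transcript.append("C: " + line)
        reply = server.respond(line)
        transcript.append("S: " + reply)
    return reply[:3], transcript


if __name__ == "__main__":
    code, lines = authenticate(SaslClient("alice", USERS["alice"]), SaslServer())
    print("\n".join(lines), "\nresult:", code)
```

The loop in `authenticate` is the part a server operator should recognise when reading Sendmail's AUTH logging: a 504 means the mechanism was never offered, a 535 means the exchange ran and the credentials failed, and 235 is the only outcome that establishes an identity on the connection. Note that CRAM-MD5 keeps the password off the wire but obliges the server to store it in recoverable form, whereas PLAIN sends it in the clear and belongs only under the security layer the text mentions.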