Security Drivers for Email Authentication

Uniface provides security drivers for several SASL (Simple Authentication and Security Layer) mechanisms for SMTP and POP authentication. These can be used by the Uniface UPOPMAIL component to set a security context when sending and receiving mail.

The SMTP and POP protocols support an AUTH command, which must be followed by a keyword that specifies an SASL mechanism. There are currently over 20 SASL mechanisms registered for use. Uniface provides implementations for only a few of these mechanisms by means of the following security drivers:

  • SMTP AUTH NTLM Security Driver
  • SMTP SSPI Security Driver
  • SMTP XOAUTH2 Security Driver
  • POP XOAUTH2 Security Driver

Uniface also provides a security driver for the STARTTLS ESMTP extension, which upgrades a TCP connection to an SMTP server to a TLS connection. This security driver can be used in conjunction with one of the other SMTP security drivers to provide authentication. It is required when connecting to Microsoft SMTP servers.

Supported ESMTP Extensions

SMTP security drivers support Extended SMTP (ESMTP) extensions, which perform an initial exchange of messages when a connection is established to an SMTP or POP server. This exchange of messages normally implements an authentication process, which determines whether this user is allowed to use the server.

The supported commands and keywords are:

  • AUTH LOGIN: Basic login authentication. Not very secure, and does not support session signing and encryption.
  • AUTH NTLM: SMTP authentication using the Microsoft NT LAN Manager protocol. Improved, but not impervious, authentication; supports session signing and encryption.
  • AUTH GSSAPI: Specifies the use of the GSSAPI interface to negotiate the authentication protocol to use. Under Windows, this commonly results in the Kerberos authentication protocol. When it applies to Kerberos, it provides the strongest authentication method. AUTH GSSAPI supports session signing and encryption.
  • AUTH XOAUTH2: Authentication using OAuth 2.0, which uses access tokens instead of passwords for authentication.
  • STARTTLS: Upgrades an existing TCP connection to TLS.

You can use the Security Driver API to create your own implementations of SASL authentication mechanisms. For more information, see APIs: Security Driver.

SASL

SASL provides a framework for authentication and data security, and allows the registration of such mechanisms. SASL mechanisms normally provide authentication and, optionally, session signing and encryption.

  • Authentication verifies that somebody is who they say they are. This is normally achieved by the client and server exchanging messages in a predefined format and encryption scheme.
  • Session signing attaches a digital signature to a message to prove that the message was sent by the authenticated sender.
  • Session encryption is a transformation that is applied to a message in such a way that only the intended recipient can easily retrieve the original message.

Session signing and encryption are techniques that apply to the messages sent after an authenticated communication session has been established and may be negotiated during the authentication.

Note: The Security Driver API currently supports authentication, but not session signing and encryption.
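As an added example (not Uniface code), the following Python models the client-side decisions the sections above describe: parse the server's EHLO capability list, issue STARTTLS before any AUTH when the server offers it, pick the strongest mechanism in the order the extensions table ranks them, and build the SASL XOAUTH2 initial response that carries an access token in place of a password. The EHLO replies, the user name and the token are constructed sample values.

```python
import base64
# Preference order follows the table above: GSSAPI (Kerberos) is the strongest,
# NTLM is improved but not impervious, LOGIN is not very secure.
MECHANISM_PREFERENCE = ("GSSAPI", "NTLM", "XOAUTH2", "LOGIN")

# Constructed EHLO replies (not captured from a real server), in the
# ESMTP multi-line form: "250-keyword" for continuation, "250 keyword" last.
SAMPLE_EHLO_PRE_TLS = (
    "250-smtp.example.test Hello\r\n"
    "250-STARTTLS\r\n"
    "250 AUTH LOGIN NTLM\r\n"
)
SAMPLE_EHLO_POST_TLS = (
    "250-smtp.example.test Hello\r\n"
    "250 AUTH LOGIN NTLM XOAUTH2 GSSAPI\r\n"
)

def parse_ehlo(response: str) -> dict:
    """Extract the STARTTLS flag and the advertised AUTH mechanisms."""
    caps = {"STARTTLS": False, "AUTH": set()}
    for line in response.splitlines():
        if not line.startswith("250"):
            continue
        words = line[4:].upper().split()   # drop "250-" or "250 "
        if words == ["STARTTLS"]:
            caps["STARTTLS"] = True
        elif words and words[0] == "AUTH":
            caps["AUTH"].update(words[1:])
    return caps

def next_command(caps: dict, tls_active: bool) -> str:
    """Upgrade to TLS first when the server offers STARTTLS; otherwise AUTH
    with the strongest advertised mechanism from MECHANISM_PREFERENCE."""
    if not tls_active and caps["STARTTLS"]:
        return "STARTTLS"
    for mech in MECHANISM_PREFERENCE:
        if mech in caps["AUTH"]:
            return f"AUTH {mech}"
    raise RuntimeError("no supported SASL mechanism advertised")

def xoauth2_initial_response(user: str, access_token: str) -> str:
    """SASL XOAUTH2 initial response: base64('user=U\\x01auth=Bearer T\\x01\\x01')."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()
    return base64.b64encode(raw).decode()

def decode_xoauth2(initial_response: str) -> dict:
    """Inverse of xoauth2_initial_response, for inspecting a captured AUTH line."""
    fields = base64.b64decode(initial_response).decode().split("\x01")
    return dict(f.split("=", 1) for f in fields if f)
```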

Configuration

Security drivers must be declared in the [USER_3GL] section of the application assignment file. For example:

[USER_3GL]
; OAuth 2.0 security drivers for email:
C:\Program Files (x86)\Uniface10\bin\\uauthxoauth2(UAuthXOAUTH2POP, UAuthXOAUTH2SMTP)
; STARTTLS driver (required when connecting to Microsoft SMTP servers)
C:\Program Files (x86)\Uniface10\bin\\ustarttls(UStartTLSSMTP)
