Smtp Cram-Md5 (Encrypted Password) Auth Support?

[Alex]

Does Blesta support it already? I hate to find out the hard way. Our mail servers force SSL on 465 with CRAM-MD5 auth for security purposes.

 

If not, I will send Paul the PHP code necessary to support it and hopefully we can integrate it easily.

[Paul]

It's not supported but there appears to be a transport for it for Swiftmailer, which we use. Cody doesn't think it would be terribly difficult to add. How widely used is CRAM-MD5? I honestly have never heard of it.

[Michael]

It's not supported but there appears to be a transport for it for Swiftmailer, which we use. Cody doesn't think it would be terribly difficult to add. How widely used is CRAM-MD5? I honestly have never heard of it.

 

I've not heard of it before either haha.

[Alex]

Every mail server I've ever used besides Exim via cPanel/WHM (sadly) supports it and it's supported in all major clients. Exim already supports it (http://www.exim.org/exim-html-current/doc/html/spec_html/ch-smtp_authentication.html) and a feature request has been submitted to cPanel (http://features.cpanel.net/responses/add-cram-md5-as-an-email-authentication-method) so it's reasonable to believe it will soon be supported in the one place I know of that it isn't already.

 

Wikipedia (http://en.wikipedia.org/wiki/CRAM-MD5) says

it is quite often supported by SMTP-AUTH Mail submission agents.

 

It's usually called "Encrypted Password," especially in email clients, instead of the more technical "CRAM-MD5" which I suspect is why you don't recognize it.

[Paul]

It's assigned to CORE-741 and tentatively slated for v3.2.

 

It will add a new authentication mode drop down, with plain, login, cram-md5, and null/none as options.

[Michael]

Is it like a password but a file?

[Alex]

It's assigned to CORE-741 and tentatively slated for v3.2.

 

It will add a new authentication mode drop down, with plain, login, cram-md5, and null/none as options.

 

Perfect! That sounds great. That's exactly what my mail clients have. Do you have a release schedule for 3.1 and 3.2? Any chance of getting the run down on how I can patch my own copy of Blesta to support this in the meantime?

 

Is it like a password but a file?

 

No, it still just uses your password (or IMAP key in my case, but that's another story), it's just a different way of exchanging it between the client (Blesta in this case) and the mail server. It doesn't require anything from you other than ensuring that your mail server supports it. (cPanel/WHM e-mail accounts do not yet support it)

[Michael]

Perfect! That sounds great. That's exactly what my mail clients have.

 

 

No, it still just uses your password, it's just a different way of exchanging it between the client (Blesta in this case) and the mail server. It doesn't require anything from you other than ensuring that your mail server supports it. (cPanel/WHM e-mail accounts do not yet support it)

 

Oh I see . I wouldn't be able to use it yet then

[Paul]

Cody may be able to provide some direction for getting this to work for you now, I'm not sure.

 

We are aiming for an 8 week +/- 2 week release cycle, but this will vary and we expect our 3.1 release to take a little longer, since we've spent much of our time since release resolving bugs. Moving forward, we expect the number of bug reports to diminish. We expected to receive a higher number of bug reports after our initial 3.0 release, being that it's all new code.

 

Give us a few releases to get in our groove.

[Alex]

Cody may be able to provide some direction for getting this to work for you now, I'm not sure.

 

We are aiming for an 8 week +/- 2 week release cycle, but this will vary and we expect our 3.1 release to take a little longer, since we've spent much of our time since release resolving bugs. Moving forward, we expect the number of bug reports to diminish. We expected to receive a higher number of bug reports after our initial 3.0 release, being that it's all new code.

 

Give us a few releases to get in our groove.

 

Sounds good, thanks Paul. Should I email Cody or just await a response here?

[Paul]

Sounds good, thanks Paul. Should I email Cody or just await a response here?

 

If he doesn't reply in the next day or so, then yeah probably email.

[Alex]

If he doesn't reply in the next day or so, then yeah probably email.

 

If said e-mail provider doesn't get their act together quickly this may actually be less of an issue for us as we may stand up our own mail servers which can support standard AUTH. But, I would still advocate for this feature as we would prefer to use the more secure AUTH methods, regardless of the mail server.

[Paul]

If said e-mail provider doesn't get their act together quickly this may actually be less of an issue for us as we may stand up our own mail servers which can support standard AUTH. But, I would still advocate for this feature as we would prefer to use the more secure AUTH methods, regardless of the mail server.

 

Yup, it'll happen either way it's on the list.. but could be better in your case if you don't need it, then you can get up and running more quickly.