SMTP with CRAM-MD5 in Java

Question

I need to send email through an (external) SMTP server from Java however this server will only accept CRAM-MD5 authentication, which is not supported by JavaMail.

What would be a good way to get these emails to send? (It must be in Java.)

Answer 1

Here is thread which says that you need to add the following property:

props.put("mail.smtp.auth.mechanisms", "CRAM-MD5")

Also in Geronimo implementation there is CramMD5Authenticator

Hope it helps to resolve this old question.

Answer 2

Since Java Mail 1.4.4, CRAM-MD5 is supported for use with smtp. Just set this parameter to your properties and it will work:

props.put("mail.smtp.sasl.enable", "true");

Answer 3

This doesn't help you directly, however, IMAP connections in JavaMail do support SASL (and thus CRAM-MD5, see the Java SASL documentation) if you set the mail.imap.sasl.enable boolean property to true.

Unfortunately, there is no mail.smtp.sasl.enable property, and SASL cannot be enabled for SMTP in JavaMail. :-(

However, you can download the JavaMail source code, and you can try to edit the SMTP code to support SASL in a similar manner to the IMAP code. Good luck!

Answer 4

This probably won't help you but CRAM-MD5 and CRAM-SHA1 are fairly easy to implement assuming you have the correct library (md5/sha1) and, idealy, a base64 encoding library (though the base64 stuff is fairly easy to implement yourself in a pinch).

The transaction looks like this:

C: AUTH CRAM-MD5
S: 334 BASE64(NONCE)
C: BASE64(USERNAME, " ", MD5((SECRET XOR opad),MD5((SECRET XOR ipad), NONCE)))
S: 235 Authentication succeeded

Where NONCE is the once time challenge string, USERNAME is the username you are tryng to authenticate, SECRET is the shared secret ("password"), opad is 0x5C, and ipad is 0x36.

(CRAM-SHA1 would be the same transaction, but using SHA1() instead of MD5() to do the digesting)

So, here's an example of a real CRAM-MD5 transaction

C: AUTH CRAM-MD5
S: 334 PDQ1MDMuMTIyMzU1Nzg2MkBtYWlsMDEuZXhhbXBsZS5jb20+
C: dXNlckBleGFtcGxlLmNvbSA4YjdjODA5YzQ0NTNjZTVhYTA5N2VhNWM4OTlmNGY4Nw==
S: 235 Authentication succeeded

Backing up the process a step you get:

S: 334 BASE64("<[email protected]>")
C: BASE64("[email protected] 8b7c809c4453ce5aa097ea5c899f4f87")

Backing up one step further to before the digest is calculated, you get:

S: 334 BASE64("<[email protected]>")
C: BASE64("[email protected] ", MD5(("password" XOR opad),MD5(("password" XOR ipad), "<[email protected]>")))

I guess that's kind of confusing now that I write it out, but trust me, compared to trying to do NTLM/SPA by hand, it's a breeze. If you're motivated, it's actually pretty easy to implement. Or maybe I've just spent way to long with my hands in the guts of mail clients and servers to think about it clearly anymore...