Previous | Next | Contents | Index |
An authentication mechanism is a particular method for a client to prove its identity to a server. APOP, PLAIN, CRAM-MD5, and DIGEST-MD52 are examples of authentication mechanisms.
An authentication verifier (e.g., password) is stored on the server and contains information used to verify a user's identity. The format of the authentication verifier can restrict which mechanisms can be used. The term authentication verifier is preferred in place of password, since while passwords are the most common instance of authentication verifiers, an authentication verifier could also be something like a certificate in an LDAP directory or the like; usually, however, one can think "password" wherever one sees "authentication verifier".
An authentication source is a file, database, interface to an LDAP directory, etc., accessible to the server wherein are stored authentication verifiers for users. The system password file, PMDF user profile passwords (for PMDF MessageStore or PMDF popstore accounts),3 and the PMDF password database4 are examples of authentication sources.
A security rule set is a set of rules determining which authentication mechanisms and sources are permitted or used by the server. In PMDF the PORT_ACCESS mapping is used to determine the security rule set to apply to an incoming connection, based on IP addresses and ports.
A user domain is an independent set of users known to the server. This is useful, for example, if a server wants to support multiple sets of users possibly with overlapping user names. In PMDF the PORT_ACCESS mapping is used to determine the user domain for each incoming connection, based on IP addresses and ports. Only the PMDF MessageStore authentication source (also used for PMDF popstore) supports multiple user domains; for all other sources, or if no user domain is explicitly specified in the PORT_ACCESS mapping, the default user domain is assumed.
SASL (Simple Authentication and Security Layer)5 is a way to add different authentication mechanisms to Internet protocols such as POP, IMAP, and SMTP. When the connection is opened, the POP, IMAP, or SMTP client can authenticate itself to the respective server.
2 Mechanism names are as defined by SASL (RFC 2222), which is the IETF (Internet Engineering Task Force---the Internet standards body) specification for adding authentication to protocols such as IMAP and POP. For discussions of particular mechanisms, see for instance RFC 2195 documenting CRAM-MD5, RFC 1939 documenting APOP, and RFC 2617 defining HTTP-digest authentication from which DIGEST-MD5 is derived.3 See the PMDF popstore & MessageStore Manager's Guide.4 See, for instance, Section 14.7.5 For a full description of SASL, see RFC 2222, a copy of which can be found in the RFC subdirectory in the PMDF tree. |
Previous | Next | Contents | Index |