外文翻译-SMTP服务扩展的身份验证

外文文献原文SMTPServiceExtensionforAuthenticationThisdocumentspecifiesanInternetstandardstrackprotocolfortheInternetcommunity,andrequestsdiscussionandsuggestionsforimprovements.PleaserefertothecurrenteditionoftheInternetOfficialProtocolStandards(STD1)forthestandardizationstateandstatusofthisprotocol.Distributionofthismemoisunlimited.CopyrightNoticeCopyright(C)TheInternetSociety(1999).AllRightsReserved.1.IntroductionThisdocumentdefinesanSMTPserviceextensionESMTPwherebyanSMTPclientmayindicateanauthenticationmechanismtotheserver,performanauthenticationprotocolexchange,andoptionallynegotiateasecuritylayerforsubsequentprotocolinteractions.ThisextensionisaprofileoftheSimpleAuthenticationandSecurityLayerSASL.2.ConventionsUsedinthisDocumentInexamples,C:andS:indicatelinessentbytheclientandserverrespectively.ThekeywordsMUST,MUSTNOT,SHOULD,SHOULDNOT,andMAYinthisdocumentaretobeinterpretedasdefinedinKeywordsforuseinRFCstoIndicateRequirementLevelsKEYWORDS.3.TheAuthenticationserviceextension(1)thenameoftheSMTPserviceextensionisAuthentication(2)theEHLOkeywordvalueassociatedwiththisextensionisAUTH(3)TheAUTHEHLOkeywordcontainsasaparameteraspaceseparatedlistofthenamesofsupportedSASLmechanisms.(4)anewSMTPverbAUTHisdefined(5)anoptionalparameterusingthekeywordAUTHisaddedtotheMAILFROMcommand,andextendsthemaximumlinelengthoftheMAILFROMcommandby500characters.(6)thisextensionisappropriateforthesubmissionprotocolSUBMIT.4.TheAUTHcommandAUTHmechanisminitial-responseArguments:astringidentifyingaSASLauthenticationmechanism.anoptionalbase64-encodedresponseRestrictions:AfteranAUTHcommandhassuccessfullycompleted,nomoreAUTHcommandsmaybeissuedinthesamesession.AfterasuccessfulAUTHcommandcompletes,aserverMUSTrejectanyfurtherAUTHcommandswitha503reply.TheAUTHcommandisnotpermittedduringamailtransaction.Discussion:TheAUTHcommandindicatesanauthenticationmechanismtotheserver.Iftheserversupportstherequestedauthenticationmechanism,itperformsanauthenticationprotocolexchangetoauthenticateandidentifytheuser.Optionally,italsonegotiatesasecuritylayerforsubsequentprotocolinteractions.Iftherequestedauthenticationmechanismisnotsupported,theserverrejectstheAUTHcommandwitha504reply.Theauthenticationprotocolexchangeconsistsofaseriesofserverchallengesandclientanswersthatarespecifictotheauthenticationmechanism.Aserverchallenge,otherwiseknownasareadyresponse,isa334replywiththetextpartcontainingaBASE64encodedstring.TheclientanswerconsistsofalinecontainingaBASE64encodedstring.Iftheclientwishestocancelanauthenticationexchange,itissuesalinewithasingle*.Iftheserverreceivessuchananswer,itMUSTrejecttheAUTHcommandbysendinga501reply.Theoptionalinitial-responseargumenttotheAUTHcommandisusedtosavearoundtripwhenusingauthenticationmechanismsthataredefinedtosendnodataintheinitialchallenge.Whentheinitial-responseargumentisusedwithsuchamechanism,theinitialemptychallengeisnotsenttotheclientandtheserverusesthedataintheinitial-responseargumentasifitweresentinresponsetotheemptychallenge.Unlikeazero-lengthclientanswertoa334reply,azero-lengthinitialresponseissentasasingleequalssign(=).Iftheclientusesaninitial-responseargumenttotheAUTHcommandwithamechanismthatsendsdataintheinitialchallenge,theserverrejectstheAUTHcommandwitha535reply.IftheservercannotBASE64decodetheargument,itrejectstheAUTHcommandwitha501reply.Iftheserverrejectstheauthenticationdata,itSHOULDrejecttheAUTHcommandwitha535replyunlessamorespecificerrorcode,suchasonelistedinsection6,isappropriate.Shouldtheclientsuccessfullycompletetheauthenticationexchange,theSMTPserverissuesa235reply.TheservicenamespecifiedbythisprotocolsprofileofSASLissmtp.IfasecuritylayerisnegotiatedthroughtheSASLauthenticationexchange,ittakeseffectimmediatelyfollowingtheCRLFthatconcludestheauthenticationexchangefortheclient,andtheCRLFofthesuccessreplyfortheserver.Uponasecuritylayerstakingeffect,theSMTPprotocolisresettotheinitialstate(thestateinSMTPafteraserverissuesa220servicereadygreeting).TheserverMUSTdiscardanyknowledgeobtainedfromtheclient,suchastheargumenttotheEHLOcommand,whichwasnotobtainedfromtheSASLnegotiationitself.TheclientMUSTdiscardanyknowledgeobtainedfromtheserver,suchasthelistofSMTPserviceextensions,whichwasnotobtainedfromtheSASLnegotiationitself(withtheexceptionthataclientMAYcomparethelistofadvertisedSASLmechanismsbeforeandafterauthenticationinordertodetectanactivedown-negotiationattack).TheclientSHOULDsendanEHLOcommandasthefirstcommandafterasuccessfulSASLnegotiationwhichresultsintheenablingofasecuritylayer.Theserverisnotrequiredtosupportanyparticularauthenticationmechanism,norareauthenticationmechanismsrequiredtosupportanysecuritylayers.IfanAUTHcommandfails,theclientmaytryanotherauthenticationmechanismbyissuinganotherAUTHcommand.IfanAUTHcommandfails,theserverMUSTbehavethesameasiftheclienthadnotissuedtheAUTHcommand.TheBASE64stringmayingeneralbearbitrarilylong.ClientsandserversMUSTbeabletosupportchallengesandresponsesthatareaslongasaregeneratedbytheauthenticationmechanismstheysupport,independentofanylinelengthlimitationstheclientorservermayhaveinotherpartsofitsprotocolimplementation.Examples:S:220ESMTPserverreadyC:EHLOS:250-S:250AUTHCRAM-MD5DIGEST-MD5C:AUTHFOOBARS:504Unrecognizedauthenticationtype.C:AUTHCRAM-MD5S:334PENCeUxFREJoU0NnbmhNWitOMjNGNndAZWx3b29kLmlubm9zb2Z0LmNvbT4=C:ZnJlZCA5ZTk1YWVlMDljNDBhZjJiODRhMGMyYjNiYmFlNzg2ZQ=S:235Authenticationsuccessful.5.TheAUTHparametertotheMAILFROMcommandAUTH=addr-specArguments:Anaddr-speccontainingtheidentitywhichsubmittedthemessagetothedeliverysystem,orthetwocharactersequenceindicatingsuchanidentityisunknownorinsufficientlyauthenticated.TocomplywiththerestrictionsimposedonESMTPparameters,theaddr-specisencodedinsideanxtext.Thesyntaxofanxtextisdescribedinsection5ofESMTP-DSN.Discussion:TheoptionalAUTHparametertotheMAILFROMcommandallowscooperatingagentsinatrustedenvironmenttocommunicatetheauthenticationofindividualmessages.Iftheservertruststheauthenticatedidentityoftheclienttoassertthatthemessagewasoriginallysubmittedbythesuppliedaddr-spec,thentheserverSHOULDsupplythesameaddr-specinanAUTHparameterwhenrelayingthemessagetoanyserverwhichsupportstheAUTHextension.AMAILFROMparameterofAUTH=indicatesthattheoriginalsubmitterofthemessageisnotknown.TheserverMUSTNOTtreatthemessageashavingbeenoriginallysubmittedbytheclient.IftheAUTHparametertotheMAILFROMisnotsupplied,theclienthasauthenticated,andtheserverbelievesthemessageisanoriginalsubmissionbytheclient,theserverMAYsupplytheclientsidentityintheaddr-specinanAUTHparameterwhenrelayingthemessagetoanyserverwhichsupportstheAUTHextension.Iftheserverdoesnotsufficientlytrusttheauthenticatedidentityoftheclient,oriftheclientisnotauthenticated,thentheserverMUSTbehaveasiftheAUTH=parameterwassupplied.TheserverMAY,however,writethevalueoftheAUTHparametertoalogfile.IfanAUTH=parameterwassupplied,eitherexplicitlyorduetotherequirementinthepreviousparagraph,thentheserverMUSTsupplytheAUTH=parameterwhenrelayingthemessagetoanyserverwhichithasauthenticatedtousingtheAUTHextension.AserverMAYtreatexpansionofamailinglistasanewsubmission,settingtheAUTHparametertothemailinglistaddressormailinglistadministrationaddresswhenrelayingthemessagetolistsubscribers.Itisconformingforanimplementationtobehard-codedtotreatallclientsasbeinginsufficientlytrusted.Inthatcase,theimplementationdoesnothingmorethanparseanddiscardsyntacticallyvalidAUTHparameterstotheMAILFROMcommandandsupplyAUTH=parameterstoanyserverstowhichitauthenticatesusingtheAUTHextension.Examples:C:MAILFROM:AUTH=e+3DS:250OK6.ErrorCodesThefollowingerrorcodesmaybeusedtoindicatevariousconditionsasdescribed.432ApasswordtransitionisneededThisresponsetotheAUTHcommandindicatesthattheuserneedstotransitiontotheselectedauthenticationmechanism.ThistypicallydonebyauthenticatingonceusingthePLAINauthenticationmechanism.534AuthenticationmechanismistooweakThisresponsetotheAUTHcommandindicatesthattheselectedauthenticationmechanismisweakerthanserverpolicypermitsforthatuser.538EncryptionrequiredforrequestedauthenticationmechanismThisresponsetotheAUTHcommandindicatesthattheselectedauthenticationmechanismmayonlybeusedwhentheunderlyingSMTPconnectionisencrypted.454TemporaryauthenticationfailureThisresponsetotheAUTHcommandindicatesthattheauthenticationfailedduetoatemporaryserverfailure.530AuthenticationrequiredThisresponsemaybereturnedbyanycommandotherthanAUTH,EHLO,HELO,NOOP,RSET,orQUIT.Itindicatesthatserverpolicyrequiresauthenticationinordertoperformtherequestedaction.7.FormalSyntaxThefollowingsyntaxspecificationusestheaugmentedBackus-NaurForm(BNF)notationasspecifiedinABNF.Exceptasnotedotherwise,allalphabeticcharactersarecase-insensitive.Theuseofupperorlowercasecharacterstodefinetokenstringsisforeditorialclarityonly.ImplementationsMUSTacceptthesestringsinacase-insensitivefashion.UPALPHA=%x41-5A;Uppercase:A-ZLOALPHA=%x61-7A;Lowercase:a-zALPHA=UPALPHA/LOALPHA;caseinsensitiveDIGIT=%x30-39;Digits0-9HEXDIGIT=%x41-46/DIGIT;hexidecimaldigit(uppercase)hexchar=+HEXDIGITHEXDIGITxchar=%x21-2A/%x2C-3C/%x3E-7E;US-ASCIIexceptfor+,=,SPACEandCTLxtext=*(xchar/hexchar)AUTH_CHAR=ALPHA/DIGIT/-/_auth_type=1*20AUTH_CHARauth_command=AUTHSPACEauth_typeSPACE(base64/=)*(CRLFbase64)CRLFauth_param=AUTH=xtext;ThedecodedformofthextextMUSTbeeither;anaddr-specorthetwocharactersbase64=base64_terminal/(1*(4base64_CHAR)base64_terminal)base64_char=UPALPHA/LOALPHA/DIGIT/+/;Case-sensitivebase64_terminal=(2base64_char=)/(3base64_char=)continue_req=334SPACEbase64CRLFCR=%x0C;ASCIICR,carriagereturnCRLF=CRLFCTL=%x00-1F/%x7F;anyASCIIcontrolcharacterandDELLF=%x0A;ASCIILF,linefeedSPACE=%x20;ASCIISP,space8.ReferencesABNFCrocker,D.andP.Overell,AugmentedBNFforSyntaxSpecifications:ABNF,RFC2234,November1997.CRAM-MD5Klensin,J.,Catoe,R.andP.Krumviede,IMAP/POPAUTHorizeExtensionforSimpleChallenge/Response,RFC2195,September1997.ESMTPKlensin,J.,Freed,N.,Rose,M.,Stefferud,E.andD.Crocker,SMTPServiceExtensions,RFC1869,November1995.ESMTP-DSNMoore,K,SMTPServiceExtensionforDeliveryStatusNotifications,RFC1891,January1996.KEYWORDSBradner,S.,KeywordsforuseinRFCstoIndicateRequirementLevels,BCP14,RFC2119,March1997SASLMyers,J.,SimpleAuthenticationandSecurityLayer(SASL),RFC2222,October1997.SUBMITGellens,R.andJ.Klensin,MessageSubmission,RFC2476,December1998.RFC821Postel,J.,SimpleMailTransferProtocol,STD10,RFC821,August1982.RFC822Crocker,D.,StandardfortheFormatofARPAInternetTextMessages,STD11,RFC822,August1982.9.SecurityConsiderationsSecurityissuesarediscussedthroughoutthismemo.Ifaclientusesthisextensiontogetanencryptedtunnelthroughaninsecurenetworktoacooperatingserver,itneedstobeconfiguredtoneversendmailtothatserverwhentheconnectionisnotmutuallyauthenticatedandencrypted.Otherwise,anattackercouldstealtheclientsmailbyhijackingtheSMTPconnectionandeitherpretendingtheserverdoesnotsupporttheAuthenticationextensionorcausingallAUTHcommandstofail.BeforetheSASLnegotiationhasbegun,anyprotocolinteractionsareperformedintheclearandmaybemodifiedbyanactiveattacker.Forthisreason,clientsandserversMUSTdiscardanyknowledgeobtainedpriortothestartoftheSASLnegotiationuponcompletionofaSASLnegotiationwhichresultsinasecuritylayer.ThismechanismdoesnotprotecttheTCPport,soanactiveattackermayredirectarelayconnectionattempttothesubmissionportSUBMIT.TheAUTH=parameterpreventssuchanattackfromcausinganrelayedmessagewithoutanenvelopeauthenticationtopickuptheauthenticationoftherelayclient.AmessagesubmissionclientmayrequiretheusertoauthenticatewheneverasuitableSASLmechanismisadvertised.Therefore,itmaynotbedesirableforasubmissionserverSUBMITtoadvertiseaSASLmechanismwhenuseofthatmechanismgrantstheclientnobenefitsoveranonymoussubmission.Thisextensionisnotintendedtoreplaceorbeusedinsteadofend-to-endmessagesignatureandencryptionsystemssuchasS/MIMEorPGP.Thisextensionaddressesadifferentproblemthanend-to-endsystems;ithasthefollowingkeydifferences:(1)itisgenerallyusefulonlywithinatrustedenclave(2)itprotectstheentireenvelopeofamessage,notjustthemessagesbody.(3)itauthenticatesthemessagesubmission,notauthorshipofthemessagecontent(4)itcangivethesendersomeassurancethemessagewasdeliveredtothenexthopinthecasewherethesendermutuallyauthenticateswiththenexthopandnegotiatesanappropriatesecuritylayer.AdditionalsecurityconsiderationsarementionedintheSASLspecificationSASL.外文文献翻译SMTP服务扩展的身份验证本文档描述的Internet标准跟踪协议的互联网社区，需要进一步进行讨论和建议以得到改进。请参考“Internet正式协议标准”（STD1）的当前版本来获得本协议的标准化程度和状态。本备忘录的发布不受任何限制。版权声明版权所有（C）因特网协会（1999）。保留所有权利。1引言本文档定义了一个SMTP服务扩展ESMTP据此，SMTP客户端可以表明身份验证机制，服务器，执行认证协议交换，以及可选negotiatea安全层，用于后续协议交互。这个扩展是简单认证和安全层的分布SASL。2，约定本文档中使用在例子中，“C：”和“S：”分别表示由客户机和服务器发送的线条。其中的关键字“必须”，“必须不”，“应该”，“不应该”和“可能”本文档中被解释为在定义的“关键词在RFC中使用，以表明要求级别”关键字。3，身份验证服务扩展（1）SMTP服务扩展的名称是“认证”。（2）具有此扩展名关联的EHLO关键字的值是“AUTH”。（3）AUTHEHLO关键字包含作为参数，支持SASL机制的名称空格分隔列表。（4）新的SMTP动词“AUTH”的定义。（5）使用关键字“AUTH”一个可选的参数添加到MAILFROM命令，并扩展了500个字符的MAILFROM命令最大行长度。（6）该扩展是适当的提交协议提交。4，AUTH命令AUTH机制初始反应参数：一个字符串，标识一个SASL认证机制。一个可选的base64编码的响应。限制：经过AUTH命令已成功完成，没有更多的AUTH命令可以在同一会话中发出。一个成功的AUTH命令完成后，服务器必须使任何进一步的AUTH命令有一个503应答。AUTH命令一个邮件传输过程中是不允许的。讨论：AUTH命令显示的验证机制到服务器。如果服务器支持请求的认证机制，它执行一个认证协议交换认证和识别用户。另外，它还协商安全层，用于后续协议交互。如果不支持请求的身份验证机制，服务器使用一个504应答拒绝AUTH命令。认证协议交换由一系列的挑战服务器和客户端的答案是特定的认证机制。服务器的挑战，否则称为一个现成的回应，是用含有Base64编码的字符串文字部分334答复。客户端答案由包含一个Base64编码的字符串的行。如果客户想取消认证交换，它会发出一个单一的“*”的行。如果服务器接收到这样一个答案，它必须通过发送一个501应答拒绝AUTH命令。可选的初始响应参数AUTH命令，是用来使用被定义为不发送数据的最初挑战，从而使认证机制时节省往返。当初始响应参数是使用这样的机制，初始为空的挑战不会被发送到客户端和服务器，使用的数据初始响应参数，如果它被送到响应为空的挑战。与零长度客户端回答一个334应答，长度为零的初步反应是被作为一个单一的等号（“=”）。如果客户端使用的初始响应参数与发送的数据在最初的挑战机制中使用AUTH命令，服务器用一个535应答拒绝AUTH命令。如果服务器不能用BASE64解码参数，它拒绝AUTH命令用501答复。如果服务器拒绝认证数据，它应拒绝AUTH命令有一个535应答，除非一个更具体的错误代码，例如一个在第6条中列出，是适当的。应在客户端成功完成认证交换，SMTP服务器发出一个235应答。通过SASL的此协议的配置文件中指定的服务名称为“SMTP”。如果安全层是通过SASL认证交流协商，它需要立即生效的结论，为客户端身份验证交换和服务器的成功答复的CRLF下。当一个安全层的效果，SMTP协议被重置到初始状态（状态后的SMTP服务器发出一个220服务就绪信号）。服务器必须丢弃从客户端获得的任何知识，如参数EHLO命令，这不是从SASL协商本身获得的。客户端必须丢弃从服务器获得的任何知识，如SMTP服务的扩展，这不是从SASL协商本身获得的（除了一个客户端可以标榜SASL机制列表之前和之后验证，以便比较列表要检测一个向下的谈判）。客户端应该成功SASL协商导致一个安全层的协议使用之后发送EHLO命令作为第一个命令。该服务器不需要支持任何特定的身份验证机制，也没有支持任何安全层所需的身份验证机制。如果AUTH命令失败，客户端可以通过发出另一个AUTH命令尝试另一种身份验证机制。如果AUTH命令失败，服务器必须具有相同的行为，就好像客户端没有发出AUTH命令。该base64字符串一般可以是任意长。客户端和服务器必须能够支持的挑战和对策是，只要是由他们支持的任何线路长度的客户端或服务器可以在其协议实现的其他部分的身份验证机制生成。示例：S：220ESMTP服务器准备就绪C：EHLOS：250S：250AUTHCRAM-MD5DIGEST-MD5C：AUTHFOOBARS：504无法识别的身份验证类型。C：AUTHCRAM-MD5S：334PENCeUxFREJoU0NnbmhNWitOMjNGNndAZWx3b29kLmlubm9zb2Z0LmNvbT4=C：ZnJlZCA5ZTk1YWVlMDljNDBhZjJiODRhMGMyYjNiYmFlNzg2ZQ=S：235验证成功。5，AUTH参数以MAILFROM命令AUTH=地址规格参数：一个地址规格包含该邮件提交到该输送系统的身份，或两字符序列“”，表明这样一个身份不明或没有充分验证。为符合规定的ESMTP参数的限制，addr的规格应符合编码XText。一个的XText的语法在ESMTP-DSN第5节中描述。讨论：可选的AUTH参数以MAILFROM命令，允许在受信任的环境中交流个人信息的认证合作机制。如果服务器信任客户端的身份验证身份。断言消息最初提交的地址提供的规格，那么服务器应该转发该消息到支持AUTH扩展的任何服务器，并提供相同的地址规格在AUTH参数。从AUTH=参数邮件表示该邮件的原始发布者是未知。服务器不能处理该消息为最初提交的客户端。如果AUTH参数到MAILFROM没有提供，客户端已经通过身份验证，服务器认为该消息是由客户端的原始提交的，该服务器可以中继时提供客户端的身份在地址规格AUTH中的参数消息，它支持AUTH扩展的任何服务器。如果服务器没有充分信任的客户端的身份验证，或者如果客户端未通过身份验证，那么服务器必须（MUST）的行为，提示AUTH=参数被提供。服务器可能，写AUTH参数到一个日志文件中。如果AUTH=参数被提供，任何明示或由于前一段的要求，那么服务器必须处理的消息，其已验证到使用AUTH扩展任何服务器时提供的AUTH=参数。服务器可能把扩张的邮件列表作为一个新的提交，传递消息列出用户时AUTH参数设置为邮件列表地址或邮件列表的管理地址。这符合一个实施被编码为对待所有客户端为被信任。在这种情况下，执行没有什么分析，并丢弃语法上有效的AUTH参数，MAILFROM命令和供应AUTH=参数验证使用AUTH扩展名的任何服务器。示例：C：MAILFROM：AUTH=E+3DS：250OK6。错误代码下面的错误代码可以用于表示不同的条件如上所述。432密码过渡是必要的这个响应AUTH命令指示用户需要转换到所选择的认证机构。这通常通过使用普通的认证机制，认证完成。534认证机制太弱这回应了AUTH命令表示选定的身份验证机制比服务器策略允许该用户弱。需要请求的认证机制，加密538这个响应AUTH命令指示只可用于所选择的认证机构，当底层SMTP连接被加密。454临时认证失败这回应了AUTH命令指示验证由于临时服务器故障失败。需要530认证这种反应可能会比通过AUTH，EHLO，HELO，NOOP，RSET，或退出其他任何命令返回。这表明服务器的政策要求，以执行要求的动作验证。7，形式语法下面的语法规范使用增广巴科斯-诺尔范式（BNF）ABNF中指定。除非另有说明，所有字母不区分大小写。使用大写或小写字符来定义令牌字符串仅用于编辑的清晰度。实现必须接受这些字符串不区分大小写的方式。UPALPHA=X41-5A;大写字母：A-ZLOALPHA=X61-7A;小写：A-ZALPHA=UPAL