What do the SMTP Indy component security and authentication properties do?


Question

I am using the Indy components to implement emails in a Delphi application. I am specifically using the TidSMTP component. I need to effectively support all major email servers. I use Mozilla Thunderbird as my email client and am comparing the SMTP properties with those in the TidSMTP component. I have attempted to find documentation that describes the relationship between the TidSMTP properties, but have not been able to figure it out.

Can someone explain how these compare and what they do:

  • In Thunderbird: Connection Security: (None, STARTTLS, SSL/TLS).
  • In TidSMTP.UseTLS: (utNoTLSSupport, utUseImplicitTLS, utUseRequireTLS, utUseExplicitTLS)

In Thunderbird: Authentication method: (No Authentication, Normal Password, Encrypted Password, Kerberos/GSSAPI, NTLM)

I also see other TidSMTP properties: UseEhlo, UseVerp, UseNagle. Do I need to be using these? What do they do?

Recommended answer

When using STARTTLS, the server's listening port is initially unencrypted upon connecting. When a client connects, it can send an optional STARTTLS command to the server, if the server supports it, to dynamically perform the SSL/TLS handshake at that time. This allows legacy non-SSL/TLS clients to continue connecting to that same port, while allowing newer SSL/TLS-enabled clients to use SSL/TLS if available on the server. This corresponds to UseTLS=utUseExplicitTLS in Indy. You need to set UseEHLO to True in order to use UseTLS=utUseExplicitTLS, as the EHLO command is how TIdSMTP discovers whether the server supports the STARTTLS command or not.

When using SSL/TLS instead of STARTTLS, the server's listening port is always using encryption and the client must initiate the SSL/TLS handshake immediately upon connecting before any other data can be exchanged. This corresponds to UseTLS=utUseImplicitTLS in Indy. There is no STARTTLS command used.

For authentication, TIdSMTP has two options - the old (and unsecure) AUTH LOGIN command that is defined by the original SMTP spec, and SMTP extensions for SASL-based hashing/encryption algorithms (Kerberos, GSSAPI, NTLM, etc. are implemented as SASL algorithms).

To use SASL, set TIdSMTP.AuthType to satSASL and then fill in the TIdSMTP.SASLMechanisms collection to point at separate TIdSASL-derived components for the algorithms you want to support in your app. Indy has native SASL components for DIGEST-MD5, CRAM-MD5, CRAM-SHA1, NTLM (experimental), ANONYMOUS, EXTERNAL, OTP, PLAIN, SKEY, and LOGIN (SASL wrapper for AUTH LOGIN). If you need another algorithm (Kerberos or GSSAPI, for instance), you will have to write your own TIdSASL-derived component. For algorithms that use Username/Password, the values must be assigned to a separate TIdUserPassProvider component that is then assigned to the SASL components (the TIdSMTP.UserName and TIdSMTP.Password properties are not used with SASL). The more SASL algorithms you support, the wider the number of servers you will be able to support.

For servers that still support AUTH LOGIN, it can be used either by setting TIdSMTP.AuthType to satDefault (and optionally setting TIdSMTP.ValidateAuthLoginCapability to False if the server supports AUTH LOGIN but does not report it in response to the EHLO command) and then filling in the TIdSMTP.UserName and TIdSMTP.Password properties, or by including the TIdSASLLogin component in the TIdSMTP.SASLMechanisms collection.

UseVerp and UseNagle have nothing to do with security. VERP is an SMTP extension for detecting bouncing emails due to undeliverable errors. Nagle is a networking algorithm for optimizing network data packets.
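
The configuration described in the answer (STARTTLS plus SASL mechanisms sharing one TIdUserPassProvider), as an added example that is not part of the original answer. Host, port and credentials are placeholders; choosing utUseRequireTLS rather than utUseExplicitTLS is an assumption of this example, made so that the connection fails instead of sending PLAIN credentials in the clear when the server does not offer STARTTLS.

```delphi
program SmtpSaslDemo; // added example; host, port and credentials are placeholders
{$APPTYPE CONSOLE}
uses
  IdSMTP, IdSSLOpenSSL, IdExplicitTLSClientServerBase,
  IdUserPassProvider, IdSASL_CRAM_MD5, IdSASLPlain;
var
  SMTP: TIdSMTP;
  SSL: TIdSSLIOHandlerSocketOpenSSL;
  Creds: TIdUserPassProvider;
  CramMD5: TIdSASLCRAMMD5;
  Plain: TIdSASLPlain;
begin
  SMTP := TIdSMTP.Create(nil);
  try
    // Components created with SMTP as owner are freed together with it.
    SSL := TIdSSLIOHandlerSocketOpenSSL.Create(SMTP);
    SSL.SSLOptions.SSLVersions := [sslvTLSv1_2];
    SMTP.IOHandler := SSL;
    SMTP.Host := 'smtp.example.com';
    SMTP.Port := 587;          // STARTTLS port; implicit TLS would use utUseImplicitTLS
    SMTP.UseEhlo := True;      // EHLO is how STARTTLS and AUTH support are discovered
    // Assumption of this example: utUseRequireTLS raises an error if the server
    // does not offer STARTTLS, where utUseExplicitTLS would carry on unencrypted.
    SMTP.UseTLS := utUseRequireTLS;

    // With SASL the credentials live in the provider, not SMTP.Username/Password.
    Creds := TIdUserPassProvider.Create(SMTP);
    Creds.Username := 'user@example.com';
    Creds.Password := 'placeholder-password';
    CramMD5 := TIdSASLCRAMMD5.Create(SMTP);
    CramMD5.UserPassProvider := Creds;
    Plain := TIdSASLPlain.Create(SMTP);
    Plain.UserPassProvider := Creds;

    // Listed in order of preference: challenge-response before PLAIN.
    SMTP.AuthType := satSASL;
    SMTP.SASLMechanisms.Add.SASL := CramMD5;
    SMTP.SASLMechanisms.Add.SASL := Plain;

    SMTP.Connect;
    try
      SMTP.Authenticate;
      Writeln('Authenticated over TLS');
    finally
      SMTP.Disconnect;
    end;
  finally
    SMTP.Free;
  end;
end.
```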
