Username and password #
Password-based authentication is simple:
// create client instance and connect (Rebex.Net.Smtp/Imap/Pop3/Ews)
// ...
// log in
client.Login(username, password);
' create client instance and connect (Rebex.Net.Smtp/Imap/Pop3/Ews)
' ...
' log in
client.Login(username, password)
Tip: To protect your credentials, use TLS/SSL.
CRAM-MD5 authentication #
Some servers support CRAM-MD5 authentication mechanism.
When communicating over an unencrypted channel, this is more secure than plain-text password authentication.
// create SMTP client instance and connect
// (same applies for Rebex.Net.Imap/Pop3)
var client = new Rebex.Net.Smtp();
client.Connect(hostname, port);
// log in using CRAM-MD5
client.Login(username, password, SmtpAuthentication.CramMD5);
' create SMTP client instance and connect
' (same applies for Rebex.Net.Imap/Pop3)
Dim client = New Rebex.Net.Smtp()
client.Connect(hostname, port)
' log in using CRAM-MD5
client.Login(username, password, SmtpAuthentication.CramMD5)
DIGEST-MD5 authentication #
Some servers support DIGEST-MD5 authentication mechanism.
When communicating over an unencrypted channel, this is more secure than plain-text password authentication.
// create SMTP client instance and connect
// (same applies for Rebex.Net.Imap/Pop3)
var client = new Rebex.Net.Smtp();
client.Connect(hostname, port);
// log in using DIGEST-MD5
client.Login(username, password, SmtpAuthentication.DigestMD5);
' create SMTP client instance and connect
' (same applies for Rebex.Net.Imap/Pop3)
Dim client = New Rebex.Net.Smtp()
client.Connect(hostname, port)
' log in using DIGEST-MD5
client.Login(username, password, SmtpAuthentication.DigestMD5)
APOP authentication #
Some POP3 servers support APOP authentication mechanism.
When communicating over an unencrypted channel, this is more secure than plain-text password authentication.
// create POP3 client instance and connect
// ...
// log in using APOP
client.Login(username, password, Pop3Authentication.APop);
' create POP3 client instance and connect
' ...
' log in using APOP
client.Login(username, password, Pop3Authentication.APop)
OAuth 2.0 authentication #
Some cloud-based SMTP, IMAP and EWS servers (such as Gmail or Office365/Outlook.com)
support OAuth 2.0 authentication mechanism.
To authenticate using OAuth, you first have to construct an authentication token. Then, present the token to the SMTP, IMAP or EWS server:
// create SMTP client instance and connect
// (same applies for Rebex.Net.Imap)
var client = new Rebex.Net.Smtp();
client.Connect("smtp.gmail.com", SslMode.Implicit);
// prepare token
string pattern = string.Format("user={0}{1}auth=Bearer {2}{1}{1}", userEmail, '\x1', accessToken);
string token = Convert.ToBase64String(Encoding.ASCII.GetBytes(pattern));
// log in using OAuth 2.0
client.Login(token, SmtpAuthentication.OAuth20);
' create SMTP client instance and connect
' (same applies for Rebex.Net.Imap)
Dim client = New Rebex.Net.Smtp()
client.Connect("smtp.gmail.com", SslMode.Implicit)
' prepare token
Dim pattern = String.Format("user={0}{1}auth=Bearer {2}{1}{1}", userEmail, ChrW(1), accessToken)
Dim token = Convert.ToBase64String(Encoding.ASCII.GetBytes(pattern))
' log in using OAuth 2.0
client.Login(token, SmtpAuthentication.OAuth20)
For more information about Office365/Outlook.com
authentication token and its format, see
MSDN blog.
Client certificate authentication #
Client certificates are an optional way to authenticate the client to the server. This is only possible when connecting/authenticating to a TLS/SSL-capable server.
However, most servers still require authentication with a username and password even when client certificate authentication has taken place.
A certificate with an associated private key is needed for client authentication. Set Settings.SslClientCertificateRequestHandler property
to an implementation of certificate request handler that is called when the server asks for client certificate.
a) Use the built-in StoreSearch handler, that searches the user's certificate store for a first suitable certificate:
// create client instance (Rebex.Net.Smtp/Imap/Pop3/Ews)
// ...
// set a certificate request handler
client.Settings.SslClientCertificateRequestHandler = CertificateRequestHandler.StoreSearch;
// connect to the server
client.Connect(hostname, SslMode.Explicit);
// authenticate (still needed in many cases)
if (!client.IsAuthenticated)
client.Login(username, password);
' create client instance (Rebex.Net.Smtp/Imap/Pop3/Ews)
' ...
' set a certificate request handler
client.Settings.SslClientCertificateRequestHandler = CertificateRequestHandler.StoreSearch
' connect to the server
client.Connect(hostname, SslMode.Explicit)
' authenticate (still needed in many cases)
If Not client.IsAuthenticated Then
client.Login(username, password)
End If
b) Use the built-in PFX-based certificate request handler:
// create client instance (Rebex.Net.Smtp/Imap/Pop3/Ews)
// ...
// load a certificate chain from a .pfx/.p12 file
CertificateChain certificate = CertificateChain.LoadPfx(@"C:\MyData\MyCertificate.pfx", "password");
// set a certificate request handler
client.Settings.SslClientCertificateRequestHandler = CertificateRequestHandler.CreateRequestHandler(certificate);
// connect to the server
client.Connect(hostname, SslMode.Explicit);
// authenticate (still needed in many cases)
if (!client.IsAuthenticated)
client.Login(username, password);
' create client instance (Rebex.Net.Smtp/Imap/Pop3/Ews)
' ...
' load a certificate chain from a .pfx/.p12 file
Dim certificate As CertificateChain = CertificateChain.LoadPfx("C:\MyData\MyCertificate.pfx", "password")
' set a certificate request handler
client.Settings.SslClientCertificateRequestHandler = CertificateRequestHandler.CreateRequestHandler(certificate)
' connect to the server
client.Connect(hostname, SslMode.Explicit)
' authenticate (still needed in many cases)
If Not client.IsAuthenticated Then
client.Login(username, password)
End If
c) Write a custom handler, for example to load the certificate from a .pfx/.p12 file:
private class MyCertRequestHandler : ICertificateRequestHandler
{
// This method is called during TLS/SSL negotiation
// when the server requests client certificate authentication
public CertificateChain Request(TlsSocket socket, DistinguishedName[] issuers)
{
// provide a certificate loaded from a .pfx/.p12 file
return CertificateChain.LoadPfx(clientCertPath, clientCertPassword);
}
}
Private Class MyCertRequestHandler
Implements ICertificateRequestHandler
' This method is called during TLS/SSL negotiation
' when the server requests client certificate authentication
Public Function Request(socket As TlsSocket, issuers As DistinguishedName()) As CertificateChain Implements ICertificateRequestHandler.Request
' provide a certificate loaded from a .pfx/.p12 file
Return CertificateChain.LoadPfx(clientCertPath, clientCertPassword)
End Function
End Class
Don't forget to register the handler:
// create client instance (Rebex.Net.Smtp/Imap/Pop3/Ews)
// ...
// set a certificate request handler
client.Settings.SslClientCertificateRequestHandler = new MyCertRequestHandler();
// connect to the server
client.Connect(hostname, SslMode.Explicit);
// authenticate (still needed in many cases)
if (!client.IsAuthenticated)
client.Login(username, password);
' create client instance (Rebex.Net.Smtp/Imap/Pop3/Ews)
' ...
' set a certificate request handler
client.Settings.SslClientCertificateRequestHandler = New MyCertRequestHandler()
' connect to the server
client.Connect(hostname, SslMode.Explicit)
' authenticate (still needed in many cases)
If Not client.IsAuthenticated Then
client.Login(username, password)
End If
GSSAPI #
GSSAPI support in Rebex Secure Mail makes it possible to authenticate using
Kerberos,
NTLM or
Negotiate
authentication mechanisms, either in single sign-on mode or username/password(/domain)-based mode.
Note: GSSAPI is only supported on Windows platforms.
Single sign-on #
With single sign-on, the current user can authenticate without having to enter his password.
Single sign-on is only possible through NTLM or through GSSAPI with
Kerberos,
NTLM or
Negotiate
authentication mechanisms on servers that support them.
Additionally, both the client and server machines must be part of the same domain (or a domain trust has to be established).
Note: Single sign-on is only supported on Windows platforms.
Kerberos authentication #
Kerberos v5 is one of the supported GSSAPI authentication mechanisms.
GSSAPI/Kerberos in single sign-on mode:
// create client instance and connect (Rebex.Net.Smtp/Imap/Pop3/Ews)
// ...
// initialize GSSAPI for Kerberos single sign-on
GssApiProvider credentials = Rebex.Net.GssApiProvider.GetSspiProvider(
"Kerberos", null, null, null, null);
// log in using Kerberos single sign-on
client.Login(credentials);
' create client instance and connect (Rebex.Net.Smtp/Imap/Pop3/Ews)
' ...
' initialize GSSAPI for Kerberos single sign-on
Dim credentials As GssApiProvider = Rebex.Net.GssApiProvider.GetSspiProvider(
"Kerberos", Nothing, Nothing, Nothing, Nothing)
' log in using Kerberos single sign-on
client.Login(credentials)
GSSAPI/Kerberos with username/password/domain:
// create client instance and connect (Rebex.Net.Smtp/Imap/Pop3/Ews)
// ...
// initialize GSSAPI for Kerberos authentication
GssApiProvider credentials = Rebex.Net.GssApiProvider.GetSspiProvider(
"Kerberos", null, username, password, domain);
// log in using Kerberos
client.Login(credentials);
' create client instance and connect (Rebex.Net.Smtp/Imap/Pop3/Ews)
' ...
' initialize GSSAPI for Kerberos authentication
Dim credentials As GssApiProvider = Rebex.Net.GssApiProvider.GetSspiProvider(
"Kerberos", Nothing, username, password, domain)
' log in using Kerberos
client.Login(credentials)
Note: Kerberos is only supported on Windows platforms. However, it's possible to authenticate Windows-based clients to Unix-based servers using Kerberos.
NTLM authentication #
NTLM is one of the supported GSSAPI authentication mechanisms.
Alternatively, some servers support a stand-alone NTLM authentication.
GSSAPI/NTLM in single sign-on mode:
// create client instance and connect (Rebex.Net.Smtp/Imap/Pop3/Ews)
// ...
// initialize GSSAPI for NTLM single sign-on
GssApiProvider credentials = Rebex.Net.GssApiProvider.GetSspiProvider(
"Ntlm", null, null, null, null);
// log in using Kerberos single sign-on
client.Login(credentials);
' create client instance and connect (Rebex.Net.Smtp/Imap/Pop3/Ews)
' ...
' initialize GSSAPI for NTLM single sign-on
Dim credentials As GssApiProvider = Rebex.Net.GssApiProvider.GetSspiProvider(
"Ntlm", Nothing, Nothing, Nothing, Nothing)
' log in using Kerberos single sign-on
client.Login(credentials)
GSSAPI/NTLM with username/password/domain:
// create client instance and connect (Rebex.Net.Smtp/Imap/Pop3/Ews)
// ...
// initialize GSSAPI for NTLM authentication
GssApiProvider credentials = Rebex.Net.GssApiProvider.GetSspiProvider(
"Ntlm", null, username, password, domain);
// log in using Kerberos
client.Login(credentials);
' create client instance and connect (Rebex.Net.Smtp/Imap/Pop3/Ews)
' ...
' initialize GSSAPI for NTLM authentication
Dim credentials As GssApiProvider = Rebex.Net.GssApiProvider.GetSspiProvider(
"Ntlm", Nothing, username, password, domain)
' log in using Kerberos
client.Login(credentials)
(Standalone) NTLM with single sign-on:
// create SMTP client instance and connect
// (same applies for Rebex.Net.Imap/Pop3/Ews)
var client = new Rebex.Net.Smtp();
client.Connect(hostname, port);
// log in using NTLM single sign-on
client.Login(SmtpAuthentication.Ntlm);
' create SMTP client instance and connect
' (same applies for Rebex.Net.Imap/Pop3/Ews)
Dim client = New Rebex.Net.Smtp()
client.Connect(hostname, port)
' log in using NTLM single sign-on
client.Login(SmtpAuthentication.Ntlm)
(Standalone) NTLM with username/password:
// create SMTP client instance and connect
// (same applies for Rebex.Net.Imap/Pop3/Ews)
var client = new Rebex.Net.Smtp();
client.Connect(hostname, port);
// log in using NTLM
client.Login(username, password, SmtpAuthentication.Ntlm);
' create SMTP client instance and connect
' (same applies for Rebex.Net.Imap/Pop3/Ews)
Dim client = New Rebex.Net.Smtp()
client.Connect(hostname, port)
' log in using NTLM
client.Login(username, password, SmtpAuthentication.Ntlm)
Note: NTLM is only supported on Windows platforms.
Negotiate authentication #
Negotiate is one of the supported GSSAPI authentication mechanisms.
GSSAPI/Negotiate in single sign-on mode:
// create client instance and connect (Rebex.Net.Smtp/Imap/Pop3/Ews)
// ...
// initialize GSSAPI for Negotiate single sign-on
GssApiProvider credentials = Rebex.Net.GssApiProvider.GetSspiProvider(
"Negotiate", null, null, null, null);
// log in using Kerberos single sign-on
client.Login(credentials);
' create client instance and connect (Rebex.Net.Smtp/Imap/Pop3/Ews)
' ...
' initialize GSSAPI for Negotiate single sign-on
Dim credentials As GssApiProvider = Rebex.Net.GssApiProvider.GetSspiProvider(
"Negotiate", Nothing, Nothing, Nothing, Nothing)
' log in using Kerberos single sign-on
client.Login(credentials)
GSSAPI/Negotiate with username/password/domain:
// create client instance and connect (Rebex.Net.Smtp/Imap/Pop3/Ews)
// ...
// initialize GSSAPI for Negotiate authentication
GssApiProvider credentials = Rebex.Net.GssApiProvider.GetSspiProvider(
"Negotiate", null, username, password, domain);
// log in using Kerberos
client.Login(credentials);
' create client instance and connect (Rebex.Net.Smtp/Imap/Pop3/Ews)
' ...
' initialize GSSAPI for Negotiate authentication
Dim credentials As GssApiProvider = Rebex.Net.GssApiProvider.GetSspiProvider(
"Negotiate", Nothing, username, password, domain)
' log in using Kerberos
client.Login(credentials)
GSSAPI/Negotiate authentication mechanism automaticlly chooses whether to use
Kerberos or
NTLM.
Note: Negotiate is only supported on Windows platforms.