More .NET libraries
-
Rebex Mail Pack
IMAP, MS Graph, EWS, POP3, SMTP, MIME, S/MIME, MSG
-
Rebex Total Pack
All Rebex .NET libraries together
Back to feature list...
Authentication modes
On this page:
Username and password
Password-based authentication is simple:
// create client instance and connect // ... // log in client.Login(username, password);
' create client instance and connect ' ... ' log in client.Login(username, password)
CRAM-MD5 authentication
Some servers support CRAM-MD5 authentication mechanism. When communicating over an unencrypted channel, this is more secure than plain-text password authentication.
// create client instance and connect // ... // log in using CRAM-MD5 client.Login(username, password, Pop3Authentication.CramMD5);
' create POP3 client instance and connect Dim client = New Rebex.Net.Pop3() client.Connect(hostname, port) ' log in using CRAM-MD5 client.Login(username, password, Pop3Authentication.CramMD5)
DIGEST-MD5 authentication
Some servers support DIGEST-MD5 authentication mechanism. When communicating over an unencrypted channel, this is more secure than plain-text password authentication.
// create client instance and connect // ... // log in using DIGEST-MD5 client.Login(username, password, Pop3Authentication.DigestMD5);
' create POP3 client instance and connect Dim client = New Rebex.Net.Pop3() client.Connect(hostname, port) ' log in using DIGEST-MD5 client.Login(username, password, Pop3Authentication.DigestMD5)
APOP authentication
Some POP3 servers support APOP authentication mechanism. When communicating over an unencrypted channel, this is more secure than plain-text password authentication.
// create POP3 client instance and connect var client = new Rebex.Net.Pop3(); client.Connect(hostname); // log in using APOP client.Login(username, password, Pop3Authentication.APop);
' create POP3 client instance and connect ' ... ' log in using APOP client.Login(username, password, Pop3Authentication.APop)
OAuth 2.0 authentication
Most cloud-based POP3 servers (such as Gmail or Microsoft 365 / Outlook Online) support OAuth 2.0 authentication mechanism.
To log in using OAuth, an application (or its user) authenticates via the service provider's authentication server and receives an access token. Then it connects to the POP3 server and authenticates using the obtained token:
// create client instance and connect // ... // authenticate using OAuth 2.0 access token client.Login(userEmail, accessToken, Pop3Authentication.OAuth20);
' connect to a server Dim client = New Rebex.Net.Pop3() client.Connect("smtp.gmail.com", SslMode.Implicit) ' authenticate using OAuth 2.0 access token client.Login(userEmail, accessToken, Pop3Authentication.OAuth20)
The process of obtaining the access token is slightly different for each provider and application type. For details, see the following articles:
- Gmail: How to authenticate with Rebex Mail using OAuth 2.0
- Office 365: How to register your app (for apps with signed-in users)
- Office 365: How to use OAuth 2.0 with Rebex Mail (for apps with signed-in users)
- Office 365 and IMAP/POP3 in unattended (app-only) mode (for services and daemons)
Client certificate authentication
Client certificates are an optional way to authenticate the client to the server. This is only possible when connecting/authenticating to a TLS/SSL-capable server. However, most servers still require authentication with a username and password even when client certificate authentication has taken place.
A certificate with an associated private key is needed for client authentication. Set Settings.SslClientCertificateRequestHandler
property
to an implementation of certificate request handler that is called when the server asks for client certificate.
a) Use the built-in StoreSearch
handler, that searches the user's certificate store for a first suitable certificate:
// create client instance // ... // set a certificate request handler client.Settings.SslClientCertificateRequestHandler = CertificateRequestHandler.StoreSearch; // connect to the server client.Connect(hostname, SslMode.Explicit); // authenticate (still needed in many cases) if (!client.IsAuthenticated) client.Login(username, password);
' create client instance ' ... ' set a certificate request handler client.Settings.SslClientCertificateRequestHandler = CertificateRequestHandler.StoreSearch ' connect to the server client.Connect(hostname, SslMode.Explicit) ' authenticate (still needed in many cases) If Not client.IsAuthenticated Then client.Login(username, password) End If
b) Use the built-in PFX-based certificate request handler:
// create client instance // ... // load a certificate chain from a .pfx/.p12 file CertificateChain certificate = CertificateChain.LoadPfx(@"C:\MyData\MyCertificate.pfx", "password"); // set a certificate request handler client.Settings.SslClientCertificateRequestHandler = CertificateRequestHandler.CreateRequestHandler(certificate); // connect to the server client.Connect(hostname, SslMode.Explicit); // authenticate (still needed in many cases) if (!client.IsAuthenticated) client.Login(username, password);
' create client instance ' ... ' load a certificate chain from a .pfx/.p12 file Dim certificate As CertificateChain = CertificateChain.LoadPfx("C:\MyData\MyCertificate.pfx", "password") ' set a certificate request handler client.Settings.SslClientCertificateRequestHandler = CertificateRequestHandler.CreateRequestHandler(certificate) ' connect to the server client.Connect(hostname, SslMode.Explicit) ' authenticate (still needed in many cases) If Not client.IsAuthenticated Then client.Login(username, password) End If
c) Write a custom handler, for example to load the certificate from a .pfx/.p12 file:
private class MyCertRequestHandler : ICertificateRequestHandler { // This method is called during TLS/SSL negotiation // when the server requests client certificate authentication public CertificateChain Request(TlsSocket socket, DistinguishedName[] issuers) { // provide a certificate loaded from a .pfx/.p12 file return CertificateChain.LoadPfx(clientCertPath, clientCertPassword); } }
Private Class MyCertRequestHandler Implements ICertificateRequestHandler ' This method is called during TLS/SSL negotiation ' when the server requests client certificate authentication Public Function Request(socket As TlsSocket, issuers As DistinguishedName()) As CertificateChain Implements ICertificateRequestHandler.Request ' provide a certificate loaded from a .pfx/.p12 file Return CertificateChain.LoadPfx(clientCertPath, clientCertPassword) End Function End Class
Don't forget to register the handler:
// create client instance // ... // set a certificate request handler client.Settings.SslClientCertificateRequestHandler = new MyCertRequestHandler(); // connect to the server client.Connect(hostname, SslMode.Explicit); // authenticate (still needed in many cases) if (!client.IsAuthenticated) client.Login(username, password);
' create client instance ' ... ' set a certificate request handler client.Settings.SslClientCertificateRequestHandler = New MyCertRequestHandler() ' connect to the server client.Connect(hostname, SslMode.Explicit) ' authenticate (still needed in many cases) If Not client.IsAuthenticated Then client.Login(username, password) End If
GSSAPI
GSSAPI support in Rebex POP3 makes it possible to authenticate using Kerberos, NTLM or Negotiate authentication mechanisms, either in single sign-on mode or username/password(/domain)-based mode.
Note: GSSAPI is only supported on Windows platforms.
Single sign-on
With single sign-on, the current user can authenticate without having to enter his password. Single sign-on is only possible through NTLM or through GSSAPI with Kerberos, NTLM or Negotiate authentication mechanisms on servers that support them. Additionally, both the client and server machines might have to be part of the same domain (or a domain trust has to be established).
Note: Single sign-on is only supported on Windows platforms.
Kerberos authentication
In POP3, Kerberos v5 is one of the supported GSSAPI authentication mechanisms.
GSSAPI/Kerberos in single sign-on mode:
// create client instance and connect // ... // initialize GSSAPI for Kerberos single sign-on GssApiProvider credentials = Rebex.Net.GssApiProvider.GetSspiProvider( "Kerberos", null, null, null, null); // log in using Kerberos single sign-on client.Login(credentials);
' create client instance and connect ' ... ' initialize GSSAPI for Kerberos single sign-on Dim credentials As GssApiProvider = Rebex.Net.GssApiProvider.GetSspiProvider( "Kerberos", Nothing, Nothing, Nothing, Nothing) ' log in using Kerberos single sign-on client.Login(credentials)
GSSAPI/Kerberos with username/password/domain:
// create client instance and connect // ... // initialize GSSAPI for Kerberos authentication GssApiProvider credentials = Rebex.Net.GssApiProvider.GetSspiProvider( "Kerberos", null, username, password, domain); // log in using Kerberos client.Login(credentials);
' create client instance and connect ' ... ' initialize GSSAPI for Kerberos authentication Dim credentials As GssApiProvider = Rebex.Net.GssApiProvider.GetSspiProvider( "Kerberos", Nothing, username, password, domain) ' log in using Kerberos client.Login(credentials)
Note: Kerberos is only supported on Windows platforms. However, it's possible to authenticate Windows-based clients to Unix-based servers using Kerberos.
NTLM authentication
In POP3, NTLM is one of the supported GSSAPI authentication mechanisms.
GSSAPI/NTLM in single sign-on mode:
// create client instance and connect // ... // initialize GSSAPI for NTLM single sign-on GssApiProvider credentials = Rebex.Net.GssApiProvider.GetSspiProvider( "Ntlm", null, null, null, null); // log in using Kerberos single sign-on client.Login(credentials);
' create client instance and connect ' ... ' initialize GSSAPI for NTLM single sign-on Dim credentials As GssApiProvider = Rebex.Net.GssApiProvider.GetSspiProvider( "Ntlm", Nothing, Nothing, Nothing, Nothing) ' log in using Kerberos single sign-on client.Login(credentials)
GSSAPI/NTLM with username/password/domain:
// create client instance and connect // ... // initialize GSSAPI for NTLM authentication GssApiProvider credentials = Rebex.Net.GssApiProvider.GetSspiProvider( "Ntlm", null, username, password, domain); // log in using Kerberos client.Login(credentials);
' create client instance and connect ' ... ' initialize GSSAPI for NTLM authentication Dim credentials As GssApiProvider = Rebex.Net.GssApiProvider.GetSspiProvider( "Ntlm", Nothing, username, password, domain) ' log in using Kerberos client.Login(credentials)
Alternatively, some servers support a stand-alone NTLM authentication.
(Standalone) NTLM with single sign-on:
// create client instance and connect // ... // log in using NTLM single sign-on client.Login(Pop3Authentication.Ntlm);
' create POP3 client instance and connect Dim client = New Rebex.Net.Pop3() client.Connect(hostname, port) ' log in using NTLM single sign-on client.Login(Pop3Authentication.Ntlm)
(Standalone) NTLM with username/password:
// create client instance and connect // ... // log in using NTLM client.Login(username, password, Pop3Authentication.Ntlm);
' create POP3 client instance and connect Dim client = New Rebex.Net.Pop3() client.Connect(hostname, port) ' log in using NTLM client.Login(username, password, Pop3Authentication.Ntlm)
Note: On non-Windows platforms (Linux, Android, macOS, iOS), NTLM is only available with NTLM plugin.
Negotiate authentication
In POP3, Negotiate is one of the supported GSSAPI authentication mechanisms.
GSSAPI/Negotiate in single sign-on mode:
// create client instance and connect // ... // initialize GSSAPI for Negotiate single sign-on GssApiProvider credentials = Rebex.Net.GssApiProvider.GetSspiProvider( "Negotiate", null, null, null, null); // log in using Kerberos single sign-on client.Login(credentials);
' create client instance and connect ' ... ' initialize GSSAPI for Negotiate single sign-on Dim credentials As GssApiProvider = Rebex.Net.GssApiProvider.GetSspiProvider( "Negotiate", Nothing, Nothing, Nothing, Nothing) ' log in using Kerberos single sign-on client.Login(credentials)
GSSAPI/Negotiate with username/password/domain:
// create client instance and connect // ... // initialize GSSAPI for Negotiate authentication GssApiProvider credentials = Rebex.Net.GssApiProvider.GetSspiProvider( "Negotiate", null, username, password, domain); // log in using Kerberos client.Login(credentials);
' create client instance and connect ' ... ' initialize GSSAPI for Negotiate authentication Dim credentials As GssApiProvider = Rebex.Net.GssApiProvider.GetSspiProvider( "Negotiate", Nothing, username, password, domain) ' log in using Kerberos client.Login(credentials)
Note: Negotiate is only supported on Windows platforms.
Back to feature list...