Update documentation for the addition of SCRAM-*-PLUS SASL mechanisms

stephanbosch · cmouse · commit eb4f37aabed8 · 2025-01-17T19:45:15.000+02:00
diff --git a/docs/core/config/auth/mechanisms/overview.md b/docs/core/config/auth/mechanisms/overview.md
@@ -49,8 +49,10 @@ all, because they only support verifying a known cleartext password.
 | --------- | ------- |
 | CRAM-MD5 | Protects the password in transit against eavesdroppers. Somewhat good support in clients.|
 | [[link,auth_digest_md5]] | Somewhat stronger cryptographically than CRAM-MD5, but clients rarely support it. |
-| SCRAM-SHA-1 | Salted Challenge Response Authentication Mechanism (SCRAM) SAS and GSS-API Mechanisms. Intended as DIGEST-MD5 replacement. |
+| SCRAM-SHA-1 | Salted Challenge Response Authentication Mechanism (SCRAM) SAS and GSS-API Mechanisms. Intended as DIGEST-MD5 replacement. [[rfc,5802]] |
+| SCRAM-SHA-1-PLUS| SCRAM-SHA-1 with channel binding support [[rfc,5802]]. |
 | SCRAM-SHA-256 | Stronger replacement for SCRAM-SHA-1 [[rfc,7677]]. |
+| SCRAM-SHA-256-PLUS| SCRAM-SHA-256 with channel binding support [[rfc,7677]]. |
 | APOP | This is a POP3-specific authentication. Similar to CRAM-MD5, but requires storing password in cleartext. |
 | [[link,auth_gssapi,GSS-SPNEGO]] | A wrapper mechanism defined by [[rfc,4178]]. Can be accessed via GSSAPI. |
 | [[link,auth_gssapi]] | Kerberos v5 support. |
diff --git a/docs/core/config/auth/schemes.md b/docs/core/config/auth/schemes.md
@@ -149,7 +149,7 @@ different schemes for a single user.
 | --------- | ------- |
 | CRAM-MD5 | Used with CRAM-MD5 mechanism. |
 | [[link,auth_digest_md5]] | Used with DIGEST-MD5 mechanism. The username is included in the hash, so it's not possible to use the hash for different usernames. |
-| SCRAM-SHA-1 | Used with SCRAM-SHA-1 mechanism.<br />[[added,auth_mechanism_scram_sha_added]] |
+| SCRAM-SHA-1 | Used with SCRAM-SHA-1 and SCRAM-SHA-1-PLUS mechanisms.<br />[[added,auth_mechanism_scram_sha_added]] |
 | SCRAM-SHA-256 | Stronger replacement for SCRAM-SHA-1.<br />[[added,auth_mechanism_scram_sha_added]] |
 
 ## Other Supported Password Schemes
diff --git a/docs/core/rfc.md b/docs/core/rfc.md
@@ -28,10 +28,12 @@ This is a non-exhaustive list of RFCs that Dovecot implements/supports.
 - Using TLS with IMAP, POP3 and ACAP ([[rfc,2595]])
 - Using Digest Authentication as a SASL Mechanism (DIGEST-MD5) ([[rfc,2831]])
 - Salted Challenge Response Authentication Mechanism (SCRAM) ([[rfc,5802]])
+- SCRAM-SHA-256 and SCRAM-SHA-256-PLUS Simple Authentication and Security Layer (SASL) Mechanisms ([[rfc,7677]])
 - GSS-API (Kerberos V5) SASL Mechanism ([[rfc,4752]])
 - A Set of Simple Authentication and Security Layer (SASL) Mechanisms for
   OAuth ([[rfc,7628]])
 - [Google XOAUTH2 Protocol](https://developers.google.com/gmail/xoauth2_protocol)
+- Channel Bindings for TLS 1.3 ([[rfc,9266]])
 
 ## POP3
 
