How to connect to authenticated SMTP server using OpenSSL in C language - c

I want to connect to an SMTP server in an authenticated way using a username and password.
How do I create a connection to the SMTP server and send SMTP commands for sending mail using OpenSSL in C?
Also, for this communication, is it mandatory that the client shows a certificate?
I have tried connecting to the server using normal socket programming, but after sending the EHLO command, AUTH LOGIN is not present in the capability list sent by the server, so I am not able to perform authentication using username and password.
So how do I connect using OpenSSL so that authentication can be performed before sending the SMTP commands?
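The capability check and the AUTH encoding behind the question, as an added example that is not part of the original post and not taken from any project. Servers that require TLS before authentication only add AUTH to the EHLO reply once the session has been upgraded, so the client has to: send EHLO, confirm STARTTLS is offered, send STARTTLS and wait for the 220 reply, call SSL_connect() on the existing socket, send EHLO again through SSL_write()/SSL_read(), and only then choose an AUTH mechanism (on port 465, implicit TLS, the handshake comes first and there is a single EHLO). The socket and OpenSSL handshake calls are left out so the block runs offline; the two server replies are constructed, the hostnames and credentials are placeholders, and the server is assumed to authenticate itself with its own certificate only, with no client certificate requested, which is the usual submission setup.

```c
#include <stdio.h>
#include <string.h>
/* Constructed EHLO replies (not from a real server) so the example runs offline.
   Before STARTTLS the server hides AUTH, which is the symptom in the question. */
const char *const EHLO_BEFORE_TLS =
    "250-mail.example.com\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n";
/* After SSL_connect() and a second EHLO sent through SSL_write(), AUTH appears. */
const char *const EHLO_AFTER_TLS =
    "250-mail.example.com\r\n250-SIZE 35882577\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n";

/* Returns 1 if the EHLO reply advertises `keyword` (upper case, as servers send it).
   as_auth_mech == 0 looks for an extension line ("250-STARTTLS"); as_auth_mech == 1 looks
   for a mechanism on the AUTH line, accepting "250-AUTH PLAIN LOGIN" and "250-AUTH=PLAIN". */
int ehlo_advertises(const char *reply, const char *keyword, int as_auth_mech)
{
    const char *line = reply;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (len && buf[len - 1] == '\r') buf[len - 1] = '\0';
        if (strncmp(buf, "250", 3) == 0 && (buf[3] == '-' || buf[3] == ' ')) {
            int first = 1, on_auth_line = 0;
            for (char *p = buf + 4; *p; first = 0) {       /* tokenize after "250-" */
                while (*p == ' ' || *p == '=') p++;
                if (!*p) break;
                char *tok = p;
                while (*p && *p != ' ' && *p != '=') p++;
                if (*p) *p++ = '\0';
                if (first && !as_auth_mech && strcmp(tok, keyword) == 0) return 1;
                if (first) on_auth_line = strcmp(tok, "AUTH") == 0;
                else if (as_auth_mech && on_auth_line && strcmp(tok, keyword) == 0) return 1;
            }
        }
        if (!eol) break;
        line = eol + 1;
    }
    return 0;
}

static const char B64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* RFC 4648 base64 with '=' padding; returns chars written, 0 if `out` is too small. */
size_t b64_encode(const unsigned char *in, size_t n, char *out, size_t outsz)
{
    size_t i, o = 0;
    if (outsz < ((n + 2) / 3) * 4 + 1) return 0;
    for (i = 0; i < n; i += 3) {                 /* each group of up to 3 bytes -> 4 chars */
        size_t rem = n - i;
        unsigned v = (unsigned)in[i] << 16;
        if (rem > 1) v |= (unsigned)in[i + 1] << 8;
        if (rem > 2) v |= in[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = rem > 1 ? B64[(v >> 6) & 63] : '=';
        out[o++] = rem > 2 ? B64[v & 63] : '=';
    }
    out[o] = '\0';
    return o;
}

/* AUTH PLAIN (RFC 4616): one command line carrying base64("\0" user "\0" password). For AUTH
   LOGIN the client instead answers the server's two "334 ..." prompts with b64_encode(user)
   and b64_encode(password), each followed by CRLF. */
char *auth_plain_line(const char *user, const char *pass, char *out, size_t outsz)
{
    unsigned char raw[256];
    char b64[352];
    size_t ul = strlen(user), pl = strlen(pass);
    if (ul + pl + 2 > sizeof raw) return NULL;
    raw[0] = 0; memcpy(raw + 1, user, ul);
    raw[ul + 1] = 0; memcpy(raw + ul + 2, pass, pl);
    if (!b64_encode(raw, ul + pl + 2, b64, sizeof b64)) return NULL;
    if (snprintf(out, outsz, "AUTH PLAIN %s\r\n", b64) >= (int)outsz) return NULL;
    return out;
}

/* The client's decision after each EHLO: credentials never go out before TLS is up. */
const char *next_step(const char *ehlo_reply, int tls_active)
{
    if (!tls_active)
        return ehlo_advertises(ehlo_reply, "STARTTLS", 0)
               ? "STARTTLS" : "ABORT: no STARTTLS offered, refusing to authenticate in clear";
    if (ehlo_advertises(ehlo_reply, "PLAIN", 1)) return "AUTH PLAIN";
    if (ehlo_advertises(ehlo_reply, "LOGIN", 1)) return "AUTH LOGIN";
    return "ABORT: no usable AUTH mechanism after STARTTLS";
}

int main(void)
{
    char line[512];   /* "alice"/"s3cret" below are placeholder credentials */
    printf("C: EHLO client.example.org\nS: %sC: %s\n", EHLO_BEFORE_TLS, next_step(EHLO_BEFORE_TLS, 0));
    /* ... server answers 220, client calls SSL_connect() on the socket, then EHLO again ... */
    printf("C: EHLO client.example.org\nS: %sC: %s\n", EHLO_AFTER_TLS, next_step(EHLO_AFTER_TLS, 1));
    printf("C: %s", auth_plain_line("alice", "s3cret", line, sizeof line));
    return 0;
}
```

The failure mode to avoid is falling back to plaintext when AUTH is missing: next_step() aborts rather than sending AUTH on the unencrypted session, and with a real server the 235 reply to the final base64 line is what confirms authentication before MAIL FROM. Since the base64 here is only an encoding, AUTH PLAIN and AUTH LOGIN are exactly as secure as the TLS session they run inside.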

Related

SQL Server Database Mail with "Modern" authentication to connect to Microsoft 365 / Exchange

In Database Mail, I find this statement:
Database Mail is an enterprise solution for sending e-mail messages from the SQL Server Database Engine or Azure SQL Managed Instance. Your applications can send e-mail messages to users using Database Mail via an external SMTP server.
As I've been using Database Mail for over ten years, this is good to read.
However, apparently Database Mail uses the .NET SmtpClient class, which has not been kept up-to-date and even recommends "MailKit".
In Exchange Online / Deprecation of Basic Authentication, I find the following phrase:
SMTP AUTH will still be available when Basic authentication is permanently disabled on October 1, 2022.
So the obvious question is whether SQL Database Mail with SmtpClient uses "SMTP AUTH" and therefore can still connect to Exchange without an SMTP relay.
Or if a relay is needed, would the built-in Windows Server SMTP relay be able to "upgrade" the credential exchange when connecting off-site?
We have Database Mail configured using an outlook.com account, so there are definitely cases where Database Mail can send to a Microsoft-controlled email server using SMTP.
Bottom line, do we need to know anything other than that SMTP AUTH is still available?

How to securely connect to localhost websocket server

I'm developing a WebSocket backend server in C using libssl and want to test how it works. I have a remote server and domain with a certificate already set up (HTTPS works on a website).
The server binary is built locally and I want to test it by opening the abstract page in the browser that contains the JS for it. The point is that I've created a self-signed certificate but I still cannot connect; OpenSSL says it is a bad certificate. I'm using the latest Firefox dev. The server itself is not reaching the WebSocket establishment point and is failing in the SSL accept function.
If you have admin privileges on the POS terminals, how about adding a line to the HOSTS file like:
127.0.0.1 localhost.mycompany.com
Now you can use a real certificate for localhost.mycompany.com in the server application.

SSO handshake with Active directory

I've done a small TCP/IP server which acts quite like an FTP server.
On the client side, I'm using an API to connect and to exchange data with the server.
This server will be in an Active Directory ecosystem, and so will the client.
What kind of API should I use to implement SSO/AD authentication on my server?
(Everything is written in C)
I've seen that SQL Server is doing this through the "Trusted connection" term. Perhaps that is a simpler way to do things?
Should I go for an SSPI exchange loop?
Yes, you need to init a security context from the client and accept that context on the server, looping until the security context has been established. If you are concerned about your privacy, you can encrypt the entire traffic with Kerberos.

Google federation and server to server encryption

I am trying to set up an XMPP server, such that users of my service can communicate with XMPP users of other services. I have two requirements:
1) Users of other services must still be able to use whatever client and chat service they are currently using, such as the gmail web client, to talk to my clients.
2) The communication must be encrypted when sent between client and server and between server and server. (The latter is more difficult.)
I set up an XMPP server and federated with gmail, and found that the server-to-server communication was not encrypted. I next federated my XMPP server with jabber.org, and the connection from my server to jabber.org was encrypted, giving me confidence that my server configuration was correct. Is there any way to encrypt the communication between my XMPP server and Google's? Are there any XMPP servers that support TLS with Google? Presuming this is not currently supported by Google, are there plans to add TLS on server-to-server communications in the future? When is it expected?
In lieu of encrypted server-to-server communications, are there other possibilities (given the above requirements)? Would a Google App Engine application have encrypted communication between the gmail server and my Google App Engine app and also satisfy the first requirement?
For the server-to-server communication, you can use AES to encrypt all the communication, and for the password, you can send it with RSA. If you are using Python you can use pycrypto, although to test it on the development server you have to install that library.
About the client and server communication, I'm not sure if you can use the same encryption.

SQL Server 2005: How Secure is SQL Server Authentication?

If you use SQL Server Authentication (2005), are the login details sent in clear text over the wire?
As secure as you want to make it...
You can configure SSL fairly easily, and if you don't have a trusted cert and you force encryption, SQL Server can create/issue its own self-signed cert for your use... from this write-up:
Credentials (in the login packet) that are transmitted when a client application connects to SQL Server are always encrypted. SQL Server will use a certificate from a trusted certification authority if available. If a trusted certificate is not installed, SQL Server will generate a self-signed certificate when the instance is started, and use the self-signed certificate to encrypt the credentials. This self-signed certificate helps increase security but it does not provide protection against identity spoofing by the server. If the self-signed certificate is used, and the value of the ForceEncryption option is set to Yes, all data transmitted across a network between SQL Server and the client application will be encrypted using the self-signed certificate.
Whether or not the login credentials are encrypted depends on the encryption capability/configuration of the client and server.
At the protocol level, completely unencrypted SQL logins are allowed, though my guess is that these are rare because I suspect most modern database drivers do not support them.
Details
Clients communicate with Microsoft SQL Server using the Tabular Data Stream (TDS) protocol.
Shortly after a client opens a TDS connection to the server, it informs the server of its encryption capability. The server compares this announcement with its own configuration/capability to determine the encryption state for the connection.
In a nutshell, the encryption state is determined as follows:
If client or server announces that they do not support encryption and the other side does not require encryption, the entire connection—including login—will be unencrypted.
If both client and server announce that they support encryption but do not require it, just the first TDS packet of the login request will be encrypted. The remainder of the connection, including any additional login request packets, will be unencrypted. A properly-designed database driver will ensure that the SQL authentication password is placed in first login packet, but this isn't required at the protocol level.
If either client or server announces that they require encryption, the entire connection will be encrypted (except for a small amount of preliminary data) unless the other side does not support encryption. In that case, the connection will be terminated.
The only way to ensure that login requests are always encrypted is to set the 'require encryption' option on either client or server. There’s no option to disallow completely unencrypted connections without requiring full encryption.
Regardless of whether or not the login or connection is encrypted, the SQL authentication password is always obfuscated but the scrambling is easily reversible.
Further Reading:
Technical details on connection encryption states - MS-TDS 2.2.6.5 PRELOGIN (under heading Encryption)
Password obfuscation formula - MS-TDS 2.2.6.4 LOGIN7 (see last paragraph)
Slightly more in-depth write-up on the topic - SQL Passwords: Encrypted Between Client and Server? (disclaimer: this is a post on my blog)
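The "easily reversible" scrambling the answer above refers to, as an added example that is not from the original thread and not Microsoft's code: it implements the LOGIN7 password transform as MS-TDS 2.2.6.4 describes it (for every byte of the UTF-16LE password, swap the high and low nibbles, then XOR with 0xA5) together with its inverse, which is all that stands between a capture of an unencrypted login and the password itself. The password "P@ss" is a constructed sample, and the capture heuristic at the end is an addition of mine that follows from the high byte of every ASCII code unit scrambling to 0xA5.

```c
#include <stdio.h>
#include <string.h>

/* One byte of the LOGIN7 password transform (MS-TDS 2.2.6.4): swap the two nibbles,
   then XOR with 0xA5. Applied to every byte of the UTF-16LE password in the login packet. */
unsigned char tds_scramble_byte(unsigned char b)
{
    unsigned char swapped = (unsigned char)(((b & 0x0F) << 4) | (b >> 4));
    return (unsigned char)(swapped ^ 0xA5);
}

/* Exact inverse: undo the XOR, then swap the nibbles back. No key is involved. */
unsigned char tds_unscramble_byte(unsigned char b)
{
    unsigned char x = (unsigned char)(b ^ 0xA5);
    return (unsigned char)(((x & 0x0F) << 4) | (x >> 4));
}

/* Encode an ASCII password as UTF-16LE (the form LOGIN7 carries) and scramble it.
   Returns the number of bytes written to `out`, two per character, or 0 if it does not fit. */
size_t tds_scramble_password(const char *ascii, unsigned char *out, size_t outsz)
{
    size_t n = strlen(ascii), i;
    if (outsz < 2 * n) return 0;
    for (i = 0; i < n; i++) {
        out[2 * i]     = tds_scramble_byte((unsigned char)ascii[i]);
        out[2 * i + 1] = tds_scramble_byte(0x00);   /* high byte of an ASCII code unit */
    }
    return 2 * n;
}

/* What anyone holding a capture of an unencrypted login does: reverse the transform and
   read the password. Returns the recovered string; non-ASCII code units become '?'. */
char *tds_recover_password(const unsigned char *scrambled, size_t n, char *out, size_t outsz)
{
    size_t i, o = 0;
    if (n % 2 || outsz < n / 2 + 1) return NULL;
    for (i = 0; i < n; i += 2) {
        unsigned char lo = tds_unscramble_byte(scrambled[i]);
        unsigned char hi = tds_unscramble_byte(scrambled[i + 1]);
        out[o++] = (hi == 0 && lo < 0x80) ? (char)lo : '?';
    }
    out[o] = '\0';
    return out;
}

/* Capture heuristic (my addition, not from the spec): for an ASCII password every odd
   byte of the scrambled field is tds_scramble_byte(0x00) == 0xA5. */
int tds_looks_like_scrambled_ascii(const unsigned char *buf, size_t n)
{
    size_t i;
    if (n < 2 || n % 2) return 0;
    for (i = 1; i < n; i += 2)
        if (buf[i] != 0xA5) return 0;
    return 1;
}

int main(void)
{
    unsigned char wire[64];
    char recovered[33];
    size_t i, n = tds_scramble_password("P@ss", wire, sizeof wire);   /* constructed sample */
    printf("on the wire:");
    for (i = 0; i < n; i++) printf(" %02X", wire[i]);
    printf("\nrecovered  : %s\n", tds_recover_password(wire, n, recovered, sizeof recovered));
    return 0;
}
```

Because the transformed bytes no longer look like text, the ASCII pane of a packet capture does not show the password, but running the field through tds_recover_password() gives it back immediately; only the encryption states described in the answer actually protect it.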
The credentials are sent in clear text.
You can probably find a number of sources for this, but here's one:
"Secure the channel between the Web server and database server because credentials are passed in an unencrypted format. For example, use SSL or IPSec."
Here's a link to some security best practices for SQL 2005. That doc states in part:
In Windows Authentication mode, specific Windows user and group accounts are trusted to log in to SQL Server. Windows credentials are used in the process; that is, either NTLM or Kerberos credentials. Windows accounts use a series of encrypted messages to authenticate to SQL Server; no passwords are passed across the network during the authentication process. When SQL logins are used, SQL login passwords are passed across the network for authentication. This makes SQL logins less secure than Windows logins.
Reading this thread made me even more confused than I was!
Anyway, I did some tests with Wireshark; with or without an encrypted connection I was never able to see my password (and my user name, I think). What was very visible without encryption was the actual queries.
Perhaps it is my lack of knowledge of Wireshark to retrieve the login credentials, but since I was able to see everything else, I'm pretty sure I was looking at the right spot and the password was ALWAYS hidden.
Apart from the fact that passwords are sent in clear text, it is also possible to replace the hash of the password.
