SmtpAuthMechanism uses ConstantsTrait
SMTP SASL authentication mechanisms (RFC 4954 and the SASL registry).
These are the tokens advertised after 250-AUTH in the EHLO response and
passed to the AUTH command, e.g. AUTH LOGIN, AUTH XOAUTH2.
SmtpAuthMechanism::requiresTls( SmtpAuthMechanism::PLAIN ) ; // true
SmtpAuthMechanism::requiresTls( SmtpAuthMechanism::CRAM_MD5 ) ; // false
Tags
Table of Contents
Constants
- CRAM_MD5 : string = 'CRAM-MD5'
- `CRAM-MD5` — Challenge-response HMAC-MD5; the password is never sent (RFC 2195).
- DIGEST_MD5 : string = 'DIGEST-MD5'
- `DIGEST-MD5` — Challenge-response digest authentication (RFC 2831, deprecated).
- EXTERNAL : string = 'EXTERNAL'
- `EXTERNAL` — Authentication derived from an external channel, e.g. a TLS client certificate (RFC 4422).
- GSSAPI : string = 'GSSAPI'
- `GSSAPI` — Kerberos v5 / GSS-API authentication (RFC 4752).
- LOGIN : string = 'LOGIN'
- `LOGIN` — Base64 username/password exchange; credentials sent in the clear.
- NTLM : string = 'NTLM'
- `NTLM` — Microsoft NTLM / SPNEGO authentication.
- OAUTHBEARER : string = 'OAUTHBEARER'
- `OAUTHBEARER` — OAuth 2.0 bearer-token authentication (RFC 7628).
- PLAIN : string = 'PLAIN'
- `PLAIN` — Base64 authzid/authcid/password; credentials sent in the clear (RFC 4616).
- SCRAM_SHA_1 : string = 'SCRAM-SHA-1'
- `SCRAM-SHA-1` — Salted challenge-response (RFC 5802).
- SCRAM_SHA_256 : string = 'SCRAM-SHA-256'
- `SCRAM-SHA-256` — Salted challenge-response with SHA-256 (RFC 7677).
- XOAUTH2 : string = 'XOAUTH2'
- `XOAUTH2` — Google/Microsoft OAuth 2.0 bearer-token mechanism (de-facto).
Methods
- requiresTls() : bool
- Whether the mechanism MUST run over TLS because it exposes a reusable secret on the wire.
Constants
CRAM_MD5
`CRAM-MD5` — Challenge-response HMAC-MD5; the password is never sent (RFC 2195).
public
string
CRAM_MD5
= 'CRAM-MD5'
DIGEST_MD5
`DIGEST-MD5` — Challenge-response digest authentication (RFC 2831, deprecated).
public
string
DIGEST_MD5
= 'DIGEST-MD5'
EXTERNAL
`EXTERNAL` — Authentication derived from an external channel, e.g. a TLS client certificate (RFC 4422).
public
string
EXTERNAL
= 'EXTERNAL'
GSSAPI
`GSSAPI` — Kerberos v5 / GSS-API authentication (RFC 4752).
public
string
GSSAPI
= 'GSSAPI'
LOGIN
`LOGIN` — Base64 username/password exchange; credentials sent in the clear.
public
string
LOGIN
= 'LOGIN'
NTLM
`NTLM` — Microsoft NTLM / SPNEGO authentication.
public
string
NTLM
= 'NTLM'
OAUTHBEARER
`OAUTHBEARER` — OAuth 2.0 bearer-token authentication (RFC 7628).
public
string
OAUTHBEARER
= 'OAUTHBEARER'
PLAIN
`PLAIN` — Base64 authzid/authcid/password; credentials sent in the clear (RFC 4616).
public
string
PLAIN
= 'PLAIN'
SCRAM_SHA_1
`SCRAM-SHA-1` — Salted challenge-response (RFC 5802).
public
string
SCRAM_SHA_1
= 'SCRAM-SHA-1'
SCRAM_SHA_256
`SCRAM-SHA-256` — Salted challenge-response with SHA-256 (RFC 7677).
public
string
SCRAM_SHA_256
= 'SCRAM-SHA-256'
XOAUTH2
`XOAUTH2` — Google/Microsoft OAuth 2.0 bearer-token mechanism (de-facto).
public
string
XOAUTH2
= 'XOAUTH2'
Methods
requiresTls()
Whether the mechanism MUST run over TLS because it exposes a reusable secret on the wire.
public
static requiresTls(string $mechanism) : bool
Returns true for mechanisms that transmit the password in the clear
(PLAIN, LOGIN) or carry a bearer token (XOAUTH2, OAUTHBEARER).
Challenge-response mechanisms (CRAM-MD5, DIGEST-MD5, SCRAM-*,
GSSAPI, NTLM, EXTERNAL) do not expose the secret and return false
— though running them over TLS is still recommended.
Parameters
- $mechanism : string
-
One of the class constants (case-insensitive).