SMTP with CRAM-MD5 in Java

I need to send email through an (external) SMTP server from Java however this server will only accept CRAM-MD5 authentication, which is not supported by JavaMail.

What would be a good way to get these emails to send? (It must be in Java.)

Asked by: Owen776 | Posted: 23-01-2022

Answer 1

Here is thread which says that you need to add the following property:

props.put("mail.smtp.auth.mechanisms", "CRAM-MD5")

Also in Geronimo implementation there is CramMD5Authenticator

Hope it helps to resolve this old question.

Answered by: Chester176 | Posted: 24-02-2022

Answer 2

Since Java Mail 1.4.4, CRAM-MD5 is supported for use with smtp. Just set this parameter to your properties and it will work:

props.put("mail.smtp.sasl.enable", "true");

Answered by: Melissa883 | Posted: 24-02-2022

Answer 3

This doesn't help you directly, however, IMAP connections in JavaMail do support SASL (and thus CRAM-MD5, see the Java SASL documentation) if you set the mail.imap.sasl.enable boolean property to true.

Unfortunately, there is no mail.smtp.sasl.enable property, and SASL cannot be enabled for SMTP in JavaMail. :-(

However, you can download the JavaMail source code, and you can try to edit the SMTP code to support SASL in a similar manner to the IMAP code. Good luck!

Answered by: Ada281 | Posted: 24-02-2022

Answer 4

This probably won't help you but CRAM-MD5 and CRAM-SHA1 are fairly easy to implement assuming you have the correct library (md5/sha1) and, idealy, a base64 encoding library (though the base64 stuff is fairly easy to implement yourself in a pinch).

The transaction looks like this:

S: 334 BASE64(NONCE)
S: 235 Authentication succeeded

Where NONCE is the once time challenge string, USERNAME is the username you are tryng to authenticate, SECRET is the shared secret ("password"), opad is 0x5C, and ipad is 0x36.

(CRAM-SHA1 would be the same transaction, but using SHA1() instead of MD5() to do the digesting)

So, here's an example of a real CRAM-MD5 transaction

S: 334 PDQ1MDMuMTIyMzU1Nzg2MkBtYWlsMDEuZXhhbXBsZS5jb20+
S: 235 Authentication succeeded

Backing up the process a step you get:

S: 334 BASE64("<>")
C: BASE64(" 8b7c809c4453ce5aa097ea5c899f4f87")

Backing up one step further to before the digest is calculated, you get:

S: 334 BASE64("<>")
C: BASE64(" ", MD5(("password" XOR opad),MD5(("password" XOR ipad), "<>")))

I guess that's kind of confusing now that I write it out, but trust me, compared to trying to do NTLM/SPA by hand, it's a breeze. If you're motivated, it's actually pretty easy to implement. Or maybe I've just spent way to long with my hands in the guts of mail clients and servers to think about it clearly anymore...

Answered by: Paul140 | Posted: 24-02-2022

Answer 5

Very Simple CRAMMD5 program in JAVA


class CRAMMD5Test
public static void main(String[] args) throws Exception
    // This represents the BASE64 encoded timestamp sent by the POP server
    String dataString = Base64Decoder.decode("PDAwMDAuMDAwMDAwMDAwMEBteDEuc2VydmVyLmNvbT4=");
    byte[] data = dataString.getBytes();

    // The password to access the account
    byte[] key  = new String("password").getBytes();

    // The address of the e-mail account
    String user = "";

    MessageDigest md5 = MessageDigest.getInstance("MD5");

    if (key.length > 64)
        key = md5.digest(key);

    byte[] k_ipad = new byte[64];
    byte[] k_opad = new byte[64];

    System.arraycopy(key, 0, k_ipad, 0, key.length);
    System.arraycopy(key, 0, k_opad, 0, key.length);

    for (int i=0; i<64; i++)
        k_ipad[i] ^= 0x36;
        k_opad[i] ^= 0x5c;

    byte[] i_temp = new byte[k_ipad.length + data.length];

    System.arraycopy(k_ipad, 0, i_temp, 0, k_ipad.length);
    System.arraycopy(data, 0, i_temp, k_ipad.length, data.length);

    i_temp = md5.digest(i_temp);

    byte[] o_temp = new byte[k_opad.length + i_temp.length];

    System.arraycopy(k_opad, 0, o_temp, 0, k_opad.length);
    System.arraycopy(i_temp, 0, o_temp, k_opad.length, i_temp.length);

        byte[] result = md5.digest(o_temp);
        StringBuffer hexString = new StringBuffer();

        for (int i=0;i < result.length; i++) {
                hexString.append(Integer.toHexString((result[i] >>> 4) & 0x0F));
                hexString.append(Integer.toHexString(0x0F & result[i]));

        System.out.println(Base64Encoder.encode(user + " " + hexString.toString()));

Answered by: Hailey505 | Posted: 24-02-2022

Answer 6

I tried the code on the example of a real CRAM-MD5 transaction, and also on the example given into the RFC 2195.

It does not work because the conversion to an hexadecimal string is not correct. For exmaple, with this code, you will obtain "b913a62c7eda7a495b4e6e7334d3890" instead of "b913a602c7eda7a495b4e6e7334d3890" and the sent authentication string will not be correct.

If you download the source code of javaMail, you will see the implementation of the function toHex into the unit "DigestMD5". Using this conversion, it will work.

Answered by: Byron676 | Posted: 24-02-2022

Answer 7


for (int i=0; i<result.length; i++)
  hexString.append(Integer.toHexString(0xFF & result[i]));


for (int i=0;i < result.length; i++) {
  hexString.append(Integer.toHexString((result[i] >>> 4) & 0x0F));
  hexString.append(Integer.toHexString(0x0F & result[i]));

Answered by: Dainton715 | Posted: 24-02-2022

Similar questions

Still can't find your answer? Check out these amazing Java communities for help...

Java Reddit Community | Java Help Reddit Community | Java Community | Java Discord | Java Programmers (Facebook) | Java developers (Facebook)