State of Play

[Neustradamus]

Welcome, this page informs you about the security, all SCRAM variants and Channel Binding (-PLUS variants) too.

---

Important history:

CRAM-MD5 to Historic:

• https://tools.ietf.org/html/draft-ietf-sasl-crammd5-to-historic-00 // 20 November 2008
• https://tools.ietf.org/html/draft-zeilenga-luis140219-crammd5-to-historic-00 // June 29, 2017

RFC6331: Moving DIGEST-MD5 to Historic:

• https://tools.ietf.org/html/rfc6331 // July 2011

RFC8600: https://tools.ietf.org/html/rfc8600 (2019-06-21): https://mailarchive.ietf.org/arch/msg/ietf-announce/suJMmeMhuAOmGn_PJYgX5Vm8lNA
When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802].

But in "Best practices for password hashing and storage" expired I-D:

• https://tools.ietf.org/html/draft-ietf-kitten-password-storage

- EXTERNAL
- SCRAM-SHA-256-PLUS
- SCRAM-SHA-1-PLUS
- SCRAM-SHA-256
- SCRAM-SHA-1
- PLAIN

---

About Channel Binding (for -PLUS variants):

• RFC5056: On the Use of Channel Bindings to Secure Channels: https://tools.ietf.org/html/rfc5056 // November 2007
• RFC5929: Channel Bindings for TLS: https://tools.ietf.org/html/rfc5929 // July 2010
• Channel-Binding Types: https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml
• RFC9266: Channel Bindings for TLS 1.3: https://tools.ietf.org/html/rfc9266 // July 2022

Some important XEPs:

• XEP-0388: Extensible SASL Profile: https://xmpp.org/extensions/xep-0388.html
• XEP-0440: SASL Channel-Binding Type Capability: https://xmpp.org/extensions/xep-0440.html
• XEP-0474: SASL SCRAM Downgrade Protection: https://xmpp.org/extensions/xep-0474.html
• XEP-0480: SASL Upgrade Tasks: https://xmpp.org/extensions/xep-0480.html

Little details, to know easily:

• tls-unique for TLS =< 1.2 (RFC5929)
• tls-server-end-point (RFC5929)
• tls-exporter for TLS = 1.3 (RFC9266)

After the jabber.ru MITM, Channel Binding is the solution:

• https://notes.valdikss.org.ru/jabber.ru-mitm/
• https://snikket.org/blog/on-the-jabber-ru-mitm/
• https://www.devever.net/~hl/xmpp-incident
• https://blog.jmp.chat/b/certwatch

---

SCRAM-SHA-1(-PLUS):

• RFC5802: Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms: https://tools.ietf.org/html/rfc5802 // July 2010
• RFC6120: Extensible Messaging and Presence Protocol (XMPP): Core: https://tools.ietf.org/html/rfc6120 // March 2011

SCRAM-SHA-256(-PLUS):

• RFC7677: SCRAM-SHA-256 and SCRAM-SHA-256-PLUS Simple Authentication and Security Layer (SASL) Mechanisms: https://tools.ietf.org/html/rfc7677 // 2015-11-02
• RFC8600: Using Extensible Messaging and Presence Protocol (XMPP) for Security Information Exchange: https://tools.ietf.org/html/rfc8600 // 2019-06-21: https://mailarchive.ietf.org/arch/msg/ietf-announce/suJMmeMhuAOmGn_PJYgX5Vm8lNA

SCRAM-SHA-512(-PLUS):

• https://tools.ietf.org/html/draft-melnikov-scram-sha-512

SCRAM-SHA3-512(-PLUS):

• https://tools.ietf.org/html/draft-melnikov-scram-sha3-512

SCRAM BIS: Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms:

• https://tools.ietf.org/html/draft-melnikov-scram-bis

IMAP:

• RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2: https://tools.ietf.org/html/rfc9051 // August 2021

LDAP:

• RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803 // July 2010

HTTP:

• RFC7804: Salted Challenge Response HTTP Authentication Mechanism: https://tools.ietf.org/html/rfc7804 // March 2016

JMAP:

• RFC8621: The JSON Meta Application Protocol (JMAP) for Mail: https://tools.ietf.org/html/rfc8621 // August 2019

2FA:

• Extensions to Salted Challenge Response (SCRAM) for 2 factor authentication: https://tools.ietf.org/html/draft-ietf-kitten-scram-2fa

IANA:

• Simple Authentication and Security Layer (SASL) Mechanisms: https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml

SASL2:

• Extensible Simple Authentication and Security Layer (SASL): https://tools.ietf.org/html/draft-melnikov-sasl2

---

Article: Convert old unsecured MD5 passwords to SCRAM-SHA-256 with PostgreSQL: https://info.crunchydata.com/blog/how-to-upgrade-postgresql-passwords-to-scram

Since PostgreSQL 10, MD5 -> SCRAM-SHA-256:
SCRAM-SHA-256 has been added in PostgreSQL 10
SCRAM-SHA-256-PLUS variant (with TLS Binding) has been added in PostgreSQL 13
SCRAM-SHA-256 is selected by default in PostgreSQL 14

• 10: https://www.postgresql.org/docs/10/auth-methods.html | https://www.postgresql.org/about/news/postgresql-10-released-1786/
• 11: https://www.postgresql.org/docs/11/auth-password.html
• 12: https://www.postgresql.org/docs/12/auth-password.html
• 13: https://www.postgresql.org/docs/13/auth-password.html | https://www.postgresql.org/about/news/postgresql-13-released-2077/
• 14: https://www.postgresql.org/docs/14/auth-password.html | https://www.postgresql.org/about/news/postgresql-14-released-2318/ | https://techcommunity.microsoft.com/t5/azure-database-for-postgresql/how-to-securely-authenticate-with-scram-in-postgres-13/ba-p/1548319

---

SCRAM-SHA-1(-PLUS) and SCRAM-SHA-256(-PLUS):

• OnGres SCRAM 3.0 - Salted Challenge Response Authentication Mechanism (SCRAM) - Java Implementation: https://github.com/ongres/scram
• Tigase XMPP Server 8.0.0 (XMPP server): https://docs.tigase.net/tigase-server/8.0.0/Administration_Guide/html/
• Gajim 1.2.x (XMPP client): https://gajim.org/
• nbxmpp 2.x, Python library (XMPP library): https://dev.gajim.org/gajim/python-nbxmpp/
• Prosody IM 0.12 (XMPP server): https://hg.prosody.im/0.12/rev/60b445183d84 + https://hg.prosody.im/0.12/rev/e458578ddfd3 | https://hg.prosody.im/0.12/rev/c0d221b0c94c + https://hg.prosody.im/0.12/rev/1bfd238e05ad | https://prosody.im/doc/release/0.12.0 | https://prosody.im/
• Prosody IM Trunk (XMPP server): https://hg.prosody.im/trunk/rev/60b445183d84 + https://hg.prosody.im/trunk/rev/e458578ddfd3 | https://hg.prosody.im/trunk/rev/c0d221b0c94c + https://hg.prosody.im/trunk/rev/1bfd238e05ad | https://hg.prosody.im/trunk/rev/29685403be32 + https://hg.prosody.im/trunk/rev/78f874441e21 | https://prosody.im/
• GNU SASL 1.10.0 (Libgsasl): https://www.gnu.org/software/gsasl/
• aiosasl: https://github.com/horazont/aiosasl
• Mellium SASL: https://github.com/mellium/sasl
• Mellium XMPP (XMPP library): https://github.com/mellium/xmpp
• xmpp-rs (XMPP library): https://gitlab.com/xmpp-rs/xmpp-rs
• Multipurpose XMPP-Webhook (Built for DevOps Alerts): https://github.com/tmsmr/xmpp-webhook
• Stanza (XMPP library): https://github.com/legastero/stanza (https://github.com/legastero/stanza/issues/295 "SCRAM-SHA-256 is supported now. -PLUS is too, technically, but BOSH/WebSocket don't provide channel binding info. It'll be there once TCP/TLS support is added.")
• Exim (Mail server): https://bugs.exim.org/show_bug.cgi?id=2349 // Exim uses GNU SASL
• indimail-mta (qmail fork with IPV6, TLS, DANE, DKIM, SRS2, daemontools, qmailanalog, mess822, & ucspi-tcp): https://github.com/indimail/indimail-mta (with gsasl)
• Rock-solid and complete codec for IMAP: https://github.com/duesee/imap-codec

SCRAM-SHA-1 and SCRAM-SHA-256:

• Thunderbird 71 (XMPP client): https://thunderbird.net/ // -PLUS: https://bugzilla.mozilla.org/show_bug.cgi?id=563276
• Mox: modern full-featured open source secure mail server for low-maintenance self-hosted email: https://github.com/mjl-/mox
• mpop (POP3 client): https://marlam.de/mpop/
• msmtp (SMTP client): https://marlam.de/msmtp/
• Tigase Beagle IM (XMPP client): https://beagle.im/
• Tigase Siskin IM (XMPP client): https://siskin.im/
• TigaseSwift - XMPP library for Swift (XMPP library): https://github.com/tigase/tigase-swift
• UWPX (XMPP client): https://github.com/UWPX/UWPX-Client
• Dovecot 2.3.10 (Mail server): https://doc.dovecot.org/configuration_manual/authentication/password_schemes/ + https://dovecot.org/pipermail/dovecot-news/2020-March/000432.html
• Postfix with Dovecot SASL: https://postfix.org/
• PostfixAdmin with Postfix and Dovecot SASL: https://github.com/postfixadmin
• MySQL 8.0.23: https://dev.mysql.com/doc/refman/8.0/en/pluggable-authentication-system-variables.html#sysvar_authentication_ldap_sasl_auth_method_name
• The MongoDB Database: https://github.com/mongodb/mongo
• MongoDB 4.0: https://docs.mongodb.com/manual/core/security-scram/ + https://www.mongodb.com/blog/post/exciting-new-security-features-in-mongodb-40 + https://www.mongodb.com/docs/manual/core/security-scram/ + https://github.com/mongodb/specifications/blob/master/source/auth/auth.rst#scram-sha-1 + https://github.com/mongodb/specifications/blob/master/source/auth/auth.rst#scram-sha-256
• PyMongo 3.7: https://api.mongodb.com/python/3.7.0/examples/authentication.html + https://api.mongodb.com/python/3.7.0/api/pymongo/database.html
• MongoDB for the XP Framework: https://github.com/xp-forge/mongodb
• The Java driver for MongoDB: https://github.com/mongodb/mongo-java-driver
• The MongoDB C Driver (libmongoc): https://mongoc.org/
• Percona Server for MongoDB: https://github.com/percona/percona-server-mongodb
• RED HAT AMQ: https://access.redhat.com/documentation/en-us/red_hat_amq/7.2/html-single/using_the_amq_jms_client/index
• Stanza (XMPP library): https://github.com/legastero/stanza
• Rust SASL: https://gitlab.com/lumi/sasl-rs + https://docs.rs/sasl/
• Vert.x based SCRAM service: https://github.com/edipermadi/scram-service
• OnGres SCRAM - Salted Challenge Response Authentication Mechanism (SCRAM) - Java Implementation: https://github.com/ongres/scram
• TiDB: an open-source, cloud-native, distributed, MySQL-Compatible database for elastic scale and real-time analytics: https://github.com/pingcap/tidb
• Apache Qpid: https://qpid.apache.org/
• Apache Qpid Broker-J: https://github.com/apache/qpid-broker-j
• Apache Qpid JMS AMQP 0-x: https://github.com/apache/qpid-jms-amqp-0-x + https://github.com/apache/qpid-jms-amqp-0-x/tree/main/client/src/main/java/org/apache/qpid/client/security/scram
• Apache Gora: https://github.com/apache/gora
• Lightweight XMPP client library written in Dart: https://github.com/vukoye/xmpp_dart
• Lightweight XMPP client library written in Dart: https://github.com/slashdigital/xmpp_dart

SCRAM-SHA-256(-PLUS):

• PostgreSQL 13: https://www.postgresql.org/docs/13/sasl-authentication.html + https://techcommunity.microsoft.com/t5/azure-database-for-postgresql/how-to-securely-authenticate-with-scram-in-postgres-13/ba-p/1548319
• Native PostgreSQL driver for the Rust programming language: https://github.com/sfackler/rust-postgres
• Npgsql is the .NET data provider for PostgreSQL: https://www.npgsql.org/ + https://github.com/npgsql/npgsql
• A postgres driver for crystal: https://github.com/will/crystal-pg

SCRAM-SHA-256:

• IRCv3: https://ircv3.net/docs/sasl-mechs
• AdiIRC: https://www.adiirc.com/
• Swirc: https://www.nifty-networks.net/swirc/
• IRCCloud: https://www.irccloud.com/
• CoreIRC: https://play.google.com/store/apps/details?id=co.aureolin.coreirc
• Limnoria: https://github.com/ProgVal/Limnoria
• Rust SCRAM: https://github.com/tomprogrammer/scram
• SASL-SCRAM-SHA256: https://github.com/PhysoTronic/SASL-SCRAM-SHA256
• Postgres driver written in pure Zig: https://github.com/star-tek-mb/pgz
• PostgreSQL 10: https://www.postgresql.org/docs/10/sasl-authentication.html
• Erlang PostgreSQL client library: https://github.com/epgsql/epgsql
• Postgresql JDBC Driver: https://github.com/pgjdbc/pgjdbc + https://jdbc.postgresql.org/
• PostgreSQL driver and toolkit for Go: https://github.com/jackc/pgx
• PostgreSQL driver for Elixir: https://github.com/elixir-ecto/postgrex
• A PostgreSQL metric exporter for Prometheus: https://github.com/prometheus-community/postgres_exporter
• Puppet module for managing PostgreSQL: https://github.com/puppetlabs/puppetlabs-postgresql
• Pgpool-II 4.0.0: https://www.pgpool.net/ + https://www.pgpool.net/docs/40/en/html/auth-methods.html + https://b-peng.blogspot.com/2020/09/how-to-configure-scram-and-md5.html
• pgpoolAdmin 4.0.0: https://www.pgpool.net/
• YugabyteDB 2.5: https://github.com/yugabyte/yugabyte-db + https://blog.yugabyte.com/whats-new-in-yugabytedb-2-5-enterprise-grade-security-features/ + https://docs.yugabyte.com/latest/secure/authentication/password-authentication/ + https://dev.to/yugabyte/enabling-pgaudit-pgcrypto-and-scram-sha-256-in-distributed-sql-3kjl
• Cassandra security authentication plug-in based on SCRAM-SHA256 algorithm: https://github.com/johnyannj/cassandra-secure-plugin
• This is a simple program to generate password hashes using SCRAM-SHA-256 for Postgres (supported after version 10): https://github.com/DenisMedeirosBBD/PostgresSCRAM256PasswordGenerator
• A password generator for PostgreSQL to encrypt it with SCRAM-SHA-256 method: https://github.com/supercaracal/scram-sha-256
• connectanum-dart: https://github.com/konsultaner/connectanum-dart
• The Web Application Messaging Protocol: https://wamp-proto.org/ + https://github.com/wamp-proto/wamp-proto
• High performance reactive SQL Client written in Java: https://github.com/eclipse-vertx/vertx-sql-client + https://vertx.io/docs/vertx-pg-client/java/
• Okapi: https://github.com/folio-org/okapi
• Lightweight FOLIO module development library for Vert.x that supports OpenAPI: https://github.com/folio-org/folio-vertx-lib
• Vault: A tool for secrets management, encryption as a service, and privileged access management: https://github.com/hashicorp/vault
• EdgeDB: A next-generation graph-relational database: https://edgedb.com/ + https://github.com/edgedb
• edgedb-js: The official TypeScript/JS client library and query builder for EdgeDB: https://github.com/edgedb/edgedb-js
• edgedb-ui: The home of EdgeDB UI and all related shared UI components: https://github.com/edgedb/edgedb-ui
• edgedb-python: The official Python client library for EdgeDB: https://github.com/edgedb/edgedb-python
• edgedb-cli: The EdgeDB CLI: https://github.com/edgedb/edgedb-cli
• imapclient: An easy-to-use, Pythonic and complete IMAP client library: https://github.com/mjs/imapclient

SCRAM-SHA-256 and SCRAM-SHA-512:

• Apache ActiveMQ Artemis: https://github.com/apache/activemq-artemis + https://activemq.apache.org/components/artemis/documentation/latest/security.html + https://github.com/apache/activemq-artemis/tree/main/examples/protocols/amqp/sasl-scram + https://issues.apache.org/jira/browse/ARTEMIS-3106
• Apache Kafka: https://github.com/apache/kafka + https://docs.confluent.io/current/kafka/authentication_sasl/authentication_sasl_scram.html + https://cwiki.apache.org/confluence/display/KAFKA/KIP-84%3A+Support+SASL+SCRAM+mechanisms + https://issues.apache.org/jira/browse/KAFKA-3751
• CockroachDB: The open source, cloud-native distributed SQL database: https://github.com/cockroachdb/cockroach
• CockroachDB with pre-generated Go code: https://github.com/cockroachdb/cockroach-gen
• Sarama is a Go library for Apache Kafka: https://github.com/Shopify/sarama
• aiokafka: https://github.com/aio-libs/aiokafka
• Python client for Apache Kafka: https://github.com/dpkp/kafka-python
• Alternate Kafka Broker implementation: https://github.com/knative-sandbox/eventing-kafka-broker
• Kafka integrations with Knative Eventing: https://github.com/knative-sandbox/eventing-kafka
• The plugin-driven server agent for collecting & reporting metrics: https://github.com/influxdata/telegraf
• Sarama is a Go library for Apache Kafka: https://github.com/Shopify/sarama
• Strimzi canary: https://github.com/strimzi/strimzi-canary
• KEDA: a Kubernetes-based Event Driven Autoscaling component: https://github.com/kedacore/keda
• Apache Kafka running on Kubernetes: https://github.com/strimzi/strimzi-kafka-operator
• The Apache Kafka C/C++ library: https://github.com/edenhill/librdkafka
• CNCF Jaeger: a Distributed Tracing Platform: https://github.com/jaegertracing/jaeger + https://www.jaegertracing.io/
• OpenTelemetry Collector: https://github.com/open-telemetry/opentelemetry-collector
• Haystack: https://project-haystack.org/doc/Auth
• ForgeRock Directory Services (OpenDJ/OpenDS): https://backstage.forgerock.com/knowledge/kb/article/a44757687 + https://backstage.forgerock.com/docs/ds/7/release-notes/whats-new.html + https://backstage.forgerock.com/docs/ds/7/configref/subcommands-create-password-storage-scheme.html + https://backstage.forgerock.com/docs/ds/7/ldap-reference/standards.html + https://backstage.forgerock.com/search/?q=scram + https://bugster.forgerock.org/jira/browse/OPENDJ-6435 + ...
• Sarama, a Go library for Apache Kafka: https://github.com/IBM/sarama

SCRAM-SHA-1, SCRAM-SHA-224, SCRAM-SHA-256, SCRAM-SHA-384, SCRAM-SHA-512 and SCRAM-SHA3-512:

• The PHP SASL2 Authentification Library: https://github.com/fabiang/sasl

SCRAM-SHA-1(-PLUS), SCRAM-SHA-224(-PLUS), SCRAM-SHA-256(-PLUS), SCRAM-SHA-384(-PLUS), SCRAM-SHA-512(-PLUS) and SCRAM-SHA3-512(-PLUS):

• Salted Challenge Response Authentication Mechanism [SCRAM-SHA-1(-PLUS) SCRAM-SHA-224 SCRAM-SHA-256(-PLUS) SCRAM-SHA-384 SCRAM-SHA-512(-PLUS) SCRAM-SHA3-512(-PLUS)] (scram.nim): https://github.com/ba0f3/scram.nim

SCRAM-SHA-1, SCRAM-SHA-256, SCRAM-SHA-512 and SCRAM-SHA3-512:

• QXmpp (XMPP library): https://github.com/qxmpp-project/qxmpp // No -PLUS variants because Qt Channel binding support is missing: https://bugreports.qt.io/browse/QTBUG-77783
• KDE Kaidan (XMPP client): https://www.kaidan.im/ // No -PLUS variants because Qt Channel binding support is missing: https://bugreports.qt.io/browse/QTBUG-77783
• ShmoNG (Shmoose Next Generattion): A XMPP Client for Sailfish OS: https://github.com/geobra/shmong
• SnappyMail (Webmail) : https://github.com/the-djmaze/snappymail + https://snappymail.eu/

SCRAM-SHA-1(-PLUS), SCRAM-SHA-256(-PLUS), SCRAM-SHA-512(-PLUS) and SCRAM-SHA3-512(-PLUS):

• Python implementation of the SCRAM protocol (scramp): https://github.com/tlocke/scramp
• Jackal (XMPP server): https://github.com/ortuman/jackal

SCRAM-SHA-1, SCRAM-SHA-256 and SCRAM-SHA-512:

• SquirelMail (Webmail): https://github.com/RealityRipple/squirrelmail
• A simple, lightweight C library for writing XMPP clients (libstrophe) 0.10.0 (XMPP library): https://github.com/strophe/libstrophe
• Go implementation of RFC-5802 Salted Challenge Response Authentication Mechanism (SCRAM): https://github.com/xdg-go/scram
• Memcached: https://github.com/couchbase/memcached
• Atheme: https://github.com/atheme/atheme
• BitBot: https://github.com/jesopo/bitbot
• UnboundID LDAP SDK for Java: https://github.com/pingidentity/ldapsdk
• ldaptive: https://github.com/vt-middleware/ldaptive
• Couchbase: https://blog.couchbase.com/improved-security-couchbase-4-5-scram-sha/ + https://docs.couchbase.com/server/current/learn/security/authentication-overview.html
• Couchbase Key-Value Engine: https://github.com/couchbase/kv_engine
  The JVM core for Couchbase SDKs: https://github.com/couchbase/couchbase-jvm-core
• Skyspark: https://www.alienfactory.co.uk/articles/skyspark-scram-over-sasl
• java-sasl-scram-sha1: https://github.com/trondn/java-sasl-scram-sha1
• passlib.hash.scram: https://passlib.readthedocs.io/en/stable/lib/passlib.hash.scram.html
• XMPP/Jabber Library for Crystal (cr-xmpp) (XMPP library): https://github.com/naqvis/cr-xmpp
• Java implementation of the SCRAM SASL for both server and client (scram-sasl): https://github.com/ogrebgr/scram-sasl
• Sharp.Xmpp.Client: https://github.com/liangdefeng/Sharp.Xmpp.Client
• DataEnter CryptoFilter - The S/MIME Gateway: https://www.dataenter.com/doc/cryptofilter.htm
• DataEnter POPBeamer - The Mail Collector: https://www.dataenter.com/doc/popbeam.htm
• DataEnter SMTPBeamer - The Mail Server: https://www.dataenter.com/doc/smtpbeam.htm
• DataEnter XWall - The Mail Filter: https://www.dataenter.com/doc/xwall.htm
• moxxmpp: A pure-Dart XMPP library: https://github.com/PapaTutuWawa/moxxmpp
• Moxxy: An experiment in building a better XMPP client. This time using Flutter: https://github.com/Polynomdivision/moxxyv2
• Authen::SASL::SCRAM: https://metacpan.org/pod/Authen::SASL::SCRAM + https://github.com/ehuelsmann/authen-sasl-scram
• Apache Qpid JMS: https://github.com/apache/qpid-jms + https://github.com/apache/qpid-jms/tree/main/qpid-jms-client/src/main/resources/META-INF/services/org/apache/qpid/jms/sasl
• Apache Qpid ProtonJ2: https://github.com/apache/qpid-protonj2 + https://github.com/apache/qpid-protonj2/tree/main/protonj2/src/main/java/org/apache/qpid/protonj2/engine/sasl/client
• Apache Qpid Proton DotNet: https://github.com/apache/qpid-proton-dotnet + https://github.com/apache/qpid-proton-dotnet/tree/main/src/Proton/Engine/Sasl/Client

SCRAM-SHA-1(-PLUS), SCRAM-SHA-256(-PLUS) and SCRAM-SHA-512(-PLUS):

• Gajim 1.4.x (XMPP client): https://gajim.org/
• nbxmpp 3.x, Python library (XMPP library): https://dev.gajim.org/gajim/python-nbxmpp/
• Go XMPP library (From Yasuhiro Matsumoto and based on the code from Russ Cox) (XMPP library): https://github.com/xmppo/go-xmpp
• go-sendxmpp 0.7.0: https://pkg.go.dev/salsa.debian.org/mdosch/go-sendxmpp + https://pkg.go.dev/salsa.debian.org/mdosch/go-sendxmpp
• Conversations (XMPP client): https://codeberg.org/iNPUTmice/Conversations
• Cheogram (XMPP client): https://cheogram.com/
• Monocles Chat (XMPP client): https://codeberg.org/Arne/monocles_chat
• DJabberd (XMPP server): https://github.com/djabberd/DJabberd
• ProcessOne ejabberd (XMPP server): https://www.ejabberd.im/
• ProcessOne Erlang/Elixir XMPP (XMPP library): https://github.com/processone/xmpp
• CoyIM (XMPP client): https://github.com/coyim/coyim | Important: Do not use it, there is a problem with this XMPP Client
• Tigase XMPP Server 8.1.0 (XMPP server): https://docs.tigase.net/tigase-server/8.1.0/Administration_Guide/html/
• Tigase XMPP Server 8.2.x-dev (XMPP server): https://docs.tigase.net/tigase-server/master-snapshot/Administration_Guide/html/
• Tigase JaXMPP (XMPP library): https://github.com/tigase/jaxmpp
• Tigase TTS-NG: https://github.com/tigase/tigase-tts-ng
• Tigase Stork IM / Tigase Android Messenger (XMPP client): https://github.com/tigase/stork
• Isode M-Link (XMPP server): https://www.isode.com/products/m-link.html
• Isode M-Vault: https://www.isode.com/products/m-vault.html
• Isode M-Switch: https://www.isode.com/products/m-switch-x400.html
• Isode M-Box: https://www.isode.com/products/m-box.html
• libscram: https://github.com/pwithnall/libscram
• MimeKit: https://github.com/jstedfast/MimeKit + https://www.mimekit.net/docs/html/Introduction.htm
• MailKit: https://github.com/jstedfast/MailKit + https://www.mimekit.net/docs/html/Introduction.htm
• An XMPP library implemented in the Racket language: https://gitlab.com/navlost.eu/xmpp/libraries/racket/xmpp + https://docs.racket-lang.org/xmpp/
• Racket SASL: https://github.com/racket/sasl + https://docs.racket-lang.org/sasl/

SCRAM-SHA-1, SCRAM-SHA-256, SCRAM-SHA-384 and SCRAM-SHA-512:

• Strophe.js 1.6.x (XMPP library): https://github.com/strophe/strophejs
• EchoX: Lightweight XMPP client, purely written in Dart: https://github.com/vsevex/echox
• Infinispan 13.0 Server: https://infinispan.org/docs/stable/titles/server/server.html + https://github.com/infinispan

SCRAM-SHA-1, SCRAM-SHA-224, SCRAM-SHA-256, SCRAM-SHA-384 and SCRAM-SHA-512:

• Psi/Psi+ (XMPP client) with QCA: https://psi-im.org/ + https://psi-plus.com/ // No -PLUS variants because Qt Channel binding support is missing: https://bugreports.qt.io/browse/QTBUG-77783
• Vacuum IM (XMPP client): https://github.com/Vacuum-IM/vacuum-im // No -PLUS variants because Qt Channel binding support is missing: https://bugreports.qt.io/browse/QTBUG-77783
• eyeCU (XMPP client): https://github.com/eyecu-im/eyecu-qt // No -PLUS variants because Qt Channel binding support is missing: https://bugreports.qt.io/browse/QTBUG-77783
• Auth_SASL: https://pear.php.net/package/Auth_SASL
• Auth_SASL2: https://pear.php.net/package/Auth_SASL2
• Authen-SCRAM: https://metacpan.org/release/Authen-SCRAM + https://github.com/dagolden/Authen-SCRAM
• Fastest SCRAM's implementation for Erlang & OTP (fast_scram): https://github.com/esl/fast_scram

SCRAM-SHA-1(-PLUS), SCRAM-SHA-224(-PLUS), SCRAM-SHA-256(-PLUS), SCRAM-SHA-384(-PLUS) and SCRAM-SHA-512(-PLUS):

• Erlang Solutions Escalus: https://github.com/esl/escalus
• Erlang Solutions MongooseIM 3.7.0 (XMPP server): https://github.com/esl/MongooseIM
• Miranda NG (XMPP client): https://github.com/miranda-ng/miranda-ng
• Cyrus SASL 2.1.28 + Cyrus IMAP (Mail server): Add SCRAM-SHA-1-PLUS, SCRAM-SHA-224-PLUS, SCRAM-SHA-256-PLUS, SCRAM-SHA-384-PLUS, SCRAM-SHA-512-PLUS, SCRAM-SHA3-512(-PLUS) supports cyrusimap/cyrus-sasl#552 + https://www.cyrusimap.org/sasl/sasl/authentication_mechanisms.html
• Postfix with Cyrus SASL: https://postfix.org/
• PostfixAdmin with Postfix and Cyrus SASL: https://github.com/postfixadmin
• Mutt (Mail client) with Cyrus SASL: https://mutt.org/
• NeoMutt (Mail client): https://neomutt.org/

SCRAM-SHA-1(-PLUS), SCRAM-SHA-256(-PLUS), SCRAM-SHA-384(-PLUS) and SCRAM-SHA-512(-PLUS):

• Metronome IM (XMPP server): https://metronome.im/ + https://github.com/maranda/metronome
• Wocky XMPP library 2.66 (XMPP library): https://github.com/TelepathyIM/wocky
• WildFly Elytron: https://github.com/wildfly-security/wildfly-elytron (https://github.com/wildfly-security/wildfly-elytron/blob/master/mechanism/scram/src/main/java/org/wildfly/security/mechanism/scram/ScramMechanism.java)

SCRAM-SHA-1, SCRAM-SHA-256(-PLUS) and SCRAM-SHA-512(-PLUS):

• scram-rs: SASL SCRAM SHA-1 SHA-256 SHA-512: https://gitlab.com/relkom/scram-rs
• SmtpFix-rs: A small and simple synchronous Rust library/crate for mail submission to the server as a client: https://gitlab.com/relkom/smtpfix-rs

SCRAM-SHA-1(-PLUS):

• GNU SASL fork - gsasl clone to fix SCRAM-SHA1 server side: https://github.com/20centaurifux/gsasl
• Prosody IM < 0.12 (XMPP server): https://prosody.im/doc/plain_or_hashed#authenticating // SCRAM-SHA-256(-PLUS) in 0.12.
• Swift IM (XMPP client): https://swift.im/swift.html
• Stroke (XMPP library): https://swift.im/swiften.html
• XMPP Client for Sailfish OS: https://github.com/geobra/harbour-shmoose
• Ignite Realtime Smack (XMPP library): https://igniterealtime.org/projects/smack/
• pyxmpp2 (XMPP library): https://github.com/Jajcus/pyxmpp2 + https://pypi.org/project/pyxmpp2/
• XMPP library for .NET Core (XMPP library): https://github.com/ubiety/Ubiety.Xmpp.Core
• Salted Challenge and Response Authentication Mechanism library for .NET Core: https://github.com/ubiety/Ubiety.Scram.Core

SCRAM-SHA-1 and SCRAM-SHA-1-PLUS:

• Slixmpp: https://slixmpp.readthedocs.io/
• Poezio: https://poez.io/

SCRAM-SHA-1:

• Pidgin (XMPP client), Finch, and libpurple: https://pidgin.im/
• Chatty (XMPP client): https://source.puri.sm/Librem5/chatty
• Claws Mail (Mail client): IMAP only: https://www.claws-mail.org/ + https://www.thewildbeast.co.uk/claws-mail/bugzilla/buglist.cgi?quicksearch=scram
• Dovecot: https://doc.dovecot.org/configuration_manual/authentication/password_schemes/ (Dovecot 2.3.10 has SCRAM-SHA-1 and SCRAM-SHA-256)
• Postfix with Dovecot SASL: https://postfix.org/
• PostfixAdmin with Postfix and Dovecot SASL: https://github.com/postfixadmin
• SleekXMPP: Python 2.6+/3.1+ XMPP Library: https://github.com/fritzy/SleekXMPP
• MySQL 5.7.19: https://dev.mysql.com/doc/refman/5.7/en/pluggable-authentication-system-variables.html#sysvar_authentication_ldap_sasl_auth_method_name
• PyMongo 2.8: https://api.mongodb.com/
• MongoDB 3.0: https://docs.mongodb.com/manual/release-notes/3.0-scram + https://www.mongoing.com/docs/core/security-scram-sha-1.html (MongoDB 4.0 has SCRAM-SHA-1 and SCRAM-SHA-256)
• jabberd2 (XMPP server): https://github.com/jabberd2/jabberd2
• Ignite Realtime Openfire (XMPP server): https://igniterealtime.org/projects/openfire/
• Ignite Realtime Pàdé: https://igniterealtime.org/projects/pade/
• SASL : SCRAM-SHA-1 (js-sasl-scram-sha-1): https://github.com/legastero/js-sasl-scram-sha-1
• authentication using scram (Auth-SCRAM): https://github.com/MARTIMM/Auth-SCRAM
• MatriX vNext: https://github.com/matrix-xmpp/matrix-vnext
• MatriX-JS: https://github.com/matrix-xmpp/matrix-js
• Horde (Webmail / Groupware): https://www.horde.org/ + https://github.com/horde + https://github.com/horde/Imap_Client + https://bugs.horde.org/ticket/15146
• Movim: https://movim.eu/
• Nextcloud Mail: https://nextcloud.com/ + Support strong authentication nextcloud/mail#3146 + Add horde_stringprep to support SCRAM-SHA-1 nextcloud/mail#4377
• xmpp.js (XMPP library): https://github.com/xmppjs/xmpp.js
• Pandion (XMPP client): https://github.com/pandion/pandion
• Tkabber (XMPP client): https://tkabber.jabber.ru/
• react-native-xmpp: https://www.npmjs.com/package/react-native-xmpp
• SASL::SCRAM: https://core.tcl-lang.org/tcllib/doc/trunk/embedded/md/tcllib/files/modules/sasl/scram.md
• SCRAM (Salted Challenge Response Authentication Mechanism) Implementation in Erlang (scramerl): https://github.com/erdemaksu/scramerl
• SCRAM (Salted Challenge Response Authentication Mechanism) Implementation in Go: https://github.com/erdemaksu/scram
• go-scram-sha1: https://github.com/c0nrad/go-scram-sha1
• cl-scram: https://github.com/mprelude/cl-scram
• Pontarius XMPP client library for Haskell (XMPP library): https://github.com/pontarius/pontarius-xmpp
• Artalk.Xmpp (XMPP library): https://github.com/araditc/Artalk.Xmpp
• S22.Xmpp (XMPP library): https://github.com/smiley22/S22.Xmpp
• Protocol implementation for Bosch XMPP protocols (bosch-xmpp): https://github.com/robertklep/bosch-xmpp
• ocaml-xmppl: https://codeberg.org/openEngiadina/ocaml-xmppl + https://github.com/openEngiadina/ocaml-xmppl
• Simple XMPP library in Rust: https://github.com/Florob/rust-xmpp
• The MongoDB driver for Go: https://github.com/go-mgo/mgo
• The MongoDB driver for Go: https://github.com/globalsign/mgo
• DefinitelyTyped: The repository for high quality TypeScript type definitions: https://github.com/DefinitelyTyped/DefinitelyTyped
• Apache Qpid Dispatch: https://github.com/apache/qpid-dispatch
• Apache Qpid Proton: https://github.com/apache/qpid-proton
• Apache Qpid Proton-J: https://github.com/apache/qpid-proton-j
• Apache Hop Orchestration Platform: https://github.com/apache/hop

NOTHING:

• jabberd (XMPP server): https://github.com/mawis/jabberd
• Thunderbird (POP/IMAP/SMTP/LDAP/-PLUS): https://thunderbird.net/ // IMAP (https://bugzilla.mozilla.org/show_bug.cgi?id=1503382) + POP (https://bugzilla.mozilla.org/show_bug.cgi?id=1597102) + SMTP (https://bugzilla.mozilla.org/show_bug.cgi?id=1597103) + LDAP (https://bugzilla.mozilla.org/show_bug.cgi?id=1597106) + -PLUS (https://bugzilla.mozilla.org/show_bug.cgi?id=563276)
• PHP: https://github.com/php/php-src + https://bugs.php.net/bug.php?id=80344 + https://bugs.php.net/bug.php?id=70679
• Roundcube: https://roundcube.net/
• SOGo: https://www.sogo.nu/
• Owncloud: https://owncloud.com/
• Mutt: https://mutt.org/
• Courier: https://www.courier-mta.org/
• hMailServer: https://github.com/hmailserver/hmailserver + https://www.hmailserver.com/
• K9: https://k9mail.app/
• MailCore: https://github.com/MailCore
• Mail Framework for C Language: libetpan: https://github.com/dinhvh/libetpan
• js-sasl (saslmechanisms): https://github.com/jaredhanson/js-sasl
• Ignite Realtime Spark (XMPP client): https://igniterealtime.org/projects/spark/
• Monal (XMPP client): https://github.com/anurodhp/Monal
• Jabber-Net fork (XMPP library): https://github.com/ForNeVeR/jabber-net
• Go package for implementing XMPP clients and components (go-xmpp) (XMPP library): https://github.com/xmppo/go-xmpp-atomatt
• go-xmpp (XMPP library): https://github.com/FluuxIO/go-xmpp
• Authen-SASL: https://metacpan.org/release/Authen-SASL + https://github.com/gbarr/perl-authen-sasl
• Haskell XMPP (XMPP library): https://hackage.haskell.org/package/haskell-xmpp
• sasl-php: https://github.com/OpenPrunus/sasl-php
• RainLoop: https://github.com/RainLoop/rainloop-webmail
• Mailu: https://github.com/Mailu/Mailu
• FairEmail: https://github.com/M66B/FairEmail
• Jenkins: https://issues.jenkins.io/browse/JENKINS-60705
• MailEnable: https://www.mailenable.com/ + https://www.mailenable.com/forum/viewtopic.php?t=44162
• Symfony: https://symfony.com/
• PHPMailer: https://github.com/PHPMailer/PHPMailer
• Nextcloud Server: https://nextcloud.com/ + https://github.com/nextcloud/server
• Laravel: https://github.com/laravel/framework + SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) + SCRAM-SHA-512(-PLUS) + SCRAM-SHA3-512(-PLUS) supports laravel/framework#48053
• Zend: https://github.com/zendframework
• Xmpp client written in flutter utilizing Xmpp Stone library: https://github.com/vukoye/xmpp_flutter
• nodemailer: https://github.com/nodemailer/nodemailer + https://nodemailer.com/
• nodemailer/smtp-server: https://github.com/nodemailer/smtp-server
• WildDuck Mail Server: https://github.com/nodemailer/wildduck + https://wildduck.email/

UNKNOWN:

• MDaemon Messaging Server: https://mdaemon.com/
• MDaemon Instant Messenger (MDIM): https://mdaemon.com/
• IceWarp Server Instant Messaging: https://icewarp.com/
• IceWarp Desktop Client: https://icewarp.com/
• eM Client: https://www.emclient.com/

[MarkPhubet]

Good

[wneessen]

Based on go-gomail/gomail#198 (the project is not maintained anymore), I've created wneessen/go-mail#242 for the go-mail project. The PR is currently in review and expected to be merged into main during this week.