Commands:

-c, --client

Act as client. (default=on)

-s, --server

Act as server. (default=off)

--client-mechanisms

Write name of supported client mechanisms separated by space to stdout. (default=off)

--server-mechanisms

Write name of supported server mechanisms separated by space to stdout. (default=off)

-k, --mkpasswd

Derive password. Provide --mechanism as SCRAM-SHA-1 or SCRAM-SHA-256. The required inputs are password (through --password or read from terminal) and optional inputs are iteration count (through --iteration-count, or defaulting to 65536) and salt (through --salt, or generated randomly). The output is a string of the form "{mech}count,salt,stored-key,server-key[,salted-password]" where "mech" is the mechanism, "count" is the number of times password was hashed, "salt" is the provided/generated base64-encoded salt, "stored-key" and "server-key" are the two derived and base64-encoded server-side keys. When --verbose is provided, "salted-password" will be included as the hex-encoded PBKDF2-derived password. (default=off)

Network options:

--connect=HOST[:PORT]

Connect to TCP server and negotiate on stream instead of stdin/stdout. PORT is the protocol service, or an integer denoting the port, and defaults to 143 (imap) if not specified. Also sets the --hostname default.

Generic options:

-d, --application-data

After authentication, read data from stdin and run it through the mechanism's security layer and print it base64 encoded to stdout. The default is to terminate after authentication. (default=on)

--imap

Use a IMAP-like logon procedure (client only). Also sets the --service default to 'imap'. (default=off)

--smtp

Use a SMTP-like logon procedure (client only). Also sets the --service default to 'smtp'. (default=off)

-m, --mechanism=STRING

Mechanism to use.

--no-client-first

Disallow client to send data first (client only). (default=off)

SASL mechanism options (they are prompted for when required):

-n, --anonymous-token=STRING

Token for anonymous authentication, usually mail address (ANONYMOUS only).

-a, --authentication-id=STRING

Identity of credential owner.

-z, --authorization-id=STRING Identity to request service for.

-p, --password=STRING

Password for authentication (insecure for non-testing purposes).

-r, --realm=STRING

Realm. Defaults to hostname.

--passcode=NUMBER

Passcode for authentication (SECURID only).

--service=STRING

Set the requested service name (should be a registered GSSAPI host based service name).

--hostname=STRING

Set the name of the server with the requested service.

--service-name=STRING

Set the generic server name in case of a replicated server (DIGEST-MD5 only).

--enable-cram-md5-validate

Validate CRAM-MD5 challenge and response

interactively.

(default=off)

--disable-cleartext-validate

Disable cleartext validate hook, forcing server

to prompt for password.

(default=off)

--quality-of-protection=TYPE

How application payload will be protected.

'qop-auth' means no protection, 'qop-int'

means integrity protection, 'qop-conf' means integrity and confidentialiy protection. Currently only used by DIGEST-MD5, where the default is 'qop-int'.

--iteration-count=NUMBER

Indicate PBKDF2 hash iteration count (SCRAM only). (default=`65536')

--salt=B64DATA

Indicate PBKDF2 salt as base64-encoded string (SCRAM only).

STARTTLS options:

--starttls

Force use of STARTTLS. The default is to use STARTTLS when available. (default=off)

--no-starttls

Unconditionally disable STARTTLS. (default=off)

--no-cb

Don't use channel bindings from TLS. (default=off)

--x509-ca-file=FILE

File containing one or more X.509 Certificate Authorities certificates in PEM format, used to verify the certificate received from the server. If not specified, verification uses system trust settings. If FILE is the empty string, don't fail on X.509 server certificates verification errors.

--x509-cert-file=FILE

File containing client X.509 certificate in PEM format. Used together with --x509-key-file to specify the certificate/key pair.

--x509-key-file=FILE

Private key for the client X.509 certificate in PEM format. Used together with --x509-key-file to specify the certificate/key pair.

--priority=STRING

Cipher priority string.

Other options:

--verbose

Produce verbose output. (default=off)

--quiet

Don't produce any diagnostic output. (default=off)