SASL

When you enable SASL users can authenticate against services early in the client handshake, before the client is fully online. This has a number of benefits:
 * It is a universal way to identify to services. No need to /NS IDENTIFY, /MSG NickServ IDENTIFY, or whatever the command may be with services package XYZ.
 * Similarly, if services disconnect and come back later, there's no need to re-identify via /NS IDENTIFY.
 * Because it happens early in the IRC handshake you receive the proper vhost and modes. For instance, you can safely (auto)join registered only (+R) channels.
 * If the server is under attack and the Connthrottle protection is activated then SASL users are still allowed in.
 * Optionally, you can make SASL authentication mandatory. For example on a server that permits open proxies / tor. You do so via a require authentication { } block or by using soft bans.
 * IRCOps can ban users by their services account with eg, see Extended server bans.

Step 1: enable in services
First, you need to enable SASL in your services package.

For example, in anope you need to edit your modules.conf (or modules.example.conf) so it shows: /* * m_sasl * * Some IRCds allow "SASL" authentication to let users identify to Services * during the IRCd user registration process. If this module is loaded, Services will allow * authenticating users through this mechanism. Supported mechanisms are: * PLAIN, EXTERNAL. */ module { name = "m_sasl" }

In anope 2.0.6 (2017-12-11) and newer the SASL module is already loaded by default.

Step 2: enable in UnrealIRCd
Then, in UnrealIRCd you have to set the SASL server to your services server, like this: set { sasl-server services.my.net; };

UnrealIRCd also has auto-detection which works with certain services packages (such as anope). In that case setting set::sasl-server is unnecessary, but you could set it anyway just to be sure.

How to verify SASL is enabled
You can verify if SASL is available on a server by issuing the command 'CAP LS'. Usually you will need to use '/quote CAP LS' and not all clients (such as irssi) may show the output: [12:44:28] -> Server: CAP LS - [12:44:28] CAP LS unrealircd.org/plaintext-policy=user=allow,oper=warn,server=warn unrealircd.org/link-security=2 extended-join chghost cap-notify userhost-in-names multi-prefix away-notify account-notify sasl tls - In this example sasl is listed as the 2nd last parameter. This means SASL is available on this server.

If sasl is missing in CAP LS then it could be one of these problems:
 * SASL is not enabled in the services package
 * The services server is not linked (they are offline)
 * SASL is not enabled in the IRC server

Again, if you see no output at all for CAP LS then your client is intercepting the output. Try a different client or a nc or telnet session to the IRC port and issue an CAP LS command.

Enabling SASL on the client
NOTE: It is recommended that you use an SSL/TLS connection to the server, if it is supported, so your traffic and login credentials are encrypted.

mIRC

 * File -> Select Server
 * Connect -> Servers: select the server you want to add your SASL to and click Edit (or create a new server)
 * In Login Method you select SASL (/CAP)
 * In Password you type the password for your account.

irssi

 * See https://wiki.archlinux.org/index.php/Irssi#Authenticating_with_SASL