SASL config options in /etc/imapd.conf

Conrad Kleinespel conradk at conradk.com
Sun Jul 26 16:54:15 EDT 2015


Hello Ellie,

I looked into this a bit further.

It seems like "sasl_pwcheck_method: saslauthd" will ask the "saslauthd"
daemon, which in turn uses sasldb. Using "sasl_pwcheck_method: auxprop"
with "sasl_auxprop_plugin: sasldb" seems to use sasldb too, but doesn't
go through "saslauthd".

I'm not sure of that, but it's my current understanding.

As for how SASL understands what config values to use since they are
prefixed with "sasl_" in the /etc/imapd.conf configuration file: it
happens in "imap/global.c" from Cyrus IMAPd. The function
"mysasl_config" looks for all options inside /etc/imapd.conf prefixed
with "sasl_". This function is then passed to libsasl which does its
thing.

Interesting reads on the subject include:
https://cyrusimap.org/mediawiki/index.php/Cyrus_SASL#Plugins_.28Auxillary_Property.29
https://cyrusimap.org/docs/cyrus-sasl/2.1.23/sysadmin.php
http://www.sendmail.org/~ca/email/cyrus/sysadmin.html
doc/options.html (inside the Cyrus SASL repo)

I hope this helps.

Best regards,

Conrad Kleinespel
conradk at conradk.com
+33 6 23 82 42 79

On Mon, Jul 20, 2015, at 02:30 AM, ellie timoney wrote:
> > - Why is this commented out ? Is this meant to be uncommented at some
> > point ?
> 
> Looking at git blame, that line has been commented out for as long as
> the file has existed in the repository.  There is a comment above it
> saying that it's commented out because it's used by libsasl, but I don't
> understand the implications of that myself.  Maybe that it's not needed
> in lib/imapoptions because libsasl takes care of it?  In which case I
> guess it exists as a comment in the imapoptions file as documentation
> that the option exists, even though it is not handled by this file
> particularly.
> 
> > - Would you know if there is anything to configure manually to setup
> > SASL authentication with saslauthd using sasldb ?
> 
> I noticed in the "Running a basic server" document you wrote that you
> were using:
> 
> > sasl_pwcheck_method: saslauthd
> 
> Which is interesting because I had trouble getting that working when I
> tried it (for reasons that ended up being unrelated, I think, but I
> didn't try it again to verify).  I have my VMs configured with this,
> based I think on the config/docs shipped with Debian's cyrus-imapd
> package:
> 
> > sasl_pwcheck_method: auxprop
> > sasl_auxprop_plugin: sasldb
> 
> I'm not sure what the difference is myself, just that this seemed to
> work (though I have not touched virtual domains yet).
> 
> I also see you're using:
> 
> > virtdomains: yes
> 
> There was a thread started by Willem Offermans on info-cyrus last week
> asking about an issue with virtual domains, in which Bron suggested
> instead using:
> 
> > virtdomains: userid
> 
> I don't know if it will help, but if you haven't already maybe give that
> a try too?
> 
> On Mon, Jul 20, 2015, at 01:19 AM, Conrad Kleinespel wrote:
> > Hello everyone,
> > 
> > After struggling a lot to try and get SASL authentication to work for
> > users with a domain name (eg conradk at conradk.com), I have noticed that
> > the "sasl_pwcheck_method" recommended in the documentation seems to be
> > commented out of the Cyrus code.
> > 
> > See here for the commented out option:
> > https://git.cyrus.foundation/diffusion/I/browse/master/lib/imapoptions;690587fd545c291f2f52e2e3a14c8d4b6faad146$1600
> > 
> > I have 2 questions:
> > - Why is this commented out ? Is this meant to be uncommented at some
> > point ?
> > - Would you know if there is anything to configure manually to setup
> > SASL authentication with saslauthd using sasldb ?
> > 
> > Thanks a lot for your help ! :-)
> > 
> > Best regards,
> > 
> > Conrad Kleinespel
> > conradk at conradk.com
> > +33 6 23 82 42 79
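
The "sasl_" prefix lookup described at the top of this message, sketched as an added example; it is not code from Cyrus IMAPd or from either poster. `demo_sasl_getopt`, `conf_get` and the sample configuration are hypothetical names and constructed data, and trying a plugin-specific key ("sasl_<plugin>_<option>") before the plain "sasl_<option>" key is an assumption made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample of imapd.conf lines (not taken from a real server). */
static const char *SAMPLE_CONF[] = {
    "virtdomains: userid",
    "sasl_pwcheck_method: auxprop",
    "sasl_auxprop_plugin: sasldb",
    NULL
};

/* Return the value stored under an exact key, or NULL if the key is absent. */
static const char *conf_get(const char *key)
{
    size_t klen = strlen(key);
    for (int i = 0; SAMPLE_CONF[i]; i++) {
        const char *line = SAMPLE_CONF[i];
        if (strncmp(line, key, klen) == 0 && line[klen] == ':') {
            const char *v = line + klen + 1;
            while (*v == ' ' || *v == '\t') v++;   /* skip separator whitespace */
            return v;
        }
    }
    return NULL;
}

/* Hypothetical callback with the argument shape of a libsasl getopt callback:
 * the library asks for "pwcheck_method"; the server adds the "sasl_" prefix. */
int demo_sasl_getopt(void *context, const char *plugin_name,
                     const char *option, const char **result, unsigned *len)
{
    char key[256];
    const char *val = NULL;
    (void)context;
    int n = plugin_name
          ? snprintf(key, sizeof key, "sasl_%s_%s", plugin_name, option) : -1;
    if (n >= 0 && (size_t)n < sizeof key) val = conf_get(key);
    if (!val) {                       /* fall back to the generic key */
        n = snprintf(key, sizeof key, "sasl_%s", option);
        if (n >= 0 && (size_t)n < sizeof key) val = conf_get(key);
    }
    if (!val) return -1;              /* stands in for SASL_FAIL */
    *result = val;
    if (len) *len = (unsigned)strlen(val);
    return 0;                         /* stands in for SASL_OK */
}
int main(void)
{
    const char *v; unsigned n;
    if (demo_sasl_getopt(NULL, NULL, "pwcheck_method", &v, &n) == 0)
        printf("pwcheck_method = %s (%u bytes)\n", v, n);
    return 0;
}
```

Options without the "sasl_" prefix, such as "virtdomains", are never visible through this callback, which is why the SASL settings can share /etc/imapd.conf with the server's own options.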
