SASL config options in /etc/imapd.conf

Conrad Kleinespel conradk at conradk.com
Sun Jul 26 17:08:18 EDT 2015


Just a clarification, saslauthd will use only sasldb if you have started
it with the sasldb authmech (which is my case, and I'm thinking that
might be why I don't see the difference with
pwcheck_method=auxprop/auxprop_plugin=sasldb).

Best regards,

Conrad Kleinespel
conradk at conradk.com
+33 6 23 82 42 79

On Sun, Jul 26, 2015, at 10:54 PM, Conrad Kleinespel wrote:
> Hello Ellie,
> 
> I looked into this a bit further.
> 
> It seems like "sasl_pwcheck_method: saslauthd" will ask the "saslauthd"
> daemon, which in turn uses sasldb. Using "sasl_pwcheck_method: auxprop"
> with "sasl_auxprop_plugin: sasldb" seems to use sasldb too, but doesn't
> go through "saslauthd".
> 
> I'm not sure of that, but it's my current understanding.
> 
> As for how SASL understands what config values to use since they are
> prefixed with "sasl_" in the /etc/imapd.conf configuration file: it
> happens in "imap/global.c" from Cyrus IMAPd. The function
> "mysasl_config" looks for all options inside /etc/imapd.conf prefixed
> with "sasl_". This function is then passed to libsasl which does its
> thing.
> 
> Interesting reads on the subject include:
> https://cyrusimap.org/mediawiki/index.php/Cyrus_SASL#Plugins_.28Auxillary_Property.29
> https://cyrusimap.org/docs/cyrus-sasl/2.1.23/sysadmin.php
> http://www.sendmail.org/~ca/email/cyrus/sysadmin.html
> doc/options.html (inside the Cyrus SASL repo)
> 
> I hope this helps.
> 
> Best regards,
> 
> Conrad Kleinespel
> conradk at conradk.com
> +33 6 23 82 42 79
> 
> On Mon, Jul 20, 2015, at 02:30 AM, ellie timoney wrote:
> > > - Why is this commented out ? Is this meant to be uncommented at some
> > > point ?
> > 
> > Looking at git blame, that line has been commented out for as long as
> > the file has existed in the repository.  There is a comment above it
> > saying that it's commented out because it's used by libsasl, but I don't
> > understand the implications of that myself.  Maybe that it's not needed
> > in lib/imapoptions because libsasl takes care of it?  In which case I
> > guess it exists as a comment in the imapoptions file as documentation
> > that the option exists, even though it is not handled by this file
> > particularly.
> > 
> > > - Would you know if there is anything to configure manually to set up
> > > SASL authentication with saslauthd using sasldb ?
> > 
> > I noticed in the "Running a basic server" document you wrote that you
> > were using:
> > 
> > > sasl_pwcheck_method: saslauthd
> > 
> > Which is interesting because I had trouble getting that working when I
> > tried it (for reasons that ended up being unrelated, I think, but I
> > didn't try it again to verify).  I have my VMs configured with this,
> > based I think on the config/docs shipped with Debian's cyrus-imapd
> > package:
> > 
> > > sasl_pwcheck_method: auxprop
> > > sasl_auxprop_plugin: sasldb
> > 
> > I'm not sure what the difference is myself, just that this seemed to
> > work (though I have not touched virtual domains yet).
> > 
> > I also see you're using:
> > 
> > > virtdomains: yes
> > 
> > There was a thread started by Willem Offermans on info-cyrus last week
> > asking about an issue with virtual domains, in which Bron suggested
> > instead using:
> > 
> > > virtdomains: userid
> > 
> > I don't know if it will help, but if you haven't already maybe give that
> > a try too?
> > 
> > On Mon, Jul 20, 2015, at 01:19 AM, Conrad Kleinespel wrote:
> > > Hello everyone,
> > > 
> > > After struggling a lot to try and get SASL authentication to work for
> > > users with a domain name (e.g. conradk at conradk.com), I have noticed that
> > > the "sasl_pwcheck_method" recommended in the documentation seems to be
> > > commented out of the Cyrus code.
> > > 
> > > See here for the commented out option:
> > > https://git.cyrus.foundation/diffusion/I/browse/master/lib/imapoptions;690587fd545c291f2f52e2e3a14c8d4b6faad146$1600
> > > 
> > > I have 2 questions:
> > > - Why is this commented out ? Is this meant to be uncommented at some
> > > point ?
> > > - Would you know if there is anything to configure manually to set up
> > > SASL authentication with saslauthd using sasldb ?
> > > 
> > > Thanks a lot for your help ! :-)
> > > 
> > > Best regards,
> > > 
> > > Conrad Kleinespel
> > > conradk at conradk.com
> > > +33 6 23 82 42 79
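
The thread describes Cyrus IMAPd handing libsasl a function ("mysasl_config" in "imap/global.c") that resolves SASL options from the "sasl_"-prefixed lines of /etc/imapd.conf. The sketch below is an added example, not code from Cyrus IMAPd or from this thread: `conf_lookup`, `demo_sasl_getopt` and `SAMPLE_CONF` are hypothetical names, the config text is a constructed sample, and only the callback's parameter list follows libsasl's `sasl_getopt_t`.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample: the imapd.conf settings quoted in this thread. */
static const char *SAMPLE_CONF =
    "virtdomains: userid\n"
    "sasl_pwcheck_method: auxprop\n"
    "sasl_auxprop_plugin: sasldb\n";

/* Copy the value of "key: value" from conf into out; 0 if found, else -1. */
static int conf_lookup(const char *conf, const char *key, char *out, size_t outlen) {
    size_t klen = strlen(key);
    for (const char *line = conf; line && *line; ) {
        const char *eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line);
        if ((size_t)(end - line) > klen && !strncmp(line, key, klen) && line[klen] == ':') {
            const char *v = line + klen + 1;
            while (v < end && (*v == ' ' || *v == '\t')) v++;       /* trim left */
            while (end > v && (end[-1] == ' ' || end[-1] == '\r')) end--; /* trim right */
            if ((size_t)(end - v) >= outlen) return -1;
            memcpy(out, v, (size_t)(end - v));
            out[end - v] = '\0';
            return 0;
        }
        line = eol ? eol + 1 : NULL;
    }
    return -1;
}

/* Same parameter list as libsasl's sasl_getopt_t. libsasl asks for the bare
 * option name ("pwcheck_method"); the server side prepends "sasl_". */
static int demo_sasl_getopt(void *context, const char *plugin_name,
                            const char *option, const char **result, unsigned *len) {
    static char value[256];
    char key[128];
    (void)plugin_name; /* unused in this sketch */
    if (!option || !result) return -1;
    if (snprintf(key, sizeof key, "sasl_%s", option) >= (int)sizeof key) return -1;
    if (conf_lookup(context, key, value, sizeof value) != 0) return -1;
    *result = value;
    if (len) *len = (unsigned)strlen(value);
    return 0;
}

int main(void) {
    const char *r = NULL;
    if (demo_sasl_getopt((void *)SAMPLE_CONF, NULL, "pwcheck_method", &r, NULL) == 0)
        printf("SASL sees pwcheck_method = %s\n", r);
    return 0;
}
```

Options without the "sasl_" prefix, such as "virtdomains", are not reachable through this callback, which is why they stay server-only settings.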