Enabling cyrus-sasl for gssapi

Edgar Pettijohn edgar at pettijohn-web.com
Tue Dec 19 23:30:47 EST 2017


On Sat, Dec 16, 2017 at 08:42:26AM -0600, Edgar Pettijohn wrote:
> On Fri, Dec 15, 2017 at 12:21:42PM -0500, Mark Foley wrote:
> > On Fri, 15 Dec 2017 10:19:21 -0600 Dan White <dwhite at olp.net> wrote:
> > 
> > > On 12/12/17 18:19 -0500, Mark Foley wrote:
> > > >It then goes on to discuss downloading cyrus-sasl, verifying SASL is configured
> > > >in Sendmail (mine is), etc..  Are you suggesting that SASL and saslauthd are
> > > >separate things and that I can use one (SASL) without the other (saslauthd)?
> 
> Sorry, I'm coming into the conversation late and I think I missed the
> first message.  I was just checking out the source for Slackware and it
> didn't look to me like `sendmail' is being built with SASL support, at
> least not from looking at the site.config.m4 provided with the distro. Take a
> look at:
> 
> http://www.sendmail.org/~ca/email/auth.html
> 
> https://dfw.mirror.rackspace.com/slackware/slackware64-current/source/n/libmilter/site.config.m4
> APPENDDEF(`conf_libmilter_ENVDEF',`-DNETINET6=1')
> APPENDDEF(`conf_libmilter_ENVDEF',`-D_FFR_WORKERS_POOL=1 -DMIN_WORKERS=4')
> APPENDDEF(`conf_libmilter_ENVDEF',`-DSM_CONF_POLL=1')
> APPENDDEF(`conf_libmilter_ENVDEF', `-DMILTER')
> APPENDDEF(`conf_libmilter_ENVDEF', `-D_FFR_MILTER_ROOT_UNSAFE ')
> APPENDDEF(`confLIBDIR', `/usr/lib@LIBDIRSUFFIX@ ')
> 
> Here is the site.config.m4 stuff from the SlackBuild
> cat $CWD/site.config.m4 | sed "s,@LIBDIRSUFFIX@,$LIBDIRSUFFIX," \
>   > devtools/Site/site.config.m4
> 
> $ grep SASL devtools/Site/site.config.m4.sample
> $ 
> 
> I'm not sure why one would include cyrus-sasl and not implement it with
> sendmail. My only guess would be that, since you have the option at install
> time not to install cyrus-sasl, they don't want it to break the install
> of sendmail.
> 
> On the plus side it looks like cyrus-sasl enables `gssapi' by default in
> the configure script. However, you may want to add a line to the cyrus
> slackbuild to choose your preferred gssapi mech.
> 
> --with-gss_impl={heimdal|mit|cybersafe|seam|auto}
> 
> The default is auto and, without going further down the rabbit hole, I
> don't know what auto would be on Slack, and it may not be what you want.
> > >
> > > saslauthd is part of Cyrus SASL, but Cyrus SASL does not require running
> > > saslauthd, and saslauthd cannot be used to perform direct SASL GSSAPI for
> > > server authentication.
> > >
> > > For documentation, consult /doc in the source, and:
> > >
> > > https://www.cyrusimap.org/sasl/
> > >
> > 
> > Dan - thanks for your response.
> > 
> > Yes, that's the exact page I've been consulting.
> > 
> > This site: http://www.linuxfromscratch.org/blfs/view/svn/postlfs/cyrus-sasl.html
> > further advises downloading and applying *REQUIRED* patches:
> > 
> > cyrus-sasl-2.1.26-fixes-3.patch
> > cyrus-sasl-2.1.26-openssl-1.1.0-1.patch
> > 
> > Do you agree?
> > 
> > The first listed patch is described as "various package fixes, including
> > autotools fixes, plugin fixes, security fixes, parallel build fixes, etc.", and
> > was created Aug-24-2014.
> > 
> > The 2nd patch has no description, but patches
> > cyrus-sasl-2.1.26-orig/plugins/ntlm.c and is dated May-07-2017. It applies to
> > openssl 1.1.0 whereas I have 1.0.2k (although it's patching plugin/ntlm.c, not
> > openssl, so I'm not sure my openssl version matters).
> > 
> > Finally (if you've read this far!), you wrote in a previous message:
> > 
> > > I would personally not use saslauthd in the above manner [authenticating with
> > > sendmail].  If you have a controlled environment where your clients
> > > (Thunderbird) are known to support GSSAPI negotiation over the network, then
> > > configuring Sendmail to support GSSAPI directly is secure and recommended. 
> > 
> > The "configuring Sendmail to support GSSAPI directly" is the bit that got my
> > attention.  To clarify, in order to do Sendmail and GSSAPI directly I *do* need
> > SASL, but *do not* need saslauthd, right?
> > 
> > Thanks, Mark
> > 

Disregard most of what I said.  I installed Slackware as a QEMU guest,
which was more difficult than expected.  Most Linux guests' networking
works out of the box; I had to set up a DHCP server and use a tap and
bridge to get it working. Here are the steps to get it going.

1. install your preferred Kerberos. I chose Heimdal for this.
http://slackbuilds.org/repository/14.2/network/heimdal/

2. download the Slackware official cyrus-sasl build stuff and remember
you need all of the files.
https://dfw.mirror.rackspace.com/slackware/slackware64-14.2/source/n/cyrus-sasl/

3. edit the build script
$ diff -u cyrus-sasl.SlackBuild.orig cyrus-sasl.SlackBuild
--- cyrus-sasl.SlackBuild.orig  Tue Dec 19 22:16:18 2017
+++ cyrus-sasl.SlackBuild       Tue Dec 19 22:17:42 2017
@@ -80,6 +80,8 @@
   --disable-anon \
   --without-ldap \
   --with-saslauthd \
+  --enable-gssapi \
+  --with-gss_impl=heimdal \
   --with-gdbm \
   --with-dblib=gdbm
 # How stupid that I need to specify 'sasldir' again for 'make' or else you get
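Review bot: `--with-gss_impl=heimdal \` hardcodes the Kerberos implementation picked in step 1; a reader who installs MIT Kerberos instead must change it to `--with-gss_impl=mit \` (the accepted values quoted earlier in the thread are heimdal|mit|cybersafe|seam|auto), so step 1 should say the two must match, or the SlackBuild should read it from a variable, e.g. `--with-gss_impl=${GSS_IMPL:-heimdal} \`. `--enable-gssapi \` is redundant with the default the earlier message describes (gssapi enabled by default in the configure script), but keeping it makes the intent visible in the script. Leaving `--with-saslauthd \` in place is fine: saslauthd is not needed for GSSAPI, as Dan said, and it does not interfere.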

4. rebuild cyrus sasl and install it
# ./cyrus-sasl.SlackBuild
# installpkg /tmp/cyrus...

5. download the Slackware official sendmail build stuff
https://dfw.mirror.rackspace.com/slackware/slackware64-14.2/source/n/sendmail/
and rebuild it so it picks up the new SASL, then install it.

6. cd /usr/share/sendmail/cf/cf
   edit sendmail-slackware-tls-sasl.mc and add GSSAPI to the
   confAUTH_MECHANISMS as well as the TRUST_AUTH_MECHANISMS and perhaps
   make other changes as needed.

7. ./Build sendmail-slackware-tls-sasl.mc
   cp sendmail-slackware-tls-sasl.cf /etc/mail && cd /etc/mail
   cp sendmail.cf sendmail.cf.orig
   cp sendmail-slackware-tls-sasl.cf sendmail.cf
   /etc/rc.d/rc.sendmail restart
   telnet localhost 25
   ehlo test.org

   and you should see GSSAPI listed next to AUTH
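The three things steps 4, 6 and 7 above leave to the eye (the plugin landed, the .mc lists GSSAPI in both mechanism lines, the EHLO banner offers it) can be checked with a few shell functions. This is an added example, not code from the thread or from the Slackware build scripts. It assumes the cyrus-sasl plugin directory is /usr/lib64/sasl2 and the GSSAPI plugin is named libgssapiv2.so, that the .mc file uses the stock sendmail m4 lines TRUST_AUTH_MECH(`...') and define(`confAUTH_MECHANISMS', `...'), and that nc(1) is installed for the optional live probe; the .mc excerpt and EHLO reply embedded below are constructed samples, not captured output.

```shell
#!/bin/sh
# Added example (not from the thread or the Slackware scripts): offline
# checks for the things steps 4, 6 and 7 tell you to inspect by eye.
# Assumptions: plugin dir /usr/lib64/sasl2, plugin file libgssapiv2.so,
# stock sendmail m4 lines TRUST_AUTH_MECH(`...') and
# define(`confAUTH_MECHANISMS', `...'), nc(1) present for the live probe.

SASL_PLUGIN_DIR=${SASL_PLUGIN_DIR:-/usr/lib64/sasl2}
q="'"   # single quote, kept in a variable to keep the sed patterns readable
bt='`'  # m4 opening quote

# Return 0 if word $2 occurs in the whitespace-separated list $1.
list_has() {
    for w in $1; do
        [ "$w" = "$2" ] && return 0
    done
    return 1
}

# Step 4: is the GSSAPI plugin shared object installed in directory $1?
sasl_gssapi_plugin_present() {
    [ -f "$1/libgssapiv2.so" ]
}

# Step 6: print the mechanism list from an .mc file read on stdin.
# $1 is "auth" (confAUTH_MECHANISMS, what the server offers) or
# "trust" (TRUST_AUTH_MECH, mechanisms whose users may relay).
mc_mechs() {
    case $1 in
        auth)  pat="^define(${bt}confAUTH_MECHANISMS${q}, *${bt}" ;;
        trust) pat="^TRUST_AUTH_MECH(${bt}" ;;
        *)     return 1 ;;
    esac
    sed -n "s/$pat//p" | sed "s/$q.*//" | head -n 1
}

# Return 0 if mechanism $2 is in list $1 ("auth"/"trust") of the .mc on stdin.
mc_has_mech() {
    list_has "$(mc_mechs "$1")" "$2"
}

# Step 7: print the mechanisms from the 250-AUTH line of an EHLO reply on
# stdin (handles CRLF and the "AUTH=" spelling some servers use).
auth_mechs() {
    tr -d '\r' | sed -n 's/^250[- ]AUTH[ =]//p' | head -n 1
}

# Return 0 if the EHLO reply on stdin advertises mechanism $1.
has_mech() {
    list_has "$(auth_mechs)" "$1"
}

# Live probe against a running sendmail (not run here). Usage:
#   probe_ehlo mailhost client.example.test | has_mech GSSAPI
probe_ehlo() {
    printf 'EHLO %s\r\nQUIT\r\n' "${2:-localhost}" | nc -w 5 "${1:-localhost}" 25
}

# Constructed samples in the shape of a Slackware .mc and of a sendmail
# EHLO reply after the GSSAPI change; neither is captured output.
MC_SAMPLE=$(cat <<'EOF'
dnl constructed excerpt in the style of sendmail-slackware-tls-sasl.mc
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
EOF
)
EHLO_SAMPLE='220 mail.example.test ESMTP Sendmail; Tue, 19 Dec 2017 23:00:00 -0500
250-mail.example.test Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-STARTTLS
250 HELP'

# Run the offline checks on the samples (a real run pipes in your own files).
for list in auth trust; do
    if printf '%s\n' "$MC_SAMPLE" | mc_has_mech "$list" GSSAPI; then
        echo "mc sample: GSSAPI present in $list list"
    else
        echo "mc sample: GSSAPI missing from $list list"
    fi
done
if printf '%s\n' "$EHLO_SAMPLE" | has_mech GSSAPI; then
    echo "EHLO sample: GSSAPI offered"
else
    echo "EHLO sample: GSSAPI not offered"
fi
if sasl_gssapi_plugin_present "$SASL_PLUGIN_DIR"; then
    echo "$SASL_PLUGIN_DIR: libgssapiv2.so installed"
else
    echo "$SASL_PLUGIN_DIR: libgssapiv2.so not found (rebuild step 4?)"
fi
```

On the rebuilt host, `probe_ehlo localhost | has_mech GSSAPI` replaces the telnet session in step 7, and `mc_has_mech auth GSSAPI < sendmail-slackware-tls-sasl.mc` catches a step 6 edit that only touched one of the two lines before you run Build.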
