question on cyrus authentication

Erik Myllymaki erik.myllymaki at aviawest.com
Fri Jun 25 15:27:44 EDT 2004



Ken Murchison wrote:

> Erik Myllymaki wrote:
>
>>
>> Sebastian Hagedorn wrote:
>>
>>> Hi,
>>>
>>> -- Erik Myllymaki <erik.myllymaki at aviawest.com> is rumored to have 
>>> mumbled on Freitag, 25. Juni 2004 7:49 Uhr -0700 regarding question 
>>> on cyrus authentication:
>>>
>>>> I have a mail server running Exim 4.21 and Cyrus 2.1.17.
>>>>
>>>> I use sasldb2 for the passwords. This requires a client that knows
>>>> CRAM-MD5.
>>>
>>> why would you say that? Most mechanisms work with sasldb ... we 
>>> don't use Exim but Sendmail, but that shouldn't be relevant.
>>>
>>>> I have Exim set up to use the same sasldb2 database for SMTP
>>>> authentication, as well.
>>>>
>>>> So far this has been fine because my clients have been *force-fed*
>>>> Thunderbird and Squirrelmail as clients and they both understand CRAM-MD5.
>>>>
>>>> Now, I will have 30 more users moving over to this mail server, but they
>>>> ALL use Outlook Express, and I know that OE does not do CRAM-MD5.
>>>> Obviously I do not want to start using local user passwords AND sasldb2
>>>> passwords for all these users (and more to follow). Also, I have to make
>>>> a decision and deploy it by July 1st.
>>>>
>>>> So, my options that I see are:
>>>>
>>>> 1.   Force them all to use Thunderbird.
>>>>
>>>> 2.   Use local user accounts and passwords for all of them and use TLS to
>>>> secure the PLAINTEXT logins. I already have TLS configured.
>>>
>>> You should do that anyway.
>>>
>>>> 3. *Somehow*, configure Cyrus and Exim to allow both PLAINTEXT over TLS
>>>> and CRAM-MD5 logins.
>>>
>> OK, I am now quite confused - just how are my users authenticating to 
>> /etc/sasldb2 ?
>>
>> [erik at mail root]# saslauthd -v
>> saslauthd 2.1.17
>> authentication mechanisms: getpwent pam rimap shadow ldap
>>
>> So no sasldb there...
>
>
> That's because shared secret mechanisms like CRAM-MD5 don't use 
> saslauthd at all, they always use an auxprop plugin like sasldb. 
> saslauthd is *only* used for plaintext verification.
>
>>
>> [erik at mail root]# cat /etc/imapd.conf
>> configdirectory: /var/imap
>> partition-default: /var/spool/imap
>> admins: root cyrus
>> sieveusehomedir: false
>> sievedir: /var/imap/sieve
>> allowanonymouslogin: no
>> hashimapspool: true
>> sasl_pwcheck_method: saslauthd
>
>                        ^^^^^^^^^^
> As Sebastian has already said, change this to 'auxprop',
> and for completeness add:
>
> auxprop_plugin: sasldb
>
...trimmed...

Couldn't see the forest for the trees. Thanks, that did the trick.

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
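
The distinction drawn in the thread (a shared-secret mechanism such as CRAM-MD5 needs the stored secret itself, while a plaintext login only needs a yes/no password check), as an added Python example that is not part of the original messages and is not Cyrus SASL code. The user name, password, challenge and the `password_verifier` helper are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample data: user, password and challenge are made up.
SECRETS = {"erik": "s3cret-example"}  # stands in for an auxprop store such as sasldb
CHALLENGE = b"<1896.697170952@mail.example.org>"


def cram_md5_response(user: str, password: str, challenge: bytes) -> bytes:
    """Client side (RFC 2195): base64("user " + hex(HMAC-MD5(password, challenge)))."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())


def verify_cram_md5(response_b64: bytes, challenge: bytes, secrets: dict) -> bool:
    """Server side: the digest can only be recomputed from the stored secret."""
    user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    secret = secrets.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.encode())


def password_verifier(user: str, password: str) -> bool:
    """Hypothetical yes/no checker (the role saslauthd plays): it confirms a
    password but never hands the stored secret back to the caller."""
    stored = SECRETS.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def verify_plain(message: bytes, check_password) -> bool:
    """Server side for PLAIN (RFC 4616): authzid NUL authcid NUL passwd.
    The password arrives in the clear (hence TLS), so any yes/no verifier
    callback is enough to check it."""
    parts = message.split(b"\0")
    if len(parts) != 3:
        return False
    return check_password(parts[1].decode(), parts[2].decode())


if __name__ == "__main__":
    resp = cram_md5_response("erik", "s3cret-example", CHALLENGE)
    print("CRAM-MD5, secret store available:", verify_cram_md5(resp, CHALLENGE, SECRETS))
    print("CRAM-MD5, no secret store:", verify_cram_md5(resp, CHALLENGE, {}))
    print("PLAIN via verifier:", verify_plain(b"\0erik\0s3cret-example", password_verifier))
```

The CRAM-MD5 response never contains the password, so a yes/no verifier has nothing to check it against; only a backend that can return the secret can validate it.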



