question on cyrus authentication
ken at oceana.com
Fri Jun 25 15:19:12 EDT 2004
Erik Myllymaki wrote:
> Sebastian Hagedorn wrote:
>> -- Erik Myllymaki <erik.myllymaki at aviawest.com> is rumored to have
>> mumbled on Freitag, 25. Juni 2004 7:49 Uhr -0700 regarding question on
>> cyrus authentication:
>>> I have a mail server running Exim 4.21 and Cyrus 2.1.17.
>>> I use sasldb2 for the passwords. This requires a client that knows
>> why would you say that? Most mechanisms work with sasldb ... we don't
>> use Exim but Sendmail, but that shouldn't be relevant.
>>> I have Exim setup to use the same sasldb2 database for SMTP
>>> authentication, as well.
>>> So far this has been fine because my clients have been *force-fed*
>>> Thunderbird and Squirrelmail as clients and they both understand
>>> Now, I will have 30 more users moving over to this mail server, but they
>>> ALL use Outlook Express, and I know that OE does not do CRAM-MD5.
>>> Obviously I do not want to start using local user passwords AND sasldb2
>>> passwords for all these users (and more to follow). Also, I have to make
>>> a decision and deploy it by July 1st.
>>> So, my options that I see are:
>>> 1. Force them all to use Thunderbird.
>>> 2. Use local user accounts and passwords for all of them and use
>>> TLS to
>>> secure the PLAINTEXT logins. I already have TLS configured.
>> You should do that anyway.
>>> 3. *Somehow*, configure Cyrus and Exim to allow both PLAINTEXT over TLS
>>> and CRAM-MD5 logins.
> OK, I am now quite confused - just how are my users authenticating to
> /etc/sasldb2 ?
> [erik at mail root]# saslauthd -v
> saslauthd 2.1.17
> authentication mechanisms: getpwent pam rimap shadow ldap
> So no sasldb there...
That's because shared secret mechanisms like CRAM-MD5 don't use
saslauthd at all, they always use an auxprop plugin like sasldb.
saslauthd is *only* used for plaintext verification.
> [erik at mail root]# cat /etc/imapd.conf
> configdirectory: /var/imap
> partition-default: /var/spool/imap
> admins: root cyrus
> sieveusehomedir: false
> sievedir: /var/imap/sieve
> allowanonymouslogin: no
> hashimapspool: true
> sasl_pwcheck_method: saslauthd
As Sebastian has already said, change this to 'auxprop',
and for completeness add:
> sasl_mech_list: PLAIN LOGIN RC4-MD5 CRAM-MD5
Unless you have written/installed your own RC4-MD5 plugin, this is useless.
> lmtp_allowplaintext: true
> lmtp_downcase_rcpt: yes
> tls_cert_file: /var/imap/server.pem
> tls_ca_file: /var/imap/server.pem
> tls_key_file: /var/imap/server.pem
> And here's how saslauthd is called:
> ps ax:
> 1259 ? S 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd/mux
> -a shadow
> Cyrus Home Page: http://asg.web.cmu.edu/cyrus
> Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26 Orchard Park, NY 14127
--PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
More information about the Info-cyrus