question on cyrus authentication

Ken Murchison ken at oceana.com
Fri Jun 25 15:19:12 EDT 2004


Erik Myllymaki wrote:

> 
> 
> Sebastian Hagedorn wrote:
> 
>> Hi,
>>
>> -- Erik Myllymaki <erik.myllymaki at aviawest.com> is rumored to have 
>> mumbled on Friday, 25 June 2004 7:49 -0700 regarding question on 
>> cyrus authentication:
>>
>>> I have a mail server running Exim 4.21 and Cyrus 2.1.17.
>>>
>>> I use sasldb2 for the passwords. This requires a client that knows
>>> CRAM-MD5.
>>
>> Why would you say that? Most mechanisms work with sasldb ... we don't 
>> use Exim but Sendmail, but that shouldn't be relevant.
>>
>>> I have Exim setup to use the same sasldb2 database for SMTP
>>> authentication, as well.
>>>
>>> So far this has been fine because my clients have been *force-fed*
>>> Thunderbird and Squirrelmail as clients and they both understand 
>>> CRAM-MD5.
>>>
>>> Now, I will have 30 more users moving over to this mail server, but they
>>> ALL use Outlook Express, and I know that OE does not do CRAM-MD5.
>>> Obviously I do not want to start using local user passwords AND sasldb2
>>> passwords for all these users (and more to follow). Also, I have to make
>>> a decision and deploy it by July 1st.
>>>
>>> So, my options that I see are:
>>>
>>> 1.   Force them all to use Thunderbird.
>>>
>>> 2.   Use local user accounts and passwords for all of them and use 
>>> TLS to
>>> secure the PLAINTEXT logins. I already have TLS configured.
>>
>> You should do that anyway.
>>
>>> 3. *Somehow*, configure Cyrus and Exim to allow both PLAINTEXT over TLS
>>> and CRAM-MD5 logins.
>>
> OK, I am now quite confused - just how are my users authenticating to 
> /etc/sasldb2 ?
> 
> [erik at mail root]# saslauthd -v
> saslauthd 2.1.17
> authentication mechanisms: getpwent pam rimap shadow ldap
> 
> So no sasldb there...

That's because shared secret mechanisms like CRAM-MD5 don't use 
saslauthd at all, they always use an auxprop plugin like sasldb. 
saslauthd is *only* used for plaintext verification.

> 
> [erik at mail root]# cat /etc/imapd.conf
> configdirectory: /var/imap
> partition-default: /var/spool/imap
> admins: root cyrus
> sieveusehomedir: false
> sievedir: /var/imap/sieve
> allowanonymouslogin: no
> hashimapspool: true
> sasl_pwcheck_method: saslauthd
                        ^^^^^^^^^^
As Sebastian has already said, change this to 'auxprop',
and for completeness add:

auxprop_plugin: sasldb

> sasl_mech_list: PLAIN LOGIN RC4-MD5 CRAM-MD5
                               ^^^^^^^^
Unless you have written/installed your own RC4-MD5 plugin, this is useless.

> lmtp_allowplaintext: true
> lmtp_downcase_rcpt: yes
> tls_cert_file: /var/imap/server.pem
> tls_ca_file: /var/imap/server.pem
> tls_key_file: /var/imap/server.pem
> unixhierarchysep: yes
> 
> And here's how saslauthd is called:
> 
> ps ax:
> .
> .
> .
> 1259 ?        S      0:00 /usr/sbin/saslauthd -m /var/run/saslauthd/mux 
> -a shadow
> .
> .
> .


-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
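
To make Ken's distinction concrete, here is an added example (written for this page; it is not Cyrus SASL or Cyrus IMAP code) that models the two kinds of backend and runs a CRAM-MD5 (RFC 2195) exchange and a PLAIN (RFC 2595) exchange against each. The user name, password, hostname and the PBKDF2 stand-in for crypt(3) are all constructed; sasldb is reduced to "a store that hands back the shared secret" and saslauthd with -a shadow to "a yes/no check on a plaintext password", which is the only property that matters for the point above. The block also checks the published RFC 2195 test vector and shows that a captured CRAM-MD5 answer is useless against a fresh challenge.

```python
"""CRAM-MD5 vs. PLAIN against two password backends: why a challenge/response
mechanism needs the secret itself (auxprop/sasldb) while a verify-only backend
(saslauthd) can only serve plaintext mechanisms. Added example; all names,
passwords and the PBKDF2 stand-in for crypt(3) are constructed."""
import base64
import hashlib
import hmac
import os
import secrets
import time


class SasldbStore:
    """Model of an auxprop plugin such as sasldb: returns the shared secret."""
    def __init__(self):
        self._secrets = {}

    def set_password(self, user, password):  # the effect of saslpasswd2
        self._secrets[user] = password

    def get_secret(self, user):
        return self._secrets.get(user)


class ShadowVerifier:
    """Model of 'saslauthd -a shadow': keeps only a salted one-way hash and
    offers nothing but a yes/no check of a plaintext password. No get_secret()."""
    def __init__(self):
        self._hashes = {}

    @staticmethod
    def _hash(password, salt):  # PBKDF2 stands in for crypt(3) here
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user, password):
        salt = os.urandom(16)
        self._hashes[user] = (salt, self._hash(password, salt))

    def verify(self, user, password):
        rec = self._hashes.get(user)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, self._hash(password, salt))


def supports_cram_md5(backend):
    """Only a backend that returns the secret can key the HMAC."""
    return hasattr(backend, "get_secret")


def cram_md5_challenge(hostname="mail.example.invalid"):
    """Server's first message, '<pid.timestamp@host>' as in RFC 2195 (random
    number in place of the pid)."""
    return "<%d.%d@%s>" % (secrets.randbelow(1 << 16), int(time.time()), hostname)


def cram_md5_response(user, secret, challenge):
    """Client: 'user ' + hex HMAC-MD5(secret, challenge)."""
    return "%s %s" % (user, hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest())


def cram_md5_verify(backend, challenge, response):
    """Server: recompute the HMAC from the stored secret and compare."""
    if not supports_cram_md5(backend):
        return False  # saslauthd-style backend: nothing to key the HMAC with
    try:
        user, digest = response.split(" ", 1)
    except ValueError:
        return False
    secret = backend.get_secret(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def plain_response(user, password, authzid=""):
    """Client: authzid NUL authcid NUL password, base64 on the wire."""
    return base64.b64encode(("%s\0%s\0%s" % (authzid, user, password)).encode()).decode()


def plain_verify(backend, response_b64):
    """Server: any backend that can check a plaintext password will do."""
    try:
        _authzid, user, password = base64.b64decode(response_b64).decode().split("\0")
    except ValueError:
        return False
    if hasattr(backend, "verify"):
        return backend.verify(user, password)
    stored = backend.get_secret(user) or ""
    return hmac.compare_digest(stored.encode(), password.encode())


def run_exchanges(user="erik", password="correct horse battery staple"):
    """Constructed walk-through of the situation in the thread."""
    sasldb, shadow = SasldbStore(), ShadowVerifier()
    sasldb.set_password(user, password)
    shadow.set_password(user, password)
    chal = cram_md5_challenge()
    good = cram_md5_response(user, password, chal)
    bad = cram_md5_response(user, "not the password", chal)
    return {
        "cram_sasldb": cram_md5_verify(sasldb, chal, good),           # Thunderbird + sasldb
        "cram_sasldb_wrong": cram_md5_verify(sasldb, chal, bad),
        "cram_shadow": cram_md5_verify(shadow, chal, good),           # CRAM-MD5 via saslauthd: impossible
        "cram_replay": cram_md5_verify(sasldb, "<1.0@mail.example.invalid>", good),
        "plain_shadow": plain_verify(shadow, plain_response(user, password)),  # OE over TLS
        "plain_sasldb": plain_verify(sasldb, plain_response(user, password)),
        "plain_shadow_wrong": plain_verify(shadow, plain_response(user, "not the password")),
    }


if __name__ == "__main__":
    for name, ok in run_exchanges().items():
        print("%-20s %s" % (name, "OK" if ok else "FAIL"))
```

The configuration counterpart is what Ken and Sebastian already said: sasl_pwcheck_method: auxprop, auxprop_plugin: sasldb, and a mech list of PLAIN LOGIN CRAM-MD5 (RC4-MD5 dropped). Set allowplaintext: no so that PLAIN and LOGIN are only advertised once STARTTLS is up; then the Outlook Express users log in with plaintext over TLS and Thunderbird keeps using CRAM-MD5, all against the same sasldb2. The price of CRAM-MD5 is visible in the model: sasldb must hold the secret in recoverable form, so /etc/sasldb2 needs to be readable by the Cyrus user only.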