Horde/IMP authentication to Cyrus via client certificates?

pascal at linuxorable.net
Thu Feb 17 22:16:14 EST 2005


Quoting "Kevin P. Fleming" <kpfleming at starnetworks.us>:

> Edward Rudd wrote:
>
>> This is really a Cyrus-SASL topic. as Cyrus IMAP doesn't really care how
>> the user gets authenticated, only that the SASL layer authenticates the
>> users.  So client certificate authentication would have to be added as a
>> SASL authentication module.
>
> It's never been clear to me where IMAP stops and SASL starts as it 
> relates to this... but it's my impression that Cyrus SASL has nothing 
> at all to do with SSL/TLS, and only handles the authentication 
> details after Cyrus IMAP has collected them.
>
SSL/TLS starts before authentication: you can see in the logs the STARTTLS command
before authentication:

cyrus/imapd[15511]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
cyrus/imapd[15511]: login: localhost[127.0.0.1] pascal plaintext+TLS

The "no authentication" at the end of the first line is due to client 
certicats
are not allowed with webmail (c-client library doesn't support it)
But the connection has well been crypted like passwd and login.

Therefore, Cyrus collects the login and password after TLS has started.

Using TLS between Postfix and Horde will produce these logs:

postfix/smtpd[15609]: starting TLS engine <== TLS starts
postfix/smtpd[15609]: match_string: fast_flush_domains ~? debug_peer_list
postfix/smtpd[15609]: match_string: fast_flush_domains ~? fast_flush_domains
postfix/smtpd[15609]: watchdog_create: 0x80911c8 18000
postfix/smtpd[15609]: watchdog_stop: 0x80911c8
postfix/smtpd[15609]: watchdog_start: 0x80911c8
postfix/smtpd[15609]: connection established <== Encrypted connection is OK
[...]
postfix/smtpd[15609]: > camomile.cloud9.net[168.100.1.3]: 220 euphorie.linuxorable.net ESMTP Postfix (Debian/GNU)
postfix/smtpd[15609]: watchdog_pat: 0x80911c8
postfix/smtpd[15609]: < camomile.cloud9.net[168.100.1.3]: EHLO camomile.cloud9.net
postfix/smtpd[15609]: > camomile.cloud9.net[168.100.1.3]: 250-euphorie.linuxorable.net
postfix/smtpd[15609]: > camomile.cloud9.net[168.100.1.3]: 250-PIPELINING
postfix/smtpd[15609]: > camomile.cloud9.net[168.100.1.3]: 250-SIZE 20480000
postfix/smtpd[15609]: > camomile.cloud9.net[168.100.1.3]: 250-ETRN
postfix/smtpd[15609]: > camomile.cloud9.net[168.100.1.3]: 250-STARTTLS
postfix/smtpd[15609]: > camomile.cloud9.net[168.100.1.3]: 250-AUTH NTLM DIGEST-MD5 CRAM-MD5

You can see that TLS starts before the authentication commands begin (last 9 lines).

TLS encrypts the connection so that the login and password (which represent the
authentication) are encrypted too.
The mail will be encrypted too until it is posted to the mailbox, where it is
no longer encrypted.

If this can help you...

Pascal

> I guess that means that what I want to do will actually require 
> changes in both Cyrus IMAP and SASL... time for more research :-)
> ---
> Cyrus Home Page: http://asg.web.cmu.edu/cyrus
> Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>
>



----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
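The ordering Pascal points out above (a "starttls:" line first, then a "login:" line whose mechanism carries the "+TLS" suffix) can be checked mechanically across a whole log. What follows is an added example, not code from the original post, from Horde or from Cyrus: a small Python audit over constructed imapd log lines in the syslog format shown in the thread. It keys a session by the imapd PID (an assumption of mine; the two lines in the post share PID 15511) and flags plaintext logins that were not preceded by a starttls line from the same process. The sample lines, hostnames and users are constructed.

```python
import re
from collections import defaultdict

# Constructed sample Cyrus imapd log lines (not taken from the post), modelled on
# the format quoted in the thread: "starttls:" when TLS is negotiated, "login:"
# when SASL authentication completes. PID 1002 never negotiated TLS.
SAMPLE_LOG = """\
cyrus/imapd[15511]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
cyrus/imapd[15511]: login: localhost[127.0.0.1] pascal plaintext+TLS
cyrus/imapd[1002]: login: client.example[192.0.2.10] bob plaintext
cyrus/imapd[1003]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
cyrus/imapd[1003]: login: other.example[192.0.2.11] alice CRAM-MD5+TLS
"""

# Matches the two event types the audit cares about; everything else is ignored.
LINE_RE = re.compile(
    r"cyrus/imapd\[(?P<pid>\d+)\]: (?P<event>starttls|login): (?P<rest>.*)"
)


def parse(log_text):
    """Yield (pid, event, rest) for each recognised imapd line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("pid"), m.group("event"), m.group("rest")


def audit_logins(log_text):
    """Return one record per login stating whether TLS was negotiated first.

    Sessions are keyed by imapd PID (assumption: one client session at a time
    per process, which is how the quoted log lines read). The check is
    two-sided on purpose: the "+TLS" suffix on the mechanism and a preceding
    "starttls:" line from the same PID should agree; a mismatch is worth a look.
    """
    tls_before = defaultdict(bool)
    records = []
    for pid, event, rest in parse(log_text):
        if event == "starttls":
            tls_before[pid] = True
        elif event == "login":
            host, user, mech = rest.split()[:3]   # "host[ip] user mech[+TLS]"
            records.append({
                "pid": pid,
                "host": host,
                "user": user,
                "mech": mech,
                "tls_before_login": tls_before[pid],
                "mech_claims_tls": mech.endswith("+TLS"),
            })
            tls_before[pid] = False  # session finished; a reused PID starts fresh
    return records


def exposed_logins(records):
    """Logins where a cleartext password crossed the wire without TLS.

    Only the plaintext mechanism sends the password itself; a challenge-response
    mechanism without TLS is weaker than it should be but is not flagged here.
    """
    return [
        r for r in records
        if r["mech"].split("+")[0].lower() == "plaintext"
        and not (r["tls_before_login"] or r["mech_claims_tls"])
    ]


if __name__ == "__main__":
    recs = audit_logins(SAMPLE_LOG)
    for r in recs:
        print(r)
    print("exposed:", [r["user"] for r in exposed_logins(recs)])
```

Run against a real Cyrus syslog the PID keying still holds for the quoted format, but the login line of newer Cyrus versions carries extra trailing fields, which is why only the first three tokens are read.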

