crypted password
Igor Brezac
igor at ipass.net
Fri May 27 14:37:24 EDT 2005
On Fri, 27 May 2005, carole gimenez wrote:
> Hi all,
>
> I use cyrus-imapd-2.2.10, cyrus-sasl-2.1.20 and openldap-2.2.18.
>
> I authenticate users against our ldap server. For that, i use the saslauthd
> daemon with the plain mechanism.
>
> Is the user password encrypted, or does it pass in cleartext between the
> cyrus-imap server and the ldap server?
It is passed in clear text when you use the PLAIN mech.
>
> Mail client (imaps)<==> cyrus-imap server <=> cyrus-sasl server <=> ldap
> server
>
You transport-protect the password from the mail client to the cyrus-imap
server. Things are not protected between saslauthd and the ldap server.
(You are OK if both saslauthd and the ldap server are on the same host,
although some consider this type of setup a potential security
vulnerability.)
>
> Can somebody clear up my ideas and explain the mechanism to me?
Please read cyrus documentation: $cyrus-(imapd|sasl)-src/doc
-Igor
>
>
> Thanks in advance.
>
>
> Here are the different configuration files of cyrus-imap and cyrus-sasl:
>
> * /usr/lib/sasl2/Cyrus.conf
> pwcheck_method: saslauthd
> mech_list: plain
>
> * /etc/saslauthd.conf
> ldap_servers: ldap://127.0.0.1/ ldap://xxxxx:389/
> ldap_auth_method: custom
> ldap_bind_dn: uid=cyrus,ou=appli,dc=ups-tlse,dc=fr
> ldap_password: xxxxxx
> ldap_search_base: dc=ups-tlse,dc=fr
> #ldap_filter: cn=%u
>
> * /etc/cyrus.conf
> # standard standalone server implementation
>
> START {
> # do not delete this entry!
> recover cmd="/usr/local/cyrus_imapd/cyrus/bin/ctl_cyrusdb -r"
>
> # this is only necessary if using idled for IMAP IDLE
> # idled cmd="idled"
>
> # this is useful on backend nodes of a Murder cluster
> # it causes the backend to synchronize its mailbox list with
> # the mupdate master upon startup
> # mupdatepush cmd="/usr/local/cyrus_imapd/cyrus/bin/ctl_mboxlist -m"
>
> # this is recommended if using duplicate delivery suppression
> delprune cmd="/usr/local/cyrus_imapd/cyrus/bin/ctl_deliver -E 3"
> # this is recommended if caching TLS sessions
> tlsprune cmd="/usr/local/cyrus_imapd/cyrus/bin/tls_prune"
> }
>
> # UNIX sockets start with a slash and are put into /var/imap/socket
> # you can use a maxchild=# to limit the maximum number of forks of a service
> # you can use babysit=true and maxforkrate=# to keep tight tabs on the service
> # most services also accept -U (limit number of reuses) and -T (timeout)
>
> SERVICES {
> # add or remove based on preferences
> #imap cmd="imapd" listen="imap" prefork=0
> imaplocal cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:imap" prefork=0
> imaps cmd="imapd -s -U 30" listen="130.120.74.17:imaps" prefork=0 maxchild=100
> # pop3 cmd="pop3d" listen="pop3" prefork=0
> # pop3s cmd="pop3d -s" listen="pop3s" prefork=0
> sieve cmd="timsieved" listen="sieve" prefork=0
>
> # these are only necessary if receiving/exporting usenet via NNTP
> # nntp cmd="nntpd" listen="nntp" prefork=0
> # nntps cmd="nntpd -s" listen="nntps" prefork=0
>
> # at least one LMTP is required for delivery
> # lmtp cmd="lmtpd" listen="lmtp" prefork=0
> lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0 maxchild=20
>
> # this is only necessary if using notifications
> notify cmd="notifyd" listen="/var/imap/socket/notify" proto="udp" prefork=1
> }
>
> EVENTS {
> # this is required
> checkpoint cmd="/usr/local/cyrus_imapd/cyrus/bin/ctl_cyrusdb -c" period=30
>
> # this is only necessary if using duplicate delivery suppression,
> # Sieve or NNTP
> # delprune cmd="cyr_expire -E 3" at=0400
> delprune cmd="/usr/local/cyrus_imapd/cyrus/bin/ctl_deliver -E 3" at=0401
>
> # this is only necessary if caching TLS sessions
> tlsprune cmd="/usr/local/cyrus_imapd/cyrus/bin/tls_prune" at=0401
>
> squatter cmd="/usr/local/cyrus_imapd/cyrus/bin/squatter -r user.%" at=0401
> }
>
>
> * /etc/imapd-local.conf (for cyrus account administration)
> configdirectory: /var/imap
> partition-default: /var/spool/imap
> admins: cyrus
> sievedir: /var/imap/sieve
> sendmail: /usr/sbin/sendmail
> hashimapspool: true
> maxmessagesize: 5000000
> #allowplaintext: 0
> sasl_pwcheck_method: saslauthd
> sasl_option: 1
> sasl_mech_list: plain
> sasl_auto_transition: 1
> servername: pc-systeme.cict.fr
> lmtp_downcase_rcpt: 1
> mailnotifier: log
>
>
> * /etc/imapd.conf
> configdirectory: /var/imap
> partition-default: /var/spool/imap
> #admins: cyrus
> sievedir: /var/imap/sieve
> sendmail: /usr/sbin/sendmail
> hashimapspool: true
> maxmessagesize: 5000000
> sasl_pwcheck_method: saslauthd
> sasl_option: 1
> sasl_mech_list: plain
> sasl_auto_transition: 1
> servername: pc-systeme.cict.fr
> lmtp_downcase_rcpt: 1
> mailnotifier: log
> tls_ca_file: /usr/share/ssl/mon_AC/private/mon_AC.crt
> tls_cert_file: /usr/share/ssl/mon_AC/certs/server_signed.pem
> tls_key_file: /usr/share/ssl/mon_AC/private/server_tls.pem
>
>
>
> ---
> Cyrus Home Page: http://asg.web.cmu.edu/cyrus
> Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>
--
Igor
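Igor's point above is that the hop from saslauthd to the LDAP server carries the credential unprotected unless both run on the same host. The following is an added example, not part of the original thread or of the Cyrus project: a small POSIX shell audit that reads a `saslauthd.conf`, and flags any non-loopback `ldap://` server that is not paired with `ldap_start_tls: yes` (the option names `ldap_start_tls`, `ldap_tls_check_peer` and `ldap_tls_cacert_file` are saslauthd's LDAP backend options; the two sample config files, their hostnames, DNs and certificate path are constructed placeholders, and the policy the check applies is an assumption of this example).

```shell
#!/bin/sh
# Added example (not from the list post): audit a saslauthd.conf for an LDAP
# backend that is reached over an unprotected ldap:// connection.
# Policy (assumption of this example): every ldap:// URL in ldap_servers that
# is not a loopback address must be paired with "ldap_start_tls: yes";
# ldaps:// URLs are accepted as already transport-protected.

# Print the last value given for a key in saslauthd.conf format ("key: value").
# Commented-out keys (leading '#') are ignored, as saslauthd ignores them.
conf_value() {
    # $1 = key, $2 = file
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | tail -n 1
}

# Return 0 if the saslauthd -> LDAP hop is transport-protected, 1 otherwise.
check_saslauthd_conf() {
    file=$1
    servers=$(conf_value ldap_servers "$file")
    starttls=$(conf_value ldap_start_tls "$file")
    rc=0
    for url in $servers; do
        case $url in
            ldaps://*) ;;                            # TLS from the first byte
            ldap://127.0.0.1*|ldap://localhost*) ;;  # same host, no network hop
            ldap://*)
                if [ "$starttls" != "yes" ]; then
                    echo "WEAK: $file: $url used without ldap_start_tls: yes" >&2
                    rc=1
                fi
                ;;
            *) echo "UNKNOWN scheme in $file: $url" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Write two constructed sample files into a temp dir and print its path:
# weak.conf mirrors the shape of the poster's file, hardened.conf adds TLS.
write_samples() {
    dir=$(mktemp -d)
    cat >"$dir/weak.conf" <<'EOF'
# constructed sample: remote directory reached over plain ldap://
ldap_servers: ldap://127.0.0.1/ ldap://ldap.example.invalid:389/
ldap_auth_method: custom
ldap_bind_dn: uid=cyrus,ou=appli,dc=example,dc=invalid
ldap_password: REPLACE_ME
ldap_search_base: dc=example,dc=invalid
EOF
    cat >"$dir/hardened.conf" <<'EOF'
# constructed sample: same directory, StartTLS required and the CA pinned
ldap_servers: ldap://127.0.0.1/ ldap://ldap.example.invalid:389/
ldap_auth_method: custom
ldap_bind_dn: uid=cyrus,ou=appli,dc=example,dc=invalid
ldap_password: REPLACE_ME
ldap_search_base: dc=example,dc=invalid
ldap_start_tls: yes
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /etc/ssl/certs/directory-ca.pem
EOF
    echo "$dir"
}

# Stand-alone run: audit both samples and report.
samples=$(write_samples)
for f in "$samples/weak.conf" "$samples/hardened.conf"; do
    if check_saslauthd_conf "$f"; then
        echo "$f: OK"
    else
        echo "$f: needs attention"
    fi
done
```

Run it against a real file with `check_saslauthd_conf /etc/saslauthd.conf`; the loopback exception encodes Igor's "same host" case, and `ldap_tls_check_peer: yes` in the hardened sample is what makes the StartTLS upgrade verify the directory's certificate rather than merely encrypt.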