Solved: RE: Configuring Cyrus IMAP for multiple domains (virtdomains problem)
ogjunk-cyrus at yahoo.com
Tue May 17 17:13:53 EDT 2005
Here is my solution (plain text password passing only.....hm):
1. /etc/imapd.conf:
sasl_pwcheck_method: auxprop # NOT saslauthd
sasl_mech_list: PLAIN
allowplaintext: yes
2. service saslauthd stop # saslauthd is not needed
3. /etc/pam.d/imap:
#%PAM-1.0
auth required /lib/security/pam_stack.so service=system-auth
#account required /lib/security/pam_stack.so service=system-auth
## the account line would require a real system/UNIX account
## the auth line lets me create "virtual users"
4. create users / passwords in sasldb2:
# saslpasswd2 -c feedback
Password:
Again (for verification):
# sasldblistusers2
feedback at localhost.localdomain: userPassword
5. test username / password:
# /usr/lib/cyrus-imapd/imtest -a feedback -w PASSWORDHERE localhost
S: * OK localhost.localdomain Cyrus IMAP4 v2.2.6-Invoca-RPM-2.2.6-2.FC3.6 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS LISTEXT LIST-SUBSCRIBED X-NETSCAPE
S: C01 OK Completed
C: L01 LOGIN feedback {12}
S: + go ahead
C: <omitted>
S: L01 OK User logged in
Authenticated.
Security strength factor: 0
C: Q01 LOGOUT
Connection closed.
So that works without actually having "feedback" system user:
# finger feedback
finger: feedback: no such user.
Now ... this uses plain-text passwords, from what I understand. I
assume that refers to how they are stored in /etc/sasldb2 - Oh, yes,
"strings /etc/sasldb2" shows them all very clearly! :(((
Hm, how does one go about encrypting that...
Thanks,
Otis
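An added check, not from this thread or the Cyrus project, that parses the settings Otis ended up with (constructed inline from this message) and flags the two exposures he noticed: PLAIN accepted with no TLS layer (imtest reported security strength factor 0) and recoverable secrets in sasldb2. audit_sasldb_mode takes the permission bits as an int so it runs without the real file; the hardened variant keeps auxprop but turns allowplaintext off and adds the TLS keys, so cleartext mechanisms are only accepted after STARTTLS.

```python
import stat

# Constructed from the settings quoted in this thread (not a real file):
# Otis's final imapd.conf, which keeps cleartext secrets in sasldb2 and
# lets PLAIN run with no TLS layer (imtest showed security strength factor 0).
WEAK_CONF = """\
sasl_pwcheck_method: auxprop   # NOT saslauthd
sasl_mech_list: PLAIN
allowplaintext: yes
"""

# Same setup with the on-the-wire exposure removed (still auxprop/sasldb2).
HARDENED_CONF = """\
sasl_pwcheck_method: auxprop
sasl_mech_list: PLAIN
allowplaintext: no
tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
"""

def parse_imapd_conf(text):
    """Parse 'key: value' lines; '#' starts a comment, as in the annotated lines."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit_imapd_conf(conf):
    """Return (level, message) findings about cleartext credential exposure."""
    findings = []
    mechs = conf.get("sasl_mech_list", "").upper().split()
    cleartext = [m for m in mechs if m in ("PLAIN", "LOGIN")]
    plain_ok = conf.get("allowplaintext", "no").lower() in ("yes", "1", "on", "true")
    if cleartext and plain_ok:
        findings.append(("high", "allowplaintext: yes lets %s run before STARTTLS; "
                         "set it to no so they are accepted only under TLS" % "/".join(cleartext)))
    if cleartext and "tls_cert_file" not in conf:
        findings.append(("high", "no tls_cert_file: STARTTLS cannot be offered, "
                         "so every login crosses the wire in the clear"))
    if conf.get("sasl_pwcheck_method") == "auxprop":
        findings.append(("info", "auxprop keeps recoverable secrets in sasldb2 "
                         "('strings' shows them); keep it mode 0600, owned by cyrus"))
    return findings

def audit_sasldb_mode(mode):
    """Flag a sasldb2 whose permission bits let group or others read it."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [("high", "sasldb2 readable by group/other: any local user can dump passwords")]
    return []
```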
--- Michael King <mking at webinternational.net> wrote:
> PAM has always confused me, but I recently had some issues with it,
> myself.
>
> I think you're supposed to do it the other way around - configure SASL to
> use PAM - but that won't work unless you have a mechanism set up (like
> mysql, etc) in PAM.
>
> If the logins are just stored in SASL, why use PAM at all?
>
>
> Michael King
> Systems Administrator
> Web International, Inc.
> www.webinternational.net
>
> > -----Original Message-----
> > From: owner-info-cyrus at lists.andrew.cmu.edu [mailto:owner-info-cyrus at lists.andrew.cmu.edu] On Behalf Of ogjunk-cyrus at yahoo.com
> > Sent: Tuesday, May 17, 2005 2:54 PM
> > To: info-cyrus at lists.andrew.cmu.edu
> > Subject: Re: Configuring Cyrus IMAP for multiple domains (virtdomains problem)
> >
> > Hello,
> >
> > My authentication problem is in the saslauthd -> PAM part. I think I
> > need to configure PAM to use SASL and the /etc/sasldb2 file to authenticate
> > users. It looks like it is currently checking for UNIX username / pass:
> >
> > May 17 15:48:13 localhost unix_chkpwd[28032]: check pass; user unknown
> > May 17 15:48:13 localhost imap(pam_unix)[28018]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
> > May 17 15:48:15 localhost saslauthd[28018]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
> > May 17 15:48:15 localhost saslauthd[28018]: do_auth : auth failure: [user=feedback] [service=imap] [realm=my-domain.com] [mech=pam] [reason=PAM auth error]
> >
> >
> > My /etc/pam.d/imap file looks like this:
> >
> > # cat /etc/pam.d/imap
> > #%PAM-1.0
> > auth required /lib/security/pam_stack.so service=system-auth
> > account required /lib/security/pam_stack.so service=system-auth
> >
> > I looked at /lib/security/pam_*.so shared libs, but didn't see anything
> > with *sasl* in the name.
> >
> > How should I configure PAM to use SASL and /etc/sasldb2? I think that
> > is what I need to do.
> >
> >
> > Thanks!
> >
> > Otis
> > P.S.
> > Example of OK when UNIX account exists, and NO when it doesn't:
> >
> > # man /usr/sbin/testsaslauthd
> > # /usr/sbin/testsaslauthd -u feedback -p XXX
> > 0: OK "Success."
> >
> > # userdel feedback
> >
> > # /usr/sbin/testsaslauthd -u feedback -p XXX
> > 0: NO "authentication failed"
> >
> >
> > --- ogjunk-cyrus at yahoo.com wrote:
> > > Hello,
> > >
> > > (I think this message got pushed down by the recent list spam, so I'm
> > > resending it, hoping it will catch somebody's attention)
> > >
> > > I'm trying to configure Cyrus IMAP (cyrus-imapd-2.2.6-2.FC3.6 - Fedora
> > > Core 3 package) to serve multiple domains. I have it accept email from
> > > Postfix when I don't use multiple (virtual) domains, but not with
> > > "virtdomains: yes" in /etc/imapd.conf.
> > >
> > > Here is what I have in /etc/imapd.conf:
> > >
> > > ... <standard stuff taken out> ...
> > > sasl_pwcheck_method: saslauthd
> > > sasl_mech_list: PLAIN
> > > tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
> > > tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
> > > tls_ca_file: /usr/share/ssl/certs/ca-bundle.crt
> > >
> > > # OG: added
> > > virtdomains: on
> > > defaultdomain: my-domain.com
> > > unixhierarchysep: 1
> > > loginrealms: localdomain my-domain.com
> > >
> > > If I comment out the last 4 lines, then I _can_ create new mailboxes
> > > with cyradm (e.g. createmailbox user.otis.Trash). However, I need this
> > > server to serve email for multiple domains, so I need to be able to do
> > > "cm user/otis at my-domain.com".
> > >
> > > I've followed this:
> > >
> > > http://asg.web.cmu.edu/cyrus/download/imapd/install-virtdomains.html
> > >
> > > But that results in this:
> > >
> > > cyradm -u cyrus localhost 143
> > > IMAP Password:
> > > localhost.localdomain> cm user.otis at my-domain.com
> > > createmailbox: Invalid mailbox name
> > >
> > > I also tried this:
> > >
> > > localhost.localdomain> cm user/otis at my-domain.com
> > > createmailbox: Invalid mailbox name
> > >
> > > I presume that's because Cyrus doesn't know about "my-domain.com". How
> > > do I tell it about "my-domain.com"?
> > >
> > > I also read this:
> > > http://www.phildev.net/cyrus/cyrus_sasl.html
> > >
> > > But that had a few errors, so I gave up around half of the job.
> > > Perhaps Cyrus and cyradm would know about "my-domain.com" if I called
> > > cyradm like this:
> > >
> > > cyradm -u cyrus my-domain.com 143
> > >
> > > ?
> > > I tried that, but the my-domain.com domain is not really configured yet
> > > (DNS points to a different, old machine), so I can't really try that.
> > >
> > > Any help would be appreciated.
> > >
> > > Thanks,
> > > Otis
> > > P.S.
> > > Similar thread is here, but this doesn't seem to work for me:
> > >
> > > http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&msg=35013
> > >
> > > ---
> > > Cyrus Home Page: http://asg.web.cmu.edu/cyrus
> > > Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
> > > List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
> > >
> >