Mapping users (either KerberosV or TLS certs)

Dennis Davis D.H.Davis at
Thu Jul 6 07:58:02 EDT 2006

On Thu, 6 Jul 2006, Phil Pennock wrote:

> From: Phil Pennock <info-cyrus-spodhuis at>
> To: info-cyrus at
> Date: Thu, 6 Jul 2006 02:02:01 +0200
> Subject: Mapping users (either KerberosV or TLS certs)


Can't answer any of your questions, which I've deleted.  Although
I'm using Cyrus with Kerberos5 so I'll probably look at the "admin"
question sometime in the far off future...

> Here's the config; I know that keytab's not actually used with GSSAPI,
> but I leave it in as harmless

I can't find a "keytab" option in the imapd.conf manual page.
There's a srvtab option, but that applies to Kerberos4 which you
aren't using.

> -- I set $KRB5_KTNAME in the rc startup config, which works with
> Heimdal:

It will also work with MIT's Kerberos5, but see below.

> ----------------------------8< cut here >8------------------------------
> configdirectory:        /home/imap/configs
> partition-default:      /home/imap/mail
> sievedir:               /home/imap/configs/sieve
> tls_cert_file:          /etc/cyrusimapd/domus-imapserver.crt.pem
> tls_key_file:           /etc/cyrusimapd/domus-imapserver.key.pem
> tls_ca_path:            /etc/ssl/certs/
> tls_ca_file:            /usr/share/ca-certificates/globnix/globnixCA.pem
> tls_cipher_list:        ALL:!ADH:!EXP:+HIGH:+MEDIUM:!SSLv2:@STRENGTH

I use:

# Insist on "proper", rather than "mickey-mouse", ciphers.  We'll
# expect to see high (key length > 128 bits) or medium (key length
# of 128 bits) ciphers, sorted by strength.
tls_cipher_list: HIGH:MEDIUM:@STRENGTH

Is there a reason I'm probably missing for the "!SSLv2" ?  I thought
the client and server negotiated the highest strength cipher that's
mutually acceptable.  So it should all come out in the wash.  For
example pointing pine at my experimental IMAP server I usually see:

Jul  6 12:48:32 bahamontes imap[25303]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Jul  6 12:48:32 bahamontes imap[25303]: login: [] ccsdhd GSSAPI+TLS User logged in

which looks OK to me.

> admins:                 cyrus xxx-admin xxx/admin xxx/admin at REALM.TLD
> umask: 027
> hashimapspool:          yes
> allowanonymouslogin:    no
> allowplaintext:         no
> mboxlist_db:            skiplist
> seenstate_db:           flat
> unixhierarchysep:       yes
> sasl_minimum_layer:     0
> sasl_mech_list:         external gssapi digest-md5 cram-md5
> keytab:                 /etc/kerberos/tabs/imapd.keytab

See above.  I'm fairly sure there's no "keytab" option.  However you
can set "sasl_keytab" to indicate where your Kerberos5 keytab lives.
So my configuration reads:

sasl_pwcheck_method: saslauthd
sasl_mech_list: plain gssapi

# We'll set sasl_keytab, instead of starting the master process with
# a command line of the form:
# KRB5_KTNAME=/var/imap/krb5.keytab /usr/local/libexec/cyrus-imapd/master &

sasl_keytab: /var/imap/krb5.keytab

> altnamespace: yes
> userprefix: Other Users
> sharedprefix: Shared Folders

Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis at               Phone: +44 1225 386101
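
Added example, not part of the original message and not Cyrus code: a Python check over "starttls:" log lines in the format quoted in the message, reporting sessions that negotiated a protocol below TLSv1 or fewer than 128 cipher bits. The policy thresholds, the host name and the last two sample log lines are assumptions constructed for illustration.

```python
import re

# Format taken from the starttls log line quoted in the message above:
#   starttls: <protocol> with cipher <name> (<used>/<total> bits <new|reused>) <auth text>
STARTTLS_RE = re.compile(
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: starttls: (?P<proto>\S+) with cipher "
    r"(?P<cipher>\S+) \((?P<used>\d+)/(?P<total>\d+) bits (?P<state>\w+)\) (?P<auth>.*)$"
)

# Assumed policy for this example: flag anything below TLSv1 or below 128 bits.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
MIN_BITS = 128


def audit_starttls(lines):
    """Return (pid, protocol, cipher, reasons) for each session that breaks the policy."""
    findings = []
    for line in lines:
        m = STARTTLS_RE.search(line)
        if not m:
            continue  # not a starttls record (for example the login line)
        reasons = []
        if m["proto"] in WEAK_PROTOCOLS:
            reasons.append("weak protocol")
        if int(m["used"]) < MIN_BITS:
            reasons.append("key length below %d bits" % MIN_BITS)
        if reasons:
            findings.append((int(m["pid"]), m["proto"], m["cipher"], reasons))
    return findings


# Constructed sample input: the first two lines follow the log excerpt in the
# message (host name replaced); the last two are invented to exercise the checks.
SAMPLE_LOG = """\
Jul  6 12:48:32 host imap[25303]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Jul  6 12:48:32 host imap[25303]: login: [] ccsdhd GSSAPI+TLS User logged in
Jul  6 12:50:10 host imap[25310]: starttls: SSLv3 with cipher RC4-MD5 (128/128 bits new) no authentication
Jul  6 12:51:44 host imap[25321]: starttls: TLSv1 with cipher EXP-RC4-MD5 (40/128 bits new) no authentication
""".splitlines()

if __name__ == "__main__":
    for pid, proto, cipher, reasons in audit_starttls(SAMPLE_LOG):
        print(f"pid {pid}: {proto} {cipher}: {', '.join(reasons)}")
```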