GSSAPI for various murder component setups

Stephen Ingram sbingram at
Thu Jun 14 20:20:29 EDT 2012

On Thu, Jun 14, 2012 at 7:05 AM, Dan White <dwhite at> wrote:
> On 06/13/12 21:02 -0700, Stephen Ingram wrote:
>> On Wed, Jun 13, 2012 at 1:23 PM, Dan White <dwhite at> wrote:
>>> The other issue is that where your systems are acting as clients (such as
>>> when a frontend server is connecting to an mupdate server), your client
>>> will need to initialize a kerberos ticket cache, and in my experience
>>> cannot use the kerberos credentials used to accept connections. Or in
>>> other
>>> words, your frontends might have an imap/ service ticket
>>> for accepting client imap connections, but then may need a separate
>>> ticket,
>>> such as cyrus/, for backend/mupdate connections. I use
>>> cronjobs, running as the cyrus user, to initialize those crendential
>>> caches.
>> This is exactly the part I'm really confused about. For murder, I see
>> connections from the frontends and backends to the mupdate server. I
>> also see connections from the frontends to the backends. The
>> connections to the mupdate server are, in a very simplistic sense, to
>> spread information about the mailboxes. I was thinking these should be
>> machine to machine connections using Kerberos service accounts.
>> However, I'm not really sure, should only the mupdate server have an
>> mupdate service principals and then the frontend clients and backend
>> clients connect to mupdate using "user" kerberos principals, or if all
>> servers involved have service principals. Also when proxying a mail
>> connection from frontend to backend, how should this be done? And then
>> there is replication....
> Every service listed within your SERVICES section in cyrus.conf will
> potentially need it's own service principal, particularly on your backends
> and mupdate master. Your frontends may not need service principals if your
> users are not performing GSSAPI authentication.
> libsasl2 will search for for service principals starting with:
> imap/
> lmtp/
> mupdate/
> csync/
> pop/
> nntp/
> sieve/

Wouldn't the front ends need these connections worse than the backends
(assuming I'm not supporting referrals)? I'm guessing the lmtp is for
Postfix connecting to the frontend/proxy to backend to deliver the

The csync is for replication?

> when initialized during service startup. Within your imapd.conf, you can
> restrict authentication only to gssapi with:
> imap_sasl_mech_list: gssapi
> etc.
> The *test utilities (lmtptest, imtest, mupdatetest, etc.) are invaluable
> for validating the server side of your setup.
> Every server in your murder, except perhaps your replica server, will
> likely need an additional client/user principal.

Why wouldn't the replica server need a service principal since the
backend connects to it to sync?

> When proxying from the frontend to the backend, the frontend will make a
> gssapi connection to the backend regardless of the authentication method
> the client used when connecting to the frontend. If the client supports
> referrals, then the client will then make it's own connection to the
> backend using which ever authentication method it's configured to use.

But only if the backend is configured for that authentication method, no?


More information about the Info-cyrus mailing list