Some cyrus-sasl questions

Dan White dwhite at
Tue Sep 30 11:01:16 EDT 2014

On 09/29/14 17:44 -0500, Patrick Goetz wrote:
>Hi -
>I've been setting up some new servers and wanted to revisit and optimize
>my cyrus-sasl configuration.  I couldn't find answers to these questions
>anywhere in the documentation or online, but figured this list would
>know.  Ironically, the postfix documentation for using sasl
>( appears to be more complete
>than anything I could find on the cyrus source site.
>1. Postfix suggests that I can put the SASL configuration file in
>/etc/sasl2 instead of /usr/lib/sasl2, but I couldn't find this anywhere
>in the official  cyrus-sasl documentation.  User configurable options
>always need to go in /etc, not /usr/lib, so I just want to confirm that
>2.1.26 will look for the configuration file in /etc/sasl2

The location depends how cyrus sasl was compiled. '--with-configdir=DIR' is
used to specify the location config files will be searched for. By default,
that's /usr/lib/sasl2. Distributions may specify others. For Debian,


See ./configure --help for an explanation.

Additionally, the cyrus sasl api allows the location to be overridden using
the 'sasl_getconfpath_t' callback. See the manpage for sasl_callbacks (3).

To determine where to place a sasl config file for a particular daemon,
you'll need to consult the documentation for your distribution/OS if you're
not compiling it yourself.

To confuse matters even more, Cyrus IMAP uses the API to store
configuration data into imapd.conf, and will look for the options to be
preprended with 'sasl_', e.g. 'sasl_pwcheck_method'.

OpenLDAP does the same, but for one option only (olcSaslAuxprops).

>2. I can't find any hints about what an optimal PAM configuration file
>is if you only want to authenticate users through PAM with valid
>accounts.  Currently the /etc/pam.d/imap file is basically set up as
>    auth      required
>    account   required
>(Debian/Ubuntu add other junk via default common authentication groups
>which must be superfluous).  I don't understand why the account
>management group is needed for imap authentication.  Is it just there
>because there's no documentation on how to do this properly, so people
>are guessing?

The PAM backend for saslauthd calls 'pam_authenticate' (auth),
'pam_acct_mgmt' (account), but not 'pam_open_session' (session) or
'pam_chauthtok' (password). As far as I know, this is not documented

>3. Both cyrus and postfix use SASL.  In the past, I've run postfix in a
>chroot jail, so it had it own saslauthd daemon process.  Since chroot
>jails don't add much security, I'm jettisoning that, but presumably
>cyrus and postfix will happily use the same saslauthd daemon process?

Yes. You should not override the location of the saslauthd mux (in
/etc/default/saslauthd, on Debian), unless you are chrooting postfix. By
default, Cyrus and Postfix will use the default (at compile time) location,
by way of the libsasl2 glue library.

>Postfix requires a sasl configuration file, but I just noticed that my
>cyrus 2.3.16 install doesn't seem to have one.  Is this compile time
>default or am I just overlooking where the configuration file?  Or does
>cyrus use the SASL libraries directly, in which case I'm not sure how it
>knows to use pam.  Is there any documentation on this?

There is no default cyrus sasl config file installed for Postfix. In the
case of a missing config file, the defaults will be used (auxprop instead
of saslauthd/pam). 'saslfinger' is highly recommended for trouble shooting
Postfix/Cyrus Sasl config issues. To direct Postfix to authenticate against
PAM, you'll need to start saslauthd with the PAM backend. Then create a
Postfix sasl config file (in /etc/postfix/sasl/smtpd.conf, on Debian) which

pwcheck_method: saslauthd

And you'll want to include:

# exclude shared secret mechanisms
mech_list: plain login external gssapi


Dan White

More information about the Info-cyrus mailing list