From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Dan Langille
Cc: freebsd-questions@freebsd.org
Subject: Re: setting up imap/sasl
Date: Mon, 21 Aug 2006 07:27:24 +0100
Message-ID: <44E9524C.7030509@infracaninophile.co.uk>
In-Reply-To: <44E8DF28.273.F89B110@dan.langille.org>

Dan Langille wrote:
> When I run imtest, I see two problems:
>
> 1 - I see only two AUTH= clauses: DIGEST-MD5 and CRAM-MD5. Shouldn't
> I see one for SASL?

No. SASL is the library that provides the glue between various
authentication mechanisms, the authentication databases and the
applications. There isn't a 'SASL' authentication mechanism as such.

You're not seeing LOGIN or PLAIN here -- which suggests you've got a
non-zero security strength factor set, and it seems you don't have any
GSSAPI/Kerberos or SSL based authentication available, which really
leaves only CRAM-MD5 or DIGEST-MD5, and CRAM-MD5 is really only there
for historical reasons.

> 2 - I've been unable to get authorization to work.
>
> $ imtest -m login -a admin -u admin polo
> S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=DIGEST-MD5
> AUTH=CRAM-MD5 SASL-IR] polo.unixathome.org Cyrus IMAP4 v2.3.7 server
[...]
> I've tried various sasl_pwcheck_method options. The above is with
> "saslauthd". With "auxprop", it is similar, but:
>
> Please enter your password:
> C: L01 LOGIN admin {5}
> S: + go ahead
> C:
> failure: prot layer failure

'saslauthd' handles only password style authentication. You can set it
to use the standard system password stuff -- getpwent() or PAM things,
but ironically that will force you to use LOGIN or PLAIN auth mechanisms
with the password being sent over the 'net in plain.

If you use the separate saslauthdb, or you tie SASL to RADIUS, LDAP or
some other back-end RDBMS, you'll get the more secure login mechanisms
(i.e. DIGEST-MD5) but at the cost of having a DB containing the
authentication tokens (read: password) held in plain text inside it.

However, if you're going to have a non-password file auth database, then
forget using saslauthd -- set up Cyrus IMAPD to use auxprop directly.
You can put configuration stuff for Cyrus in
/usr/local/lib/sasl2/Cyrus.conf or you can add the same directives to
/usr/local/etc/imapd.conf prefixed with 'sasl-' (in addition to the
imapd configuration directives from the imapd.conf(5) man page).
There's a list of the directives you can use in one of the application
Foo.conf files under /usr/local/lib/sasl2/ here:

  file:///usr/local/share/doc/cyrus-sasl2/html/options.html

There are two advantages of doing things that way: (i) you aren't
reliant on saslauthd, which can be a SPOF, and (ii) you make the *non*
password authentication mechanisms available to your application -- so
you can use GSSAPI or even SSL certs to authenticate users.

Another good move is to provide SSL Certs etc. for IMAP and either run
it over an encrypted link (IMAPS on port 993 usually) or permit it to
use STARTTLS to provide an encrypted channel for authentication.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
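As an added illustration of the two set-ups the reply contrasts (this is not part of Matthew's message and not a file shipped by Cyrus), here is an imapd.conf written the way the reply describes: Cyrus-specific directives alongside SASL directives carried with a `sasl_` prefix (the quoted session itself uses `sasl_pwcheck_method`, which shows the prefix in practice). Directive names are those of Cyrus IMAP 2.3 imapd.conf(5) and the Cyrus SASL options page; the sasldb location, certificate paths and the admin user name are assumed placeholders.

```conf
# /usr/local/etc/imapd.conf -- added example, not from the original
# message or from the Cyrus distribution.  Written for Cyrus IMAP 2.3 (the
# version in the quoted banner); file paths, certificate names and the
# admin user are assumed placeholders.
#
# Keys prefixed with "sasl_" are passed to Cyrus SASL unchanged; the same
# keys without the prefix could instead go in /usr/local/lib/sasl2/Cyrus.conf.

# --- Variant A: what the quoted imtest session was using -------------------
# saslauthd can only answer "is this password correct?", so the only
# mechanisms it can back are PLAIN and LOGIN, which carry the password
# across the wire.  If you keep it, refuse plaintext until TLS is up.
#
#sasl_pwcheck_method: saslauthd
#sasl_mech_list: PLAIN LOGIN
#allowplaintext: no

# --- Variant B: auxprop + sasldb, the route the reply recommends -----------
# The server now holds each user's shared secret itself (sasldb2 stores it
# in the clear, so keep the file owned by the cyrus user and mode 0600) and
# can therefore offer challenge/response mechanisms that never send the
# password over the wire.
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sasldb
sasl_sasldb_path: /usr/local/etc/sasldb2
sasl_mech_list: DIGEST-MD5 CRAM-MD5

# --- Either variant: offer TLS so the whole session is protected ----------
# Used both by IMAPS on 993 and by STARTTLS on 143; paths are assumed.
tls_cert_file: /usr/local/etc/ssl/imapd.pem
tls_key_file: /usr/local/etc/ssl/imapd.pem
tls_ca_file: /usr/local/etc/ssl/ca.pem

admins: admin
```

With variant B in place, create the account's entry with `saslpasswd2 -c admin` (add `-u <realm>` if the realm Cyrus reports differs from the local hostname), confirm it with `sasldblistusers2`, and repeat the quoted test as `imtest -m DIGEST-MD5 -u admin polo`; `imtest -t "" -u admin polo` exercises the STARTTLS path. The two settings that decide which `AUTH=` entries appear in the banner are `sasl_mech_list` and `allowplaintext`: with `allowplaintext: no`, PLAIN and LOGIN are advertised only once a TLS layer is established, which matches the reply's point that a plaintext mechanism is acceptable only inside an encrypted channel.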