====== Cyrus IMAP with GSSAPI Kerberos - Configuration Howto ======

In a previous article, we discussed [[cyrus_imap_server_and_sasl_with_gssapi_kerberos_authentication|how to build a CYRUS IMAP server with GSSAPI/Kerberos support]] from source. This article is a how-to for configuring Cyrus with SASL GSSAPI Kerberos 5 authentication.

===== System configuration and setup =====

==== Create user and group cyrus ====

==== Make sure you have the following in /etc/services ====

<code>
pop3    110/tcp
imap    143/tcp
imsp    406/tcp
acap    674/tcp
imaps   993/tcp
pop3s   995/tcp
kpop    1109/tcp
lmtp    2003/tcp
fud     4201/udp
</code>

==== Clean up /etc/inetd.conf: remove any imap, imaps, pop3, pop3s, kpop, lmtp and sieve lines ====

==== Add the following lines to the end of /etc/syslog.conf ====

<code>
local6.debug    /var/log/imapd.log
auth.debug      /var/log/auth.log
</code>

==== Create logfiles ====

<code>
touch /var/log/imapd.log /var/log/auth.log
</code>

==== Create Kerberos imap and sieve principals ====

<code>
kadmin -l
add imap/example.com@EXAMPLE.COM
add sieve/example.com@EXAMPLE.COM
</code>

==== Extract the imap service krb5 keytab into /etc/krb5.keytab on the host example.com ====

<code>
ktutil get imap/example.com@EXAMPLE.COM
ktutil get sieve/example.com@EXAMPLE.COM
</code>

//Note: kadmind must be running and your account must have enough privileges. To update your kadmin privileges, edit the file /var/heimdal/kadmind.acl (on the KDC) and restart kadmind from /usr/libexec/kadmind.//

==== On the host example.com, make sure the Kerberos configuration is correctly set up by editing /etc/krb5.conf. It should look as follows ====

<code>
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = 111.111.111.111
        admin_server = 111.111.111.111
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
    localhost = EXAMPLE.COM

[logging]
    kdc = FILE:/var/log/kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb.log
</code>

===== Cyrus configuration =====

==== Create /var/imap and /var/spool/imap ====

<code>
mkdir /var/imap /var/spool/imap
chown cyrus:cyrus /var/imap /var/spool/imap
chmod 750 /var/imap /var/spool/imap
</code>

==== Edit /usr/local/etc/imapd.conf ====

Make sure you have the following (adapt the parameters accordingly):

<code>
configdirectory: /var/imap
partition-default: /var/spool/imap
servername: example.com
allowanonymouslogin: no
allowplaintext: yes
admins: cyrus root
sasl_keytab: /path/to/keytab
loginrealms: EXAMPLE.COM
loginuseacl: yes
sieveusehomedir: false
sievedir: /var/imap/sieve
sasl_pwcheck_method: saslauthd
sasl_opiekeys: /etc/opiekeys
duplicatesuppression: 0
duplicate_db: skiplist
mboxlist_db: skiplist
ptscache_db: skiplist
quota_db: skiplist
seenstate_db: skiplist
</code>

==== Change to user cyrus and run this ====

<code>
su cyrus
% /usr/local/cyrus/bin/mkimap
</code>

This should create all the required directories with the proper permissions.

===== Adding cyrus mailboxes =====

To add mailboxes, we need to authenticate (using GSSAPI) to the Cyrus server. For this reason, we first need to add the cyrus user to the Kerberos database. On the KDC, add a cyrus user as follows (if not done yet).

<code>
kadmin -l
kadmin> add cyrus
</code>

Then get credentials and connect to the Cyrus server to manage mailboxes.

<code>
kinit cyrus
cyradm --user cyrus imap.example.com
imap.example.com> cm user.someusername
</code>

===== Setup Postfix =====

In order to make the MTA deliver e-mails to the Cyrus server, we need to configure it to do so. If your MTA is Postfix, see [[postfix_gssapi_authentication_howto#edit_configuration_files|Postfix configuration]].

===== Setup Sendmail =====

In order to make the sendmail MTA deliver e-mails to the Cyrus server, edit **/etc/mail/hostname.mc** and add the following lines:

<code>
define(`confLOCAL_MAILER',`cyrusv2')
define(`CYRUS_MAILER_PATH',`/usr/local/cyrus/bin/deliver')
MAILER(`cyrusv2')
</code>

Then do

<code>
make stop
make all
make install
make start
</code>

NOTE that the SASL GSSAPI implementation of heimdal <= 0.7 may have some compatibility issues with MIT Kerberos. I faced the following problem: when I used MIT's gssapi to authenticate to cyrus, the server reported an error: //enctype 18 was not supported//, where ''kinit -e des-cbc-md5'' : enctype 18. To solve this, I installed heimdal 0.8rc1 and recompiled/installed cyrus-imap and cyrus-sasl2 as mentioned above.

===== Start the 'imapd' and 'master' services =====

<code>
/usr/local/cyrus/bin/imapd
/usr/local/cyrus/bin/master &
</code>

===== Testing imap/sieve authentication =====

On the host example.com, get Kerberos credentials:

<code>
kinit
</code>

Test imap:

<code>
imtest -m login
imtest -m GSSAPI -r EXAMPLE.COM example.com
</code>

Test sieve:

<code>
sieveshell example.com
</code>

===== Adding sieve filters =====

Users that have imap accounts and Kerberos credentials that allow them to authenticate to the sieve server can add sieve scripts that will sort their e-mails. The following is a simple sieve script (the ''require "fileinto";'' line is mandatory, since the script uses the fileinto action).

<code>
require "fileinto";

if anyof (header :contains "X-SPAM-Judgment" "SPAM; Judge=some.mail.server",
          header :contains "From" "vgkwu.com",
          header :contains "Subject" "viagra",
          header :contains "From" "connect-eur") {
    fileinto "INBOX.Trash";
}
elsif header :contains ["To", "Cc"] "some-address" {
    fileinto "INBOX.some-folder";
}
elsif anyof (header :contains "List-Id" "kerberos",
             header :contains "From" "krb",
             header :contains ["To", "Cc", "From"] "heimdal") {
    fileinto "INBOX.KRB";
}
</code>

The user can install this filter by placing the script above in a file (e.g. sieve.script) and then issuing the following commands.

<code>
kinit
sieveshell example.com
> put /path/to/sieve.script
> activate sieve.script
</code>

{{tag>howto Kerberos services security unix}}
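Returning to the imapd.conf settings in the Cyrus configuration section above: this added example (not part of the original howto) parses the ''key: value'' format Cyrus uses and flags the authentication settings a GSSAPI-only deployment should revisit, namely the placeholder keytab path and ''allowplaintext: yes''. The sample configuration embedded in it is constructed from the fragment in this page.

```python
"""Lint the authentication-relevant keys of a Cyrus imapd.conf."""
import os

# Constructed sample modelled on the imapd.conf fragment in this howto;
# not a file taken from a real server.
SAMPLE_IMAPD_CONF = """\
configdirectory: /var/imap
partition-default: /var/spool/imap
servername: example.com
allowanonymouslogin: no
allowplaintext: yes
admins: cyrus root
# placeholder path left in place, as in the howto
sasl_keytab: /path/to/keytab
loginrealms: EXAMPLE.COM
sasl_pwcheck_method: saslauthd
"""

# Spellings Cyrus accepts for a boolean "on" value.
TRUE_VALUES = ("yes", "1", "t", "true", "on")

def parse_imapd_conf(text):
    """Parse 'key: value' lines; '#' lines and blank lines are skipped."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            raise ValueError("line %d: expected 'key: value'" % lineno)
        conf[key.strip()] = value.strip()
    return conf

def audit_auth_settings(conf):
    """Return findings on settings that weaken a GSSAPI-based setup."""
    findings = []
    if conf.get("allowanonymouslogin", "").lower() in TRUE_VALUES:
        findings.append("allowanonymouslogin: anonymous IMAP access is enabled")
    if conf.get("allowplaintext", "").lower() in TRUE_VALUES:
        findings.append("allowplaintext: LOGIN/PLAIN send the password in the "
                        "clear; GSSAPI clients do not need it")
    keytab = conf.get("sasl_keytab", "")
    if not os.path.isabs(keytab) or "/path/to/" in keytab:
        findings.append("sasl_keytab: point it at the keytab holding imap/<host>")
    return findings

if __name__ == "__main__":
    for finding in audit_auth_settings(parse_imapd_conf(SAMPLE_IMAPD_CONF)):
        print("WARN", finding)
```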