Building Cyrus IMAP with SASL GSSAPI support


This is a howto for installing the Cyrus IMAP server and SASL from source with support for the Kerberos GSSAPI network security mechanism, which provides mutual authentication, confidentiality and integrity for the IMAP protocol. The procedure was tested under FreeBSD-6.2, but it should be applicable to any similar Linux/Unix distribution.


Install heimdal 1.1

Heimdal is a popular BSD-licensed Kerberos implementation. It has an implementation of Kerberos GSSAPI, which we will use in this howto. Alternatively, the MIT Kerberos implementation can be used instead of Heimdal.

./configure
make
make install

This will install Heimdal under /usr/heimdal.


Install a database (e.g. db3)

Consult the Cyrus documentation for available back-end options. In this howto we will use a Berkeley Database.

# FreeBSD
pkg_add -vrf db3
# Debian/Ubuntu
apt-get install libdb4.4

Build and install cyrus-sasl-2.1.22

./configure --sysconfdir=/usr/local/etc --with-cyrus-user=cyrus --with-cyrus-group=cyrus --with-sasl=/usr/local --with-bdb-libdir=/usr/local/lib --with-bdb-incdir=/usr/local/include/db3 --with-bdb=db3 --with-saslauthd --enable-plain
make
make install

Build and install cyrus-imapd-2.3.11

./configure --sysconfdir=/usr/local/etc --with-cyrus-user=cyrus --with-cyrus-group=cyrus --with-sasl=/usr/local --with-bdb-libdir=/usr/local/lib --with-bdb-incdir=/usr/local/include/db3 --with-bdb=db3 --prefix=/usr/local/cyrus
make
make install

Testing


Run the services

/usr/cyrus/bin/imapd
/usr/cyrus/bin/master&

Connect to the IMAP server to check capabilities

kinit
imtest -m GSSAPI -r EXAMPLE.COM imap.example.com

The response from the IMAP server should show support for GSSAPI, in which case the output would look as follows:

S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=GSSAPI SASL-IR]
...
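
The check above can be scripted. The following is an added example, not part of the original howto or of Cyrus: it parses a greeting line like the one shown and reports whether GSSAPI is advertised, and whether plaintext mechanisms are offered alongside it (the SASL build above uses --enable-plain, so the server may also advertise PLAIN). The function names and the second and third input lines in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect the SASL mechanisms in an IMAP CAPABILITY line.
# Function names are hypothetical helpers, not Cyrus tools.

# Constructed sample: the greeting shown in this howto (imtest "S: " prefix).
SAMPLE='S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=GSSAPI SASL-IR]'

# Print one advertised SASL mechanism per line.
# Capability names are case-insensitive, so match AUTH= in any case.
sasl_mechs() {
    printf '%s\n' "$1" | tr -d '[]\r' | tr ' ' '\n' |
        sed -n 's/^[Aa][Uu][Tt][Hh]=//p'
}

# Return 0 if mechanism $2 is advertised in capability line $1.
has_mech() {
    sasl_mechs "$1" | grep -qix "$2"
}

# Print a verdict for capability line $1:
#   ok      - GSSAPI offered, no plaintext mechanism offered
#   mixed   - GSSAPI offered together with PLAIN or LOGIN
#   missing - GSSAPI not offered (returns 1)
check_caps() {
    if ! has_mech "$1" GSSAPI; then
        echo missing
        return 1
    fi
    if has_mech "$1" PLAIN || has_mech "$1" LOGIN; then
        # Clients may fall back to sending the password itself.
        echo mixed
        return 0
    fi
    echo ok
}

# Other constructed inputs to try:
#   '* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=GSSAPI]'  (mixed)
#   '* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN]'              (missing)
check_caps "$SAMPLE"
```

To use it against a live server, pass the first "S: * OK [CAPABILITY ...]" line of the imtest output to check_caps.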

At this point, GSSAPI authentication may not work, and the Cyrus IMAP server may not be able to serve e-mail yet. To make the server run properly, we need to edit the configuration files.


Configuring cyrus IMAP server

Please refer to this article: How to configure cyrus support for SASL GSSAPI Kerberos authentication


