In a previous article, we discussed how to build a Cyrus IMAP server with GSSAPI/Kerberos support from source. This article is a how-to for configuring Cyrus with SASL GSSAPI (Kerberos 5) authentication against a Heimdal KDC.
Make sure /etc/services contains the following entries:

pop3    110/tcp
imap    143/tcp
imsp    406/tcp
acap    674/tcp
imaps   993/tcp
pop3s   995/tcp
kpop    1109/tcp
lmtp    2003/tcp
fud     4201/udp
Add the Cyrus and auth facilities to /etc/syslog.conf and create the log files:

local6.debug    /var/log/imapd.log
auth.debug      /var/log/auth.log

touch /var/log/imapd.log /var/log/auth.log
On the KDC, create the service principals for IMAP and Sieve. The host part must be the fully qualified name the clients will connect to (the name you later give to imtest, cyradm and sieveshell), because that is the principal a GSSAPI client asks the KDC for a ticket to:

kadmin -l
kadmin> add imap/example.com@EXAMPLE.COM
kadmin> add sieve/example.com@EXAMPLE.COM

On the IMAP server, fetch the keys into a keytab. Heimdal's ktutil get generates a new random key for each principal through kadmind and writes it to /etc/krb5.keytab unless -k names another file, so run it once per principal: running it again invalidates any keytab written earlier. This keytab is what sasl_keytab in imapd.conf must point to, and it must be readable by the cyrus user and nobody else.

ktutil get imap/example.com@EXAMPLE.COM
ktutil get sieve/example.com@EXAMPLE.COM

Note: kadmind must be running and your account must have enough privileges, since ktutil get talks to kadmind. To extend your kadmin privileges, edit /var/heimdal/kadmind.acl on the KDC and restart kadmind (/usr/libexec/kadmind).
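As an added example (not from the original article and not part of Heimdal or Cyrus), the following script wraps the two steps above and then verifies the result the way a practitioner would before pointing imapd at the keytab: ownership, permission bits and the presence of both service principals. The keytab path /etc/cyrus.keytab, the cyrus user, and the host and realm names are assumptions taken from this article's examples; adjust them to your site.

```shell
#!/bin/sh
# Added example (not from the original article): create the Cyrus service
# principals on a Heimdal KDC, pull their keys into a dedicated keytab, and
# check that the keytab is one Cyrus can and should use.
# Assumed, adjust to your site: HOST, REALM, KEYTAB, CYRUS_USER.
HOST="${HOST:-example.com}"
REALM="${REALM:-EXAMPLE.COM}"
KEYTAB="${KEYTAB:-/etc/cyrus.keytab}"
CYRUS_USER="${CYRUS_USER:-cyrus}"

# Run on the KDC: add both principals with random keys. kadmin -l works
# directly on the local database, so no kadmind ACL entry is needed here.
add_service_principals() {
    kadmin -l <<EOF
add --random-key --use-defaults imap/$HOST@$REALM
add --random-key --use-defaults sieve/$HOST@$REALM
EOF
}

# Run on the IMAP server: ktutil get re-keys each principal through kadmind
# and stores the new key in KEYTAB, so run it once, not once per attempt.
fetch_service_keys() {
    ktutil -k "$KEYTAB" get "imap/$HOST@$REALM" "sieve/$HOST@$REALM"
    chown "$CYRUS_USER" "$KEYTAB"
    chmod 0400 "$KEYTAB"
}

# Check 1 (offline): keytab exists, is owned by the Cyrus user, and has no
# group/other permission bits at all. POSIX find is used so the check behaves
# the same with GNU and BSD userland.
check_keytab_perms() {
    kt="$1"; owner="$2"
    if [ ! -f "$kt" ]; then
        echo "keytab $kt: missing" >&2; return 1
    fi
    if [ -z "$(find "$kt" -user "$owner" -print)" ]; then
        echo "keytab $kt: not owned by $owner" >&2; return 1
    fi
    if [ -n "$(find "$kt" \( -perm -040 -o -perm -020 -o -perm -010 \
                              -o -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]; then
        echo "keytab $kt: readable or writable by group/other" >&2; return 1
    fi
    return 0
}

# Check 2 (needs ktutil): both service principals are really in the keytab.
check_keytab_principals() {
    for p in "imap/$HOST@$REALM" "sieve/$HOST@$REALM"; do
        ktutil -k "$KEYTAB" list | grep -q "$p" || {
            echo "keytab $KEYTAB: no key for $p" >&2; return 1; }
    done
}

# Usage: sh cyrus-keytab.sh add    (on the KDC)
#        sh cyrus-keytab.sh fetch  (on the IMAP server)
#        sh cyrus-keytab.sh check  (any time, e.g. before restarting master)
case "${1:-}" in
    add)   add_service_principals ;;
    fetch) fetch_service_keys && check_keytab_perms "$KEYTAB" "$CYRUS_USER" \
             && check_keytab_principals ;;
    check) check_keytab_perms "$KEYTAB" "$CYRUS_USER" && check_keytab_principals ;;
esac
```

The permission check is deliberately strict: a keytab with any group or world bit fails, because whoever can read it can impersonate the IMAP server to every Kerberos client in the realm.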
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = 111.111.111.111
        admin_server = 111.111.111.111
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
    localhost = EXAMPLE.COM

[logging]
    kdc = FILE:/var/log/kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb.log
mkdir /var/imap /var/spool/imap
chown cyrus:cyrus /var/imap /var/spool/imap
chmod 750 /var/imap /var/spool/imap
In imapd.conf (normally /etc/imapd.conf), make sure you have the following (adapt parameters accordingly):

configdirectory: /var/imap
partition-default: /var/spool/imap
servername: example.com
allowanonymouslogin: no
allowplaintext: yes
admins: cyrus root
sasl_keytab: /path/to/keytab
loginrealms: EXAMPLE.COM
loginuseacl: yes
sieveusehomedir: false
sievedir: /var/imap/sieve
sasl_pwcheck_method: saslauthd
sasl_opiekeys: /etc/opiekeys
duplicatesuppression: 0
duplicate_db: skiplist
mboxlist_db: skiplist
ptscache_db: skiplist
quota_db: skiplist
seenstate_db: skiplist

Two of these deserve attention. allowplaintext: yes is what lets the plaintext imtest -m login check further down succeed, but it also means LOGIN/PLAIN passwords are accepted on unencrypted connections; set it to no once the GSSAPI login works (plaintext mechanisms are then only offered under TLS). sasl_keytab must be the file ktutil get wrote the imap/ and sieve/ keys into, readable by the cyrus user only; without it the GSSAPI mechanism cannot be offered at all.
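To make the two points above checkable rather than a matter of reading the file carefully, here is an added example (my own script, not from the article and not a Cyrus tool) that audits an imapd.conf for the options that decide whether Kerberos is actually enforced, and embeds the article's settings next to a hardened set as constructed samples. The option names are real imapd.conf and SASL options; what counts as a finding is this script's own policy, and the keytab path /etc/cyrus.keytab is an assumption.

```shell
#!/bin/sh
# Added example (not part of the article or of Cyrus): audit an imapd.conf
# for the options that decide whether Kerberos is actually enforced.
# Option names are real imapd.conf / SASL options; the findings are this
# script's own policy. The keytab path /etc/cyrus.keytab is assumed.

# imapd_opt FILE KEY -> value of the first non-comment "KEY: value" line
imapd_opt() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        {
            i = index($0, ":"); if (i == 0) next
            key = substr($0, 1, i - 1); gsub(/[ \t]/, "", key)
            if (key != k) next
            v = substr($0, i + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            print v; exit
        }' "$1"
}

# Prints one finding per line; the exit status is the number of findings.
audit_imapd_conf() {
    f="$1"; n=0
    if [ "$(imapd_opt "$f" allowplaintext)" = "yes" ]; then
        echo "allowplaintext: yes -> LOGIN/PLAIN accepted on unencrypted connections; set 'no' once the GSSAPI test passes"
        n=$((n + 1))
    fi
    if [ "$(imapd_opt "$f" allowanonymouslogin)" != "no" ]; then
        echo "allowanonymouslogin is not 'no'"
        n=$((n + 1))
    fi
    case "$(imapd_opt "$f" sasl_keytab)" in
        ""|/path/to/*)
            echo "sasl_keytab unset or still a placeholder -> GSSAPI cannot find the imap/ and sieve/ keys"
            n=$((n + 1)) ;;
    esac
    if [ -z "$(imapd_opt "$f" sasl_mech_list)" ]; then
        echo "sasl_mech_list unset -> every installed SASL mechanism is offered; set 'GSSAPI' (add PLAIN/LOGIN only if you must)"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample: the article's settings, reduced to the relevant lines.
weak_conf() {
    cat <<'EOF'
configdirectory: /var/imap
partition-default: /var/spool/imap
servername: example.com
allowanonymouslogin: no
allowplaintext: yes
admins: cyrus root
sasl_keytab: /path/to/keytab
loginrealms: EXAMPLE.COM
EOF
}

# Constructed sample: the same server, Kerberos-only (keytab path assumed).
hardened_conf() {
    cat <<'EOF'
configdirectory: /var/imap
partition-default: /var/spool/imap
servername: example.com
allowanonymouslogin: no
allowplaintext: no
admins: cyrus root
sasl_keytab: /etc/cyrus.keytab
sasl_mech_list: GSSAPI
loginrealms: EXAMPLE.COM
EOF
}

# Usage: sh audit-imapd.sh /etc/imapd.conf   (audit a real file)
#        sh audit-imapd.sh demo               (audit the two samples)
case "${1:-}" in
    "")   : ;;
    demo) for c in weak_conf hardened_conf; do
              tmp=$(mktemp); $c > "$tmp"
              echo "== $c"; audit_imapd_conf "$tmp" || echo "$? finding(s)"
              rm -f "$tmp"
          done ;;
    *)    audit_imapd_conf "$1" || echo "$? finding(s) in $1" ;;
esac
```

Against the article's settings the script reports three findings (plaintext allowed, placeholder keytab, unrestricted mechanism list); against the hardened sample it reports none. Restricting sasl_mech_list is the part most often forgotten: with allowplaintext: no and no TLS configured, leaving the list open still advertises every mechanism libsasl has installed.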
su cyrus
% /usr/local/cyrus/bin/mkimap
This should create all the required directories with proper permission.
To add mailboxes, we need to authenticate (using GSSAPI) to the Cyrus server as an administrator. For this reason, we first need a Kerberos principal for the cyrus admin user, i.e. the name listed under admins: in imapd.conf. On the KDC, add it as follows (if not done yet):

kadmin -l
kadmin> add cyrus
Then get credentials and connect to the Cyrus server to manage mailboxes (cm is short for createmailbox):

kinit cyrus
cyradm --user cyrus imap.example.com
imap.example.com> cm user.someusername
In order to make the MTA deliver e-mails to the cyrus server, we need to configure it to do so. If your MTA is Postfix, see Postfix configuration
In order to make the sendmail MTA deliver e-mails to the Cyrus server, edit /etc/mail/hostname.mc and add the following lines:

define(`confLOCAL_MAILER',`cyrusv2')
define(`CYRUS_MAILER_PATH',`/usr/local/cyrus/bin/deliver')
MAILER(`cyrusv2')
Then, in /etc/mail, do:

make stop
make all
make install
make start
NOTE that the SASL GSSAPI implementation of Heimdal <= 0.7 may have some compatibility issues with MIT Kerberos. I faced the following problem: when I used MIT's GSSAPI to authenticate to Cyrus, the server reported an error: enctype 18 was not supported (where kinit -e des-cbc-md5 : enctype 18). To solve this, I installed Heimdal 0.8rc1 and recompiled/installed cyrus-imap and cyrus-sasl2 as mentioned above.
Start the server. The master process is the one to start; it spawns /usr/local/cyrus/bin/imapd and the other services configured in cyrus.conf:

/usr/local/cyrus/bin/master &
On the host example.com, get Kerberos credentials
kinit
Test IMAP, first with a plaintext login (this only works while allowplaintext is yes) and then with GSSAPI, which must succeed as the user from kinit without asking for a password:

imtest -m login
imtest -m GSSAPI -r EXAMPLE.COM example.com
Test sieve
sieveshell example.com
Users that have IMAP accounts and Kerberos credentials that allow them to authenticate to the Sieve server can upload Sieve scripts that sort their e-mail. The following is a simple Sieve script. Note the require line: fileinto is an extension, and timsieved rejects a script that uses it without declaring it.

require "fileinto";

if anyof (header :contains "X-SPAM-Judgment" "SPAM; Judge=some.mail.server",
          header :contains "From" "vgkwu.com",
          header :contains "Subject" "viagra",
          header :contains "From" "connect-eur")
{
    fileinto "INBOX.Trash";
}
elsif header :contains ["To", "Cc"] "some-address"
{
    fileinto "INBOX.some-folder";
}
elsif anyof (header :contains "List-Id" "kerberos",
             header :contains "From" "krb",
             header :contains ["To", "Cc", "From"] "heimdal")
{
    fileinto "INBOX.KRB";
}
The user can install this filter by placing the script above in a file (e.g. sieve.script) and then issuing the following commands:

kinit
sieveshell example.com
> put /path/to/sieve.script
> activate sieve.script
Labels: howto, Kerberos, services, security, unix