Building Cyrus IMAP with SASL GSSAPI support


This is a howto for installing the Cyrus IMAP server and SASL from source with support for the Kerberos GSSAPI network security mechanism, which provides mutual authentication, confidentiality and integrity for the IMAP protocol. The procedure was tested under FreeBSD-6.2, but it should be applicable to any similar Linux/Unix distribution.


Install Heimdal 1.1

Heimdal is a popular BSD-licensed Kerberos implementation. It includes an implementation of Kerberos GSSAPI, which we will use in this howto. Alternatively, the MIT Kerberos implementation can be used instead of Heimdal.

  • Install
./configure
make
make install

This will install Heimdal under /usr/heimdal


Install a database (e.g. db3)

Consult the Cyrus documentation for available back-end options. In this howto we will use a Berkeley Database.

  • On FreeBSD:
pkg_add -vrf db3
  • On Debian/Ubuntu:
apt-get install libdb4.4

Build and install cyrus-sasl-2.1.22

  • Build and install (verify that paths and database options are correct)
./configure --sysconfdir=/usr/local/etc --with-cyrus-user=cyrus --with-cyrus-group=cyrus --with-sasl=/usr/local --with-bdb-libdir=/usr/local/lib --with-bdb-incdir=/usr/local/include/db3 --with-bdb=db3 --with-saslauthd --enable-plain
make
make install

Build and install cyrus-imapd-2.3.11

  • Install
./configure --sysconfdir=/usr/local/etc --with-cyrus-user=cyrus --with-cyrus-group=cyrus --with-sasl=/usr/local --with-bdb-libdir=/usr/local/lib --with-bdb-incdir=/usr/local/include/db3 --with-bdb=db3 --prefix=/usr/local/cyrus
make
make install

Testing


Run the services

/usr/cyrus/bin/imapd
/usr/cyrus/bin/master&

Connect to the IMAP server to check its capabilities

kinit
imtest -m GSSAPI -r EXAMPLE.COM imap.example.com

The response from the IMAP server should show support for GSSAPI, in which case the output looks as follows:

S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=GSSAPI SASL-IR]
...
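
The capability check above can be scripted. The following is an added example, not part of the original howto or of Cyrus: it parses a banner line like the one shown, lists the advertised SASL mechanisms, and flags the case where PLAIN or LOGIN is offered next to GSSAPI (SASL was built with --enable-plain above). The function names and the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the SASL mechanisms in an IMAP capability banner.
# All three banners are constructed samples; the first matches this howto.
BANNER_GSSAPI='S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=GSSAPI SASL-IR]'
BANNER_MIXED='S: * OK [CAPABILITY IMAP4 IMAP4rev1 ID STARTTLS AUTH=PLAIN auth=gssapi] ready'
BANNER_NONE='S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS LOGINDISABLED]'

# Split a banner into upper-cased capability tokens, one per line.
caps() {
    printf '%s\n' "$1" | tr -d '\r' | sed 's/[][]/ /g' | tr -s ' ' '\n' |
        tr '[:lower:]' '[:upper:]'
}

# Print the advertised SASL mechanisms (the part after AUTH=), sorted,
# space separated.
sasl_mechs() {
    caps "$1" | sed -n 's/^AUTH=\(..*\)$/\1/p' | sort | tr '\n' ' ' | sed 's/ $//'
}

# Print a verdict for one banner:
#   ok                GSSAPI offered, no password-sending mechanism beside it
#   gssapi+plaintext  GSSAPI offered together with PLAIN or LOGIN
#   no-gssapi         GSSAPI is not advertised
check_banner() {
    mechs=" $(sasl_mechs "$1") "
    case "$mechs" in
        *" GSSAPI "*) ;;
        *) echo no-gssapi; return 0 ;;
    esac
    case "$mechs" in
        *" PLAIN "*|*" LOGIN "*) echo gssapi+plaintext ;;
        *) echo ok ;;
    esac
}

# Run the check over the constructed samples.
for b in "$BANNER_GSSAPI" "$BANNER_MIXED" "$BANNER_NONE"; do
    printf '%-17s %s\n' "$(check_banner "$b")" "$b"
done
```

To check a real server, pass the first `S: * OK [CAPABILITY ...]` line of the imtest output to check_banner.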

At this point, GSSAPI authentication may not work, and the Cyrus IMAP server may not be able to serve e-mail yet. To make the server run properly, we need to edit the configuration files.


Configuring the Cyrus IMAP server

Please refer to this article: How to configure cyrus support for SASL GSSAPI Kerberos authentication


