Cyrus IMAP server with SASL GSSAPI Kerberos authentication: Configuration and setup

This is a how-to for configuring and installing Cyrus IMAP with SASL GSSAPI Kerberos 5 authentication under FreeBSD 6.1.

System configuration and setup

  • Create user and group cyrus
      * create group services
      * add cyrus to services
      * add daemon to cyrus
  • Make sure you have the following in /etc/services
pop3     110/tcp
imap     143/tcp
imsp     406/tcp
acap     674/tcp
imaps    993/tcp
pop3s    995/tcp
kpop    1109/tcp
sieve   2000/tcp
lmtp    2003/tcp
fud     4201/udp
  • Clean up /etc/inetd.conf: remove any imap, imaps, pop3, pop3s, kpop, lmtp and sieve lines, since these ports will be served by the Cyrus master process instead of inetd
  • Add the following lines to the end of /etc/syslog.conf
local6.debug    /var/log/imapd.log
auth.debug     /var/log/auth.log
  • Create logfiles
      touch /var/log/imapd.log /var/log/auth.log
  • Create a Kerberos imap service
kadmin -l
add imap/example.com@EXAMPLE.COM
  • Extract the imap service keytab in /etc/krb5.keytab on the host example.com
ktutil get imap/example.com@EXAMPLE.COM

Note: kadmind must be running and your account must have enough privileges. To update your privileges, edit the file /var/heimdal/kadmind.acl (on the KDC) and start kadmind from /usr/libexec/kadmind.
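The /etc/services and /etc/inetd.conf steps above are easy to get half right (a missing line, or an imap entry left active so inetd and Cyrus master fight over port 143). The following script is an added example, not part of the original how-to: it checks a services file for every entry listed above and an inetd.conf for still-active conflicting services. File paths are parameters, so the demo runs against constructed copies rather than the live files; on a real host pass /etc/services and /etc/inetd.conf.

```shell
#!/bin/sh
# Added example, not part of the original how-to: check that /etc/services
# carries every entry the how-to lists and that /etc/inetd.conf no longer
# hands out the ports Cyrus master will listen on. Paths are parameters so
# the demo below can run against constructed copies instead of live files.

# name:port/proto pairs the how-to requires in /etc/services.
REQUIRED_SERVICES="pop3:110/tcp imap:143/tcp imsp:406/tcp acap:674/tcp
imaps:993/tcp pop3s:995/tcp kpop:1109/tcp sieve:2000/tcp lmtp:2003/tcp fud:4201/udp"

# Services that must not remain active in inetd.conf once master owns them.
INETD_CONFLICTS="imap imaps pop3 pop3s kpop lmtp sieve"

# check_services FILE: report each required entry that is absent.
# Returns 1 if anything is missing, 0 otherwise.
check_services() {
    svc_file=$1
    missing=0
    for entry in $REQUIRED_SERVICES; do
        name=${entry%%:*}
        port=${entry#*:}
        # Match "name<blank>port/proto" at line start; commented lines begin
        # with '#' and therefore never match.
        if ! grep -Eq "^${name}[[:space:]]+${port}([[:space:]]|\$)" "$svc_file"; then
            echo "missing in $svc_file: $name $port"
            missing=1
        fi
    done
    return $missing
}

# check_inetd FILE: report any still-active line for a conflicting service.
# Returns 1 if one is found, 0 otherwise.
check_inetd() {
    inetd_file=$1
    active=0
    for svc in $INETD_CONFLICTS; do
        if grep -Eq "^${svc}[[:space:]]" "$inetd_file"; then
            echo "still active in $inetd_file: $svc"
            active=1
        fi
    done
    return $active
}

# Demo against constructed files: imsp and fud are missing from services,
# and imap is still served by inetd.
demo_dir=$(mktemp -d)
cat > "$demo_dir/services" <<'EOF'
# constructed sample, not a real /etc/services
pop3    110/tcp
imap    143/tcp
acap    674/tcp
imaps   993/tcp
pop3s   995/tcp
kpop    1109/tcp
sieve   2000/tcp
lmtp    2003/tcp
EOF
cat > "$demo_dir/inetd.conf" <<'EOF'
# constructed sample, not a real /etc/inetd.conf
#pop3   stream  tcp     nowait  root    /usr/local/libexec/popper   popper
imap    stream  tcp     nowait  root    /usr/local/libexec/imapd    imapd
EOF

check_services "$demo_dir/services" || echo "fix /etc/services before continuing"
check_inetd "$demo_dir/inetd.conf" || echo "comment out those inetd entries and restart inetd"
```

Run it as root against the live files once the edits are made; an empty report from both functions means the port ownership is unambiguous before master is started.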

Cyrus configuration

  • Create /var/imap and /var/spool/imap
	 mkdir /var/imap /var/spool/imap
	 chown cyrus:cyrus /var/imap /var/spool/imap
	 chmod 750 /var/imap /var/spool/imap
  • Edit /usr/local/etc/imapd.conf and make sure you have the following:
	configdirectory: /var/imap
	partition-default: /var/spool/imap
	sieveusehomedir: false
	sievedir: /var/imap/sieve
	admins: cyrus zrelli
	allowanonymouslogin: no
	sasl_pwcheck_method: saslauthd
	keytab: /etc/krb5.keytab
  • Change to user cyrus and run mkimap:
	su cyrus
	/usr/local/cyrus/bin/mkimap

This should create all the required directories with proper permission.
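Before starting master it is worth confirming that imapd.conf really carries the settings the GSSAPI setup depends on, and that the keytab it names is readable by the cyrus user and nobody else (the imap service key is a credential; restricting it to mode 0600 is this check's own assumption, not a value from the page). The script below is an added example, not part of the original how-to. The expected owner is passed as a numeric uid so the demo can run against a constructed config as the current user; on a real host call it as check_imapd_conf /usr/local/etc/imapd.conf "$(id -u cyrus)".

```shell
#!/bin/sh
# Added example, not part of the original how-to: verify that an imapd.conf
# carries the settings the steps above rely on, and that the keytab it names
# belongs to the expected uid and has no group or world read bit (mode 0600
# is an assumption of this check, not a value taken from the page).

# conf_value FILE KEY: print the value of the first "KEY: value" line.
conf_value() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | head -n 1
}

# check_keytab PATH UID: keytab must exist, be owned by UID, and carry no
# group or world read bit. Prints each problem; returns 1 if any was found.
check_keytab() {
    kt_path=$1
    want_uid=$2
    if [ ! -f "$kt_path" ]; then
        echo "keytab $kt_path does not exist"
        return 1
    fi
    kt_rc=0
    # ls -ln is portable across FreeBSD and GNU: mode, links, uid, gid, ...
    set -- $(ls -ln "$kt_path")
    mode=$1
    have_uid=$3
    [ "$have_uid" = "$want_uid" ] \
        || { echo "keytab $kt_path is owned by uid $have_uid, expected $want_uid"; kt_rc=1; }
    case $mode in
        ????r*) echo "keytab $kt_path is group-readable"; kt_rc=1 ;;
    esac
    case $mode in
        ???????r*) echo "keytab $kt_path is world-readable"; kt_rc=1 ;;
    esac
    return $kt_rc
}

# check_imapd_conf FILE UID: the settings this how-to relies on.
check_imapd_conf() {
    conf=$1
    want_uid=$2
    conf_rc=0
    [ "$(conf_value "$conf" allowanonymouslogin)" = "no" ] \
        || { echo "allowanonymouslogin must be 'no'"; conf_rc=1; }
    [ -n "$(conf_value "$conf" sasl_pwcheck_method)" ] \
        || { echo "sasl_pwcheck_method is not set"; conf_rc=1; }
    for key in configdirectory partition-default; do
        [ -n "$(conf_value "$conf" "$key")" ] \
            || { echo "$key is not set"; conf_rc=1; }
    done
    kt=$(conf_value "$conf" keytab)
    if [ -z "$kt" ]; then
        echo "keytab is not set; GSSAPI needs the imap service key"
        conf_rc=1
    else
        check_keytab "$kt" "$want_uid" || conf_rc=1
    fi
    return $conf_rc
}

# Demo against a constructed config (mirroring the how-to) and a placeholder
# keytab file; first with the keytab too open, then corrected.
demo_dir=$(mktemp -d)
cat > "$demo_dir/imapd.conf" <<EOF
configdirectory: /var/imap
partition-default: /var/spool/imap
sieveusehomedir: false
sievedir: /var/imap/sieve
admins: cyrus zrelli
allowanonymouslogin: no
sasl_pwcheck_method: saslauthd
keytab: $demo_dir/krb5.keytab
EOF
printf 'not a real keytab\n' > "$demo_dir/krb5.keytab"   # constructed placeholder
chmod 644 "$demo_dir/krb5.keytab"                          # deliberately too open
if check_imapd_conf "$demo_dir/imapd.conf" "$(id -u)"; then
    echo "unexpected: config passed with a world-readable keytab"
fi
chmod 600 "$demo_dir/krb5.keytab"
if check_imapd_conf "$demo_dir/imapd.conf" "$(id -u)"; then
    echo "imapd.conf and keytab look sane"
fi
```

Because the how-to points keytab: at /etc/krb5.keytab, which is the host's default keytab and normally root-owned, the ownership check is the one most likely to fail on a fresh install: imapd runs as cyrus after master drops privileges, so it needs to be able to read that file.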

Start the service

/usr/local/cyrus/bin/imapd
/usr/local/cyrus/bin/master &

Setup Sendmail

Go to /etc/mail and add the following lines in your hostname.mc file

	define(`confLOCAL_MAILER',`cyrusv2')
	define(`CYRUS_MAILER_PATH',`/usr/local/cyrus/bin/deliver')
	MAILER(`cyrusv2')

Then do

	make stop
	make all
	make install
	make start

NOTE that the SASL GSSAPI implementation of Heimdal <= 0.7 may have some compatibility issues with MIT Kerberos. I faced the following problem: when I used MIT's GSSAPI to authenticate to cyrus, the server reported an error: enctype 18 was not supported, where kinit -e des-cbc-md5 : encrypte 18. To solve this, I installed heimdal 0.8rc1 and recompiled/installed cyrus-imap and cyrus-sasl2 as mentioned above.

Test

	imtest -m login
	imtest -m GSSAPI -r EXAMPLE.COM imap.example.com

Installation of cyrus from FreeBSD ports

  • Install Heimdal > 0.8
  • Update the file /usr/ports/security/cyrus-sasl2/Makefile:
      add the option --with-gss_impl=heimdal to the variable CONFIGURE_ARGS

  • Compile and install
     cd /usr/ports/mail/cyrus-imapd23/
     make install

For compiling cyrus from source with GSSAPI support please refer to : Cyrus IMAP server and SASL with GSSAPI Kerberos authentication : Howto Install
