{{:suse.png}}

==== SASL ====

A very convenient way of configuring the **S**imple **A**uthentication and **S**ecurity **L**ayer (SASL) is to use the **P**luggable **A**uthentication **M**odules (PAM), since PAM can use different authentication sources such as LDAP or /etc/passwd. Thus SASL is everything but simple ;-)

For configuring SASL with SUSE you have to modify several configuration files:

  * /etc/sysconfig/saslauthd
  * /etc/saslauthd.conf
  * /etc/pam.d/imap
  * /etc/pam.d/pop
  * /etc/pam.d/sieve
  * /etc/pam.d/smtp
  * /usr/lib/sasl2/smtpd.conf (SUSE <10.1) / /etc/sasl2/smtpd.conf (SUSE 10.2)
  * /usr/lib/sasl2/slapd.conf (SUSE <10.1) / /etc/sasl2/slapd.conf (SUSE 10.2)

You should have the following additional packages installed:

  * pam
  * pam-modules
  * pam_ldap

/etc/sysconfig/saslauthd:

<code>
## Path:           System/Security/SASL
## Type:           list(getpwent,kerberos5,pam,rimap,shadow,ldap)
## Default:        pam
## ServiceRestart: saslauthd
#
# Authentication mechanism to use by saslauthd.
# See man 8 saslauthd for available mechanisms.
#
SASLAUTHD_AUTHMECH=pam
</code>

/etc/saslauthd.conf:

<code>
ldap_servers: ldap://127.0.0.1
ldap_version: 3
ldap_timeout: 10
ldap_time_limit: 10
ldap_cache_ttl: 30
ldap_cache_mem: 32768
ldap_scope: sub
ldap_search_base: ou=people,dc=example,dc=com
ldap_filter_mode: yes
ldap_filter: uid=%u
ldap_use_sasl: no
ldap_bind_dn: cn=ldapadmin,dc=example,dc=com
ldap_password: your-secret-ldap_admin-password
</code>

Modify your files /etc/pam.d/imap, /etc/pam.d/pop, /etc/pam.d/sieve and /etc/pam.d/smtp from:

<code>
#%PAM-1.0
auth     include common-auth
account  include common-account
password include common-password
session  include common-session
</code>

to:

<code>
#%PAM-1.0
auth     sufficient pam_ldap.so
auth     required   pam_unix.so use_first_pass
account  sufficient pam_ldap.so
account  required   pam_unix.so
</code>

/usr/lib/sasl2/smtpd.conf (SUSE <10.1) / /etc/sasl2/smtpd.conf (SUSE 10.2):

<code>
pwcheck_method: saslauthd
mech_list: plain login cram-md5 digest-md5
loglevel: 7
</code>

/usr/lib/sasl2/slapd.conf (SUSE <10.1) / /etc/sasl2/slapd.conf (SUSE 10.2):

<code>
mech_list: plain login cram-md5 digest-md5
</code>

And restart saslauthd and cyrus:

<code>
rcsaslauthd restart
rccyrus restart
</code>

Watch the output in /var/log/messages carefully for any errors!

=== Testing ===

Grep the /etc/passwd file for the user "cyrus":

<code>
grep cyrus /etc/passwd
cyrus:x:96:12:User for cyrus-imapd:/usr/lib/cyrus:/bin/bash
</code>

Set a password, e.g. "tester", for user "cyrus":

<code>
station7:/ # passwd cyrus
Changing password for cyrus.
New Password:
Reenter New Password:
Password changed.
</code>

Test now if SASL is working:

<code>
station7:/ # testsaslauthd -u cyrus -p tester
0: OK "Success."
</code>

So SASL is working with UNIX authentication via /etc/passwd.

Check now for a user that exists only in LDAP, e.g. user "haasc" with password "tester1":

<code>
station7:/ # testsaslauthd -u haasc -p tester1
0: OK "Success."
</code>
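Two things are worth checking by script once the files above are in place. First, saslauthd can only verify a plaintext password that is handed to it, so with ''pwcheck_method: saslauthd'' the ''cram-md5'' and ''digest-md5'' entries in ''mech_list'' cannot be served (those mechanisms need the shared secret from an auxprop plugin such as sasldb); a client that picks one of them will fail to authenticate even though the testsaslauthd run above succeeds. Second, /etc/saslauthd.conf holds ''ldap_password'' in cleartext and should be readable by root only. The script below is an added example, not part of the original page; it writes constructed copies of the page's two config snippets to a temporary directory, reports the mechanisms saslauthd cannot serve, checks the permission bits of the saslauthd.conf copy, and interprets the ''0: OK'' reply line that testsaslauthd prints. It assumes a GNU or BSD ''stat'' and a POSIX shell.

```shell
#!/bin/sh
# Constructed sample files (copies of the snippets on this page, not the
# live system files) are written to a temporary directory for the checks.
WORK=$(mktemp -d)
cat > "$WORK/smtpd.conf" <<'EOF'
pwcheck_method: saslauthd
mech_list: plain login cram-md5 digest-md5
loglevel: 7
EOF
cat > "$WORK/saslauthd.conf" <<'EOF'
ldap_servers: ldap://127.0.0.1
ldap_bind_dn: cn=ldapadmin,dc=example,dc=com
ldap_password: your-secret-ldap_admin-password
EOF
chmod 644 "$WORK/saslauthd.conf"   # deliberately too open, to exercise the check

# Print the mech_list entries that saslauthd cannot serve, space separated.
# saslauthd only verifies a plaintext password, so the shared-secret
# mechanisms CRAM-MD5 and DIGEST-MD5 never succeed with it.
unsupported_mechs() {
  conf=$1
  method=$(awk -F': *' '$1=="pwcheck_method"{print $2}' "$conf")
  [ "$method" = "saslauthd" ] || return 0
  awk -F': *' '$1=="mech_list"{print $2}' "$conf" | tr ' ' '\n' |
    grep -E '^(cram-md5|digest-md5)$' | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 when the file's group and other bits are all zero (mode ?00),
# i.e. only the owner can read the LDAP bind password stored in it.
owner_only() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# Return 0 when a testsaslauthd reply reports success ("0: OK ...").
saslauthd_ok() {
  printf '%s\n' "$1" | grep -q '^0: OK'
}

# Usage: report on the constructed files.
for m in $(unsupported_mechs "$WORK/smtpd.conf"); do
  echo "mech_list entry '$m' will not work with pwcheck_method: saslauthd"
done
owner_only "$WORK/saslauthd.conf" ||
  echo "$WORK/saslauthd.conf: ldap_password readable by other users, use chmod 600"
saslauthd_ok '0: OK "Success."' && echo "testsaslauthd reply parsed as success"
```

Run it as a normal user; nothing in it touches the real files under /etc. To check the live configuration, point ''unsupported_mechs'' and ''owner_only'' at /etc/sasl2/smtpd.conf and /etc/saslauthd.conf instead of the temporary copies.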
Test now if cyradm can log on properly:

<code>
station7:/ # cyradm -u cyrus station7.example.com
IMAP Password:
station7.example.com>
</code>

=== SASLfinger ===

saslfinger is a bash utility script that helps you debug your SMTP AUTH setup. It gathers various information about Cyrus SASL and Postfix from your system and writes it to stdout.\\
It was written by Patrick Ben Koetter.

**Usage:**\\
You must run saslfinger with one of the following options:

**-c** If you run saslfinger with the option -c it will collect data required for client-side SMTP AUTH. Client-side SMTP AUTH is when the Postfix smtp daemon uses SMTP AUTH to authenticate itself with a remote mail server that offers SMTP AUTH.

saslfinger will try to telnet to all hosts listed in smtp_sasl_password_maps, if it is allowed to read smtp_sasl_password_maps. The telnet test verifies that your host is able to reach the remote servers and shows which AUTH mechanisms they offer; in some cases this is required to debug client-side SMTP AUTH.

**Important:** By default smtp_sasl_password_maps must be readable only by root, since these maps contain the usernames and passwords used to authenticate. If you run saslfinger as root, access will be no problem, but saslfinger will fail if you lack the permissions to access smtp_sasl_password_maps. If you want to run the telnet test but don't want to run saslfinger as root, change the permissions of smtp_sasl_password_maps so that the user running saslfinger may access it while you debug.

**Note:** You don't need to worry about saslfinger doing anything with the username or password stored next to the remote hosts in your smtp_sasl_password_maps; saslfinger completely ignores this information!

**-h** If you run saslfinger with the option -h it will print a short help message that tells you about the options you can use.

**-s** If you run saslfinger with the option -s it will collect data required for server-side SMTP AUTH. Server-side SMTP AUTH is when the Postfix smtpd daemon offers SMTP AUTH to mail clients.

Download at [[http://postfix.state-of-mind.de/patrick.koetter/saslfinger/saslfinger-1.0.2.tar.gz]]

<- [[linux:email:email|back]]