SASL
A very convenient way of configuring the Simple Authentication and Security Layer (SASL) is to use the Pluggable Authentication Modules (PAM), since PAM can draw on different authentication sources such as LDAP or /etc/passwd. As the setup below shows, SASL is everything but simple.
To configure SASL on SUSE you have to modify several configuration files:
- /etc/sysconfig/saslauthd
- /etc/saslauthd.conf
- /etc/pam.d/imap
- /etc/pam.d/pop
- /etc/pam.d/sieve
- /etc/pam.d/smtp
- /usr/lib/sasl2/smtpd.conf (SUSE <10.1) / /etc/sasl2/smtpd.conf (SUSE 10.2)
- /usr/lib/sasl2/slapd.conf (SUSE <10.1) / /etc/sasl2/slapd.conf (SUSE 10.2)
You should have the following additional packages installed:
- pam
- pam-modules
- pam_ldap
/etc/sysconfig/saslauthd:
## Path: System/Security/SASL
## Type: list(getpwent,kerberos5,pam,rimap,shadow,ldap)
## Default: pam
## ServiceRestart: saslauthd
#
# Authentication mechanism to use by saslauthd.
# See man 8 saslauthd for available mechanisms.
#
SASLAUTHD_AUTHMECH=pam
/etc/saslauthd.conf:
ldap_servers: ldap://127.0.0.1
ldap_version: 3
ldap_timeout: 10
ldap_time_limit: 10
ldap_cache_ttl: 30
ldap_cache_mem: 32768
ldap_scope: sub
ldap_search_base: ou=people,dc=example,dc=com
ldap_filter_mode: yes
ldap_filter: uid=%u
ldap_use_sasl: no
ldap_bind_dn: cn=ldapadmin,dc=example,dc=com
ldap_password: your-secret-ldap_admin-password
This file contains the LDAP bind password in clear text, so keep it readable by root only (mode 0600).
Modify your files /etc/pam.d/imap, /etc/pam.d/pop, /etc/pam.d/sieve and /etc/pam.d/smtp from:
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session include common-session
to:
#%PAM-1.0
auth sufficient pam_ldap.so
auth required pam_unix.so use_first_pass
account sufficient pam_ldap.so
account required pam_unix.so
/usr/lib/sasl2/smtpd.conf (SUSE <10.1) / /etc/sasl2/smtpd.conf (SUSE 10.2):
pwcheck_method: saslauthd
mech_list: plain login cram-md5 digest-md5
loglevel: 7
/usr/lib/sasl2/slapd.conf (SUSE <10.1) / /etc/sasl2/slapd.conf (SUSE 10.2):
mech_list: plain login cram-md5 digest-md5
Note that saslauthd can only verify mechanisms that hand it the password itself (plain and login), so make sure those are only offered over TLS; cram-md5 and digest-md5 need the stored plaintext password through an auxprop plugin and cannot be verified via saslauthd.
And restart saslauthd and cyrus:
rcsaslauthd restart
rccyrus restart
Watch the output in /var/log/messages carefully for any errors!
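As an added check for the files just configured (example code written for this page; it is not part of the original howto, of Cyrus SASL or of SUSE), the following Python script parses the key: value format of saslauthd.conf and smtpd.conf and reports what a reviewer would flag: an ldap_password file readable by others, PLAIN/LOGIN offered (the password travels on the wire, so allow AUTH only after STARTTLS), and CRAM-MD5/DIGEST-MD5 listed although saslauthd cannot verify them. It goes one step beyond the page by also flagging a non-loopback ldap:// server used without TLS; the sample contents are constructed from the values above, and audit_files() reads the live SUSE 10.2 paths.

```python
import os
import re
import stat

# Constructed sample contents mirroring the files set up above (not read from a live system).
SAMPLE_SASLAUTHD_CONF = """ldap_servers: ldap://127.0.0.1
ldap_search_base: ou=people,dc=example,dc=com
ldap_filter: uid=%u
ldap_bind_dn: cn=ldapadmin,dc=example,dc=com
ldap_password: your-secret-ldap_admin-password
"""
SAMPLE_SMTPD_CONF = "pwcheck_method: saslauthd\nmech_list: plain login cram-md5 digest-md5\nloglevel: 7\n"

# PLAIN/LOGIN send the password itself (which is what saslauthd/PAM verifies) and belong inside TLS
# only; CRAM-MD5/DIGEST-MD5 need the stored plaintext password (auxprop), so saslauthd cannot verify them.
PLAINTEXT_MECHS, SHARED_SECRET_MECHS = {"plain", "login"}, {"cram-md5", "digest-md5"}
LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}

def parse_sasl_conf(text):
    """Parse the 'key: value' format of saslauthd.conf and smtpd.conf; lines starting with '#' are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip().lower()] = value.strip()
    return conf

def audit(saslauthd_conf, smtpd_conf, saslauthd_conf_mode=0o600):
    """Return (severity, message) findings; saslauthd_conf_mode is that file's permission bits."""
    ld, sm, findings = parse_sasl_conf(saslauthd_conf), parse_sasl_conf(smtpd_conf), []
    if "ldap_password" in ld and saslauthd_conf_mode & 0o077:
        findings.append(("high", "ldap_password is stored in saslauthd.conf but the file is not mode 0600"))
    for url in ld.get("ldap_servers", "").split():
        m = re.match(r"^(ldaps?)://(\[[^\]]+\]|[^:/]+)", url)
        if m and m.group(1) == "ldap" and m.group(2) not in LOOPBACK:
            findings.append(("high", f"simple bind to {url} without TLS exposes bind and user passwords on the wire"))
    mechs = set(sm.get("mech_list", "").lower().split())
    if mechs & PLAINTEXT_MECHS:
        findings.append(("medium", "PLAIN/LOGIN offered: allow AUTH only after STARTTLS (Postfix: smtpd_tls_auth_only = yes)"))
    if sm.get("pwcheck_method", "").lower() == "saslauthd" and mechs & SHARED_SECRET_MECHS:
        findings.append(("info", f"{sorted(mechs & SHARED_SECRET_MECHS)} cannot be verified via saslauthd; drop them or use auxprop"))
    return findings

def audit_files(saslauthd_path="/etc/saslauthd.conf", smtpd_path="/etc/sasl2/smtpd.conf"):
    """Audit the live files (SUSE 10.2 paths from the list above); needs read access to both."""
    with open(saslauthd_path) as f, open(smtpd_path) as g:
        return audit(f.read(), g.read(), stat.S_IMODE(os.stat(saslauthd_path).st_mode))
```

Run audit_files() as root after the restart; on the configuration above it reports the PLAIN/LOGIN and CRAM-MD5/DIGEST-MD5 findings, plus the permissions finding if /etc/saslauthd.conf is not mode 0600.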
Testing
Grep the /etc/passwd file for the user „cyrus“:
cat /etc/passwd | grep cyrus
cyrus:x:96:12:User for cyrus-imapd:/usr/lib/cyrus:/bin/bash
Set a password e.g. „tester“ for user „cyrus“:
station7:/ # passwd cyrus
Changing password for cyrus.
New Password:
Reenter New Password:
Password changed.
Now test whether SASL is working:
station7:/ # testsaslauthd -u cyrus -p tester
0: OK "Success."
So SASL is working with UNIX authentication via /etc/passwd.
Now check a user that exists only in LDAP, e.g. user „haasc“ with password „tester1“:
station7:/ # testsaslauthd -u haasc -p tester1
0: OK "Success."
Now test whether cyradm can log on properly:
station7:/ # cyradm -u cyrus station7.example.com
IMAP Password:
station7.example.com>
SASLfinger
saslfinger is a bash utility script that helps you debug your SMTP AUTH setup. It gathers various information about Cyrus SASL and Postfix from your system and writes it to stdout.
It was written by Patrick Ben Koetter.
Usage:
You must run saslfinger with one of the following options:
-c If you run saslfinger with the option -c it will collect data required for client-side SMTP AUTH. Client-side SMTP AUTH is when Postfix smtp daemon uses SMTP AUTH to authenticate itself with a remote mail server that offers SMTP AUTH.
saslfinger will try to telnet to all hosts listed in smtp_sasl_password_maps, if it is allowed to read smtp_sasl_password_maps.
The telnet test verifies that your host is able to reach the remote servers and shows which AUTH mechanisms they offer; in some cases this is required to debug client-side SMTP AUTH.
Important: By default smtp_sasl_password_maps must be readable by root only, since these maps contain the usernames and passwords used to authenticate. If you run saslfinger as root, access will be no problem, but saslfinger will fail if you lack the permissions to read smtp_sasl_password_maps.
If you want to run the telnet test but don't want to run saslfinger as root, change the permissions of smtp_sasl_password_maps so that the user running saslfinger may read it while you debug.
Note: You don't need to worry about saslfinger doing anything with the username or password stored next to the remote hosts in your smtp_sasl_password_maps; saslfinger completely ignores this information!
-h If you run saslfinger with the option -h it will print a little help message that tells you about the options you can use.
-s If you run saslfinger with the option -s it will collect data required for server-side SMTP AUTH. Server-side SMTP AUTH is when Postfix smtpd daemon offers SMTP AUTH to mail clients.
Download at http://postfix.state-of-mind.de/patrick.koetter/saslfinger/saslfinger-1.0.2.tar.gz