Setting up Cyrus SASL on Slackware 13.0 (32bit)

January 14th, 2012 - 02:53 pm ET by Lew Pitcher
Hi, everyone

Now that my Konqueror/NFS problem is cleared up, I'm tackling some more
long-delayed server configuration changes.

This time, the challenge is to set up Cyrus SASL for imap (Slackware's
Alpine IMAPD) and smtp (Slackware's Sendmail) use.

There's a lot written about how not to set up SASL, but very few details on
how /to/ set it up. Some of the details (such as where the individual
protocol's SASL config files should go) conflict; some doc says that the
IMAP config goes in /etc/imapd.conf (nonexistent on my Slackware system),
and others say that it goes in /usr/lib/sasl (again, nonexistent on my
Slackware system), and one or two mention configs go to /usr/lib/sasl2
(finally, something that /does/ exist).

The contents seem variable as well; there seems to be a standard for the
contents of the /usr/lib/{sasl,sasl2} config files, set by Cyrus SASL, and
there seems to be a different config format for /etc/imapd.conf.

I'm slowly working my way through the SASL documentation, and everything
else relevant (from Google searches), but I thought I'd ask here as well.

So, does anyone have any Slackware Cyrus SASL experience or advice that they
care to impart to me?

Thanks
Lew Pitcher

#1 Kees Theunissen
January 15th, 2012 - 05:41 am ET
Lew Pitcher wrote:
> Hi, everyone
>
> Now that my Konqueror/NFS problem is cleared up, I'm tackling some more
> long-delayed server configuration changes.
>
> This time, the challenge is to set up Cyrus SASL for imap (Slackware's
> Alpine IMAPD) and smtp (Slackware's Sendmail) use.
>
> There's a lot written about how not to set up SASL, but very few details on
> how /to/ set it up. Some of the details (such as where the individual
> protocol's SASL config files should go) conflict; some doc says that the
> IMAP config goes in /etc/imapd.conf (nonexistent on my Slackware system),
> and others say that it goes in /usr/lib/sasl (again, nonexistent on my
> Slackware system), and one or two mention configs go to /usr/lib/sasl2
> (finally, something that /does/ exist).



Yes, I ran into that confusion too.
Things changed with sasl2 and lots of information you'll find on the
Net predates sasl2.
/usr/lib/sasl2 does exist on Slackware but that is the place where the
libraries live. Create a directory /etc/slasl2 to put your configs into.

> The contents seem variable as well; there seems to be a standard for the
> contents of the /usr/lib/{sasl,sasl2} config files, set by Cyrus SASL, and
> there seems to be a different config format for /etc/imapd.conf.
>
> I'm slowly working my way through the SASL documentation, and everything
> else relevant (from Google searches), but I thought I'd ask here as well.
>
> So, does anyone have any Slackware Cyrus SASL experience or advice that they
> care to impart to me?



I've no experience with IMAP but some two years ago I configured
sendmail on my Slackware workstation to authenticate against the
shadow file. I never actually used it. I just confirmed that it worked.
At that time I was configuring a more complicated setup (Debian server
with sendmail using sasl --> pam --> libpam-ldap to authenticate against
a windows Active Directory domain) and I really needed a simpler setup
to start with.
I still have the config files lying around.

To use sasl the daemon /usr/sbin/saslauthd should be running.
The Slackware init script /etc/rc.d/rc.saslauthd starts saslauthd with
the "-a shadow" option to authenticate against /etc/shadow.
That's what I wanted so I just ran:

    chmod +x /etc/rc.d/rc.saslauthd
    /etc/rc.d/rc.saslauthd start

Build /etc/mail/sendmail.cf based on Slackware's configuration file
/usr/share/sendmail/cf/cf/sendmail-slackware-tls-sasl.mc. The package
sendmail-cf needs to be installed for that.
Sendmail requires encryption in order to use authentication. This
requirement can, but shouldn't, be switched off. To make encryption
work pay attention to the lines:

    dnl# You will need to create the certificates below with OpenSSL first:
    define(`confCACERT_PATH', `/etc/mail/certs/')
    define(`confCACERT', `/etc/mail/certs/CA.cert.pem')
    define(`confSERVER_CERT', `/etc/mail/certs/smtp.cert.pem')
    define(`confSERVER_KEY', `/etc/mail/certs/smtp.key.pem')

Either put your certificates and key in the specified locations or
adjust these lines to your needs.
The rest of /usr/share/sendmail/cf/cf/sendmail-slackware-tls-sasl.mc
should be fine.

Finally create /etc/sasl2/Sendmail.conf with these contents:

    pwcheck_method:saslauthd
    mech_list:login plain

This should do the job to my best knowledge, but ...
DISCLAIMER: I don't actually use this setup and it's almost two years
ago that I tested this -once- on a different Slackware distribution.

I found http://qmail.jms1.net/test-auth.shtml to be very helpful
in testing this stuff.

Regards,

Kees.

Kees Theunissen.
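
Why the TLS requirement in the post above matters for `mech_list:login plain`, as an added example that is not part of the original thread: LOGIN and PLAIN carry the password as reversible base64, so this sketch decodes a PLAIN token and audits EHLO replies taken before and after STARTTLS. The host name, credentials and EHLO replies are constructed, and the function names are hypothetical.

```python
import base64

PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}  # the mech_list from Sendmail.conf

def plain_token(user, password, authzid=""):
    """SASL PLAIN response (RFC 4616): authzid NUL user NUL password, base64."""
    raw = "\0".join((authzid, user, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def decode_plain(token):
    """What anyone reading an unencrypted session recovers from AUTH PLAIN."""
    return tuple(base64.b64decode(token).decode("utf-8").split("\0"))

def ehlo_keywords(reply):
    """Map EHLO keywords to parameters, e.g. {'AUTH': ['LOGIN', 'PLAIN']}."""
    found = {}
    for line in reply.splitlines()[1:]:  # line 0 is the greeting
        if line[:3] == "250" and line[3:4] in ("-", " "):
            words = line[4:].replace("=", " ").upper().split()
            if words:
                found.setdefault(words[0], []).extend(words[1:])
    return found

def audit(before_tls, after_tls):
    """Compare EHLO replies captured before and after STARTTLS."""
    pre, post = ehlo_keywords(before_tls), ehlo_keywords(after_tls)
    findings = []
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not offered: check confSERVER_CERT/confSERVER_KEY")
    exposed = PLAINTEXT_MECHS & set(pre.get("AUTH", []))
    if exposed:
        findings.append("cleartext AUTH before TLS: " + " ".join(sorted(exposed)))
    if not PLAINTEXT_MECHS & set(post.get("AUTH", [])):
        findings.append("no LOGIN/PLAIN after TLS: check Sendmail.conf and saslauthd")
    return findings

# Constructed sample replies (not captured from a real server).
GOOD_BEFORE = "250-mail.example.org Hello\n250-STARTTLS\n250 HELP"
GOOD_AFTER = "250-mail.example.org Hello\n250-AUTH LOGIN PLAIN\n250 HELP"
BAD_BEFORE = "250-mail.example.org Hello\n250-AUTH LOGIN PLAIN\n250 HELP"

if __name__ == "__main__":
    token = plain_token("alice", "s3cret")  # constructed credentials
    print(token, "->", decode_plain(token))
    print("good:", audit(GOOD_BEFORE, GOOD_AFTER))
    print("bad: ", audit(BAD_BEFORE, GOOD_AFTER))
```
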
#2 Kees Theunissen
January 15th, 2012 - 05:48 am ET
Kees Theunissen wrote:

> /usr/lib/sasl2 does exist on Slackware but that is the place where the
> libraries live. Create a directory /etc/slasl2 to put your configs into.
                                          ^^^^^^
s/slasl2/sasl2/


Regards,

Kees.

Kees Theunissen.
#3 Lew Pitcher
January 15th, 2012 - 05:57 pm ET
Thanks, Kees, for the information.

On Sunday 15 January 2012 05:41, in alt.os.linux.slackware,
wrote:

> Lew Pitcher wrote:
>> Hi, everyone
>>
>> Now that my Konqueror/NFS problem is cleared up, I'm tackling some more
>> long-delayed server configuration changes.
>>
>> This time, the challenge is to set up Cyrus SASL for imap (Slackware's
>> Alpine IMAPD) and smtp (Slackware's Sendmail) use.

[snip]
> I've no experience with IMAP but some two years ago I configured
> sendmail on my Slackware workstation to authenticate against the
> shadow file.



SASL-enabling sendmail is lower on my priority list than SASL-enabling
IMAPD, unfortunately. I've saved your post for future reference while I
pursue the imapd configuration (although, that might not take me as long as
I expected).

I've unpacked the Slackware 13.0 source package for imapd, and looked
through it; it appears that the Alpine imapd is "SASL-enabled", but only
through its own SASL mini-implementation. Unfortunately, Alpine imapd
doesn't use the Cyrus SASL library at all. And, this is bad news for me.

I'm trying to decouple my webmail service from my /etc/shadow; this so that
I can decouple the webmail credentials from the system credentials. I want
my webmail users to have webmail passwords that are completely independent
of their NIS-shared system login passwords. And, Cyrus SASL would let me
do that.

My webmail authenticates userid/password combinations with the IMAP server,
which, in turn, authenticates through the nsswitch options to /etc/shadow
or NIS. I could code a different authentication mechanism into my
webmail, /or/ I could (I hoped) use SASL to redirect IMAP's authentication
to one of the Cyrus-supported alternative authenticators (say, a MySQL
table or sasldb through the auxprop mechanism).

The nicest choice was to have IMAP change authentication mechanisms; this
way, I could offer mail services independent of system logon privileges.
But, as I said, Alpine imapd doesn't offer that functionality. I haven't
traced exactly what it does, but it appears to offer SASL MD5 and OTP
authentication against the system (nsswitch, /etc/shadow, or /etc/passwd),
and not through any 3rd party authenticator.


[snip]

Thanks for the advice,
Lew Pitcher