Re: setting up imap/sasl

2006-08-20 Thread Matthew Seaman
Dan Langille wrote:

> When I run imtest, I see two problems:
> 
> 1 - I see only two AUTH= clauses: DIGEST-MD5 and CRAM-MD5.  Shouldn't 
> I see one for SASL?

No.  SASL is the library that provides the glue between various
authentication mechanisms, the authentication databases and the
applications.  There isn't a 'SASL' authentication mechanism as
such.  You're not seeing LOGIN or PLAIN here -- which suggests
you've got a non-zero security strength factor set, and it seems
you don't have any GSSAPI/Kerberos or SSL based authentication
available, which really leaves only CRAM-MD5 or DIGEST-MD5, and
CRAM-MD5 is really only there for historical reasons.

> 2 - I've been unable to get authorization to work.
> 
> $ imtest -m login -a admin -u admin polo
> S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=DIGEST-MD5 
> AUTH=CRAM-MD5 SASL-IR] polo.unixathome.org Cyrus IMAP4 v2.3.7 server 

[...]

> I've tried various sasl_pwcheck_method options.  The above is with 
> "saslauthd".  With "auxprop", it is similar, but:
> 
> Please enter your password:
> C: L01 LOGIN admin {5}
> S: + go ahead
> C: 
> failure: prot layer failure

'saslauthd' handles only password style authentication.  You can set it
to use the standard system password stuff -- getpwent() or PAM things,
but ironically that will force you to use LOGIN or PLAIN auth mechanisms
with the password being sent over the 'net in plain.  If you use the
separate saslauthdb, or you tie SASL to RADIUS, LDAP or some other back-end
RDBMS, you'll get the more secure login mechanisms (i.e. DIGEST-MD5) but
at the cost of having a DB containing the authentication tokens (read:
password) held in plain text inside it.

However, if you're going to have a non-password file auth database, then
forget using saslauthd -- set up Cyrus IMAPD to use auxprop directly.  You
can put configuration stuff for Cyrus in /usr/local/lib/sasl2/Cyrus.conf
or you can add the same directives to /usr/local/etc/imapd.conf prefixed
with 'sasl-' (in addition to the imapd configuration directives from the
imapd.conf(5) man page).  There's a list of the directives you can use
in one of the application Foo.conf files under /usr/local/lib/sasl2/
here:

file:///usr/local/share/doc/cyrus-sasl2/html/options.html

There are two advantages of doing things that way: (i) you aren't reliant
on saslauthd which can be a SPOF and (ii) you make the *non* password
authentication mechanisms available to your application -- so you can
use GSSAPI or even SSL certs to authenticate users.

Another good move is to provide SSL Certs etc for IMAP and either run
it over an encrypted link (IMAPS on port 993 usually) or permit it to
use STARTTLS to provide an encrypted channel for authentication.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW



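The greeting Dan quoted and the CRAM-MD5 exchange that sits behind an AUTH=CRAM-MD5 token, as an added example that is not part of the thread and not Cyrus or Cyrus SASL code. It parses the CAPABILITY response code the way imtest shows it, flags the situations Matthew describes (no STARTTLS on the cleartext port, plaintext mechanisms offered there, only challenge/response mechanisms left), and then walks one RFC 2195 exchange from both sides to show why the server must hold a recoverable copy of the password. The greeting string is reconstructed from the thread, the challenge is the one printed in RFC 2195, and the user name and password are test values.

```python
"""Added example (not from the thread): read an IMAP greeting the way
imtest displays it, and walk a CRAM-MD5 exchange to show why the
challenge/response mechanisms force the server to keep a recoverable
copy of the password."""
import base64
import hashlib
import hmac
import re

# Reconstructed from the greeting quoted in the thread, not captured live.
GREETING = (
    "* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=DIGEST-MD5 "
    "AUTH=CRAM-MD5 SASL-IR] polo.unixathome.org Cyrus IMAP4 v2.3.7 server"
)

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}          # password crosses the wire as-is
CHALLENGE_MECHS = {"CRAM-MD5", "DIGEST-MD5"}  # password stays off the wire


def parse_capabilities(greeting):
    """Return the tokens inside the [CAPABILITY ...] response code."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", greeting)
    if m is None:
        raise ValueError("greeting carries no CAPABILITY response code")
    return m.group(1).split()


def auth_mechs(caps):
    """SASL mechanisms advertised as AUTH= tokens, sorted for stable output."""
    return sorted(c[len("AUTH="):] for c in caps if c.startswith("AUTH="))


def assess(greeting, over_tls=False):
    """Findings about what the server is willing to do on this connection.

    over_tls=True means the greeting was read on IMAPS (993) or after a
    successful STARTTLS, so plaintext mechanisms are acceptable there.
    """
    caps = parse_capabilities(greeting)
    mechs = set(auth_mechs(caps))
    cleartext = not over_tls and "STARTTLS" not in caps
    findings = []
    if cleartext:
        findings.append("no STARTTLS advertised on the cleartext port")
        exposed = sorted(mechs & PLAINTEXT_MECHS)
        if exposed:
            findings.append("plaintext mechanisms offered without TLS: "
                            + " ".join(exposed))
        if "LOGINDISABLED" not in caps:
            findings.append("IMAP LOGIN command still enabled without TLS")
    if mechs and mechs <= CHALLENGE_MECHS:
        findings.append("only challenge/response mechanisms: the server "
                        "must hold each password in recoverable form")
    return findings


def cram_md5_response(user, password, challenge_b64):
    """Client side of RFC 2195: base64(user + " " + hex(HMAC-MD5(password, challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(("%s %s" % (user, digest)).encode()).decode()


def cram_md5_verify(stored_passwords, challenge_b64, response_b64):
    """Server side: recompute the HMAC from the *stored* password.

    stored_passwords maps user -> plaintext password; that is the table an
    auxprop back-end such as sasldb has to hold for this mechanism, since a
    one-way hash of the password cannot be used to recompute the HMAC.
    Returns the authenticated user name, or None on any failure.
    """
    try:
        user, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    password = stored_passwords.get(user)
    if password is None:
        return None
    expected = hmac.new(password.encode(), base64.b64decode(challenge_b64),
                        hashlib.md5).hexdigest()
    return user if hmac.compare_digest(expected, digest) else None


if __name__ == "__main__":
    for finding in assess(GREETING):
        print("finding:", finding)
    # Challenge printed in RFC 2195's example; user and password are test values.
    chal = "PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+"
    resp = cram_md5_response("tim", "tanstaaftanstaaf", chal)
    print("S: +", chal)
    print("C:", resp)
    print("server accepts:", cram_md5_verify({"tim": "tanstaaftanstaaf"}, chal, resp))
```

Run it against the reconstructed greeting and it reports the two things Matthew points out: nothing is advertised that would let the client negotiate TLS on that port, and the only mechanisms left are the ones that need the password stored in the clear on the server. Pass `over_tls=True` to see what the same greeting would mean on 993 or after STARTTLS. Note that imapd.conf(5) spells the SASL options with an underscore, as in Dan's own `sasl_pwcheck_method`.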


Re: Setting Up IMAP

2004-05-12 Thread Vince Hoffman


On Wed, 12 May 2004, Charles Swiger wrote:

> On May 12, 2004, at 9:29 AM, Jason Dusek wrote:
> >  Problem 1
> > My mail server's certificate 'fails' the authenticity test because it
> > is self-assigned. Why is this bad (aren't I *supposed* to get a
> > certificate with
> >  # make cert
> > in the stunnel port?) and what do I do to get a better certificate?
>
> You can add the certificate of the local CA you used to sign the SSL
> cert to your mail client's list of trusted CAs.
>
> You can also pay a "real CA" like Verisign, enTrust, etc for a
> commercial SSL cert which will be accepted by default, as mail clients
> already know those CAs.
>
> >  Problem 2
> > Kmail allows me accept the bad certificate and logs in successfully. It
> > then shows me my *entire* home directory, not just the mail folder.
> > Why does this happen?
>
> There may be an option named "IMAP path prefix" which will let you
> change this, or you can recompile the UWash IMAP server after changing
> the default path where mail is kept.
>
> You'll probably need to go to /usr/ports/mail/cclient, do a "make
> extract", and then cd to work/imap-2002d.  Read docs/CONFIG,
> specifically:
>
> [ ...begin excerpt... ]
> >  Example 2: suppose you want to change c-client's idea of the
> > user's mailbox directory to be the "mail" subdirectory of the user's
> > home directory instead of the user's home directory.  You will want to
> > change variable mailsubdir, changing the line that reads:
> >
> > static char *mailsubdir = NIL;  /* mail subdirectory name */
> >  to be:
> > static char *mailsubdir = "mail";/* mail subdirectory name */
>
> ...and then do a "make deinstall ; make reinstall" from the port's
> directory.
>
Actually there is a way to set it without recompiling. From the docs
for imap-uw you can use one of the config files (read the docs if you don't
know what the config files are; the docs will say DO NOT use them, but they
exist if you really want to).
Again, go to /usr/ports/mail/imap-uw,
do make extract,
read work/imap-2002d/docs/imaprc.txt
[from /usr/ports/mail/imap-uw/work/imap-2002d/docs/imaprc.txt ]

32) set mail-subdirectory 
   Change the default connected directory from the user's home directory
   to the named subdirectory of the user's home directory.  For example,
   setting MAILSUBDIR="mail" will cause the POP2 and IMAP servers to
   connect to the user's ~/mail subdirectory.  This is equivalent to
   the env_unix.c edit described in Example 2 of the CONFIG file.

   Note that if the subdirectory does not exist, the result is undefined.
   It is probably an extremely bad idea to set this unless you can
   guarantee that the subdirectory exists for all users.  If you can not
   guarantee this, then you should leave the default as the user's home
   directory and allow them to configure a personal default in their IMAP
   client.

   The default is not to use any subdirectory.

[end extract]
This worked for me but, like I say, the docs recommend against it.
Vince

> --
> -Chuck
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: Setting Up IMAP

2004-05-12 Thread T Kellers
On Wednesday 12 May 2004 12:25 pm, Charles Swiger wrote:
> On May 12, 2004, at 9:29 AM, Jason Dusek wrote:

>
> >  Problem 2
> > Kmail allows me accept the bad certificate and logs in successfully. It
> > then shows me my *entire* home directory, not just the mail folder.
> > Why does this happen?
>
> There may be an option named "IMAP path prefix" which will let you
> change this, or you can recompile the UWash IMAP server after changing
> the default path where mail is kept.

In Kmail, change that IMAP path prefix to /var/mail/your username.

Tim Kellers
CPE/NJIT


Re: Setting Up IMAP

2004-05-12 Thread Charles Swiger
On May 12, 2004, at 9:29 AM, Jason Dusek wrote:
>  Problem 1
> My mail server's certificate 'fails' the authenticity test because it
> is self-assigned. Why is this bad (aren't I *supposed* to get a
> certificate with
>  # make cert
> in the stunnel port?) and what do I do to get a better certificate?

You can add the certificate of the local CA you used to sign the SSL 
cert to your mail client's list of trusted CAs.

You can also pay a "real CA" like Verisign, enTrust, etc for a 
commercial SSL cert which will be accepted by default, as mail clients 
already know those CAs.

>  Problem 2
> Kmail allows me accept the bad certificate and logs in successfully. It
> then shows me my *entire* home directory, not just the mail folder.
> Why does this happen?

There may be an option named "IMAP path prefix" which will let you 
change this, or you can recompile the UWash IMAP server after changing 
the default path where mail is kept.

You'll probably need to go to /usr/ports/mail/cclient, do a "make 
extract", and then cd to work/imap-2002d.  Read docs/CONFIG, 
specifically:

[ ...begin excerpt... ]
>  Example 2: suppose you want to change c-client's idea of the
> user's mailbox directory to be the "mail" subdirectory of the user's
> home directory instead of the user's home directory.  You will want to
> change variable mailsubdir, changing the line that reads:
>
> static char *mailsubdir = NIL;  /* mail subdirectory name */
>  to be:
> static char *mailsubdir = "mail";/* mail subdirectory name */

...and then do a "make deinstall ; make reinstall" from the port's 
directory.

--
-Chuck
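Both the CONFIG edit Charles quotes and the mail-subdirectory setting Vince found carry the same warning from imaprc.txt: if the subdirectory does not exist for a user, the result is undefined. The check below, an added example that is not part of the thread and not UW IMAP code, is what an admin would run before turning either on. It walks a list of (login, home) pairs and reports every account whose home/subdir is not a real directory; `interactive_accounts()` builds that list from the system passwd database using a UID floor and shell list that are assumptions to adjust per site, and `demo_accounts()` builds a constructed home tree so the check can be tried offline.

```python
"""Added example (not from the thread): check that the directory named by
mail-subdirectory exists for every account before turning it on, since
imaprc.txt says the result is undefined when it does not."""
import os
import pwd
import tempfile


def users_missing_subdir(accounts, subdir):
    """accounts: iterable of (login, home). Returns the logins whose
    home/subdir is absent or is not a directory (a plain file counts)."""
    missing = []
    for login, home in accounts:
        if not os.path.isdir(os.path.join(home, subdir)):
            missing.append(login)
    return missing


def interactive_accounts(min_uid=1000,
                         nologin=("/sbin/nologin", "/usr/sbin/nologin",
                                  "/bin/false")):
    """Accounts from the passwd database that can plausibly log in over
    IMAP: ordinary UIDs with a real shell. The UID floor and the shell
    list are assumptions; adjust them to the site's conventions."""
    return [(p.pw_name, p.pw_dir) for p in pwd.getpwall()
            if p.pw_uid >= min_uid and p.pw_shell not in nologin]


def demo_accounts():
    """Constructed home tree for a dry run: alice has ~/mail, bob has
    nothing, carol has a *file* called mail. Returns (login, home) pairs."""
    root = tempfile.mkdtemp(prefix="imaphomes-")
    os.makedirs(os.path.join(root, "alice", "mail"))
    os.makedirs(os.path.join(root, "bob"))
    os.makedirs(os.path.join(root, "carol"))
    with open(os.path.join(root, "carol", "mail"), "w") as f:
        f.write("not a directory\n")
    return [(u, os.path.join(root, u)) for u in ("alice", "bob", "carol")]


if __name__ == "__main__":
    # Swap demo_accounts() for interactive_accounts() on the real server.
    missing = users_missing_subdir(demo_accounts(), "mail")
    print("accounts without ~/mail:", missing)
    if missing:
        print("do not set mail-subdirectory until these are fixed")
```

On the constructed tree it reports bob and carol; on a real server, replace `demo_accounts()` with `interactive_accounts()` and create the directory for each account listed (or leave the default, as the doc advises, and let users set the prefix in their client).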