I've been using postfix on a Debian box for a few years. Easy enough to set up, but now I'm looking at replacing that box with a SuSE 8.2 box. I figure I can muddle my way through postfix configuration using YAST2 easy enough. But the configuration of cyrus is a little daunting.
I have some basic questions and I'm not sure where to begin finding the answers.
is cyrus-sasld required for cyrus to function? (appears to be a definite Yes)
Authentication: I am attempting to configure my network with PAM_LDAP authentication. Attempting, in that I haven't gotten there yet. But I would also want to be able to create mail accounts for users who are not in my network or may be on a different domain name (two domains on one mail server). Can I do this using LDAP with TLS? (I really don't want plaintext passwords unless it's between my LAN and DMZ)
What's the DEFAULT authentication model for cyrus?
hi
I have some basic questions and I'm not sure where to begin finding the answers.
Take a look at
is cyrus-sasld required for cyrus to function? (appears to be a definite Yes)
YES. cyrus-sasl is required. SuSE comes with both (i.e. -imapd and -sasl).
Authentication: I am attempting to configure my network with PAM_LDAP authentication.
Use saslauthd. Consider using saslauthd directly to the ldapserver. PAM here is only a hassle.
Attempting, in that I haven't gotten there yet. But I would also want to be able to create mail accounts for users who are not in my network or may be on a different domain name (two domains on one mail server).
Can I do this using LDAP with TLS?
TLS has nothing to do with it. LDAP no problem - define different usernames and map different domains to them.
(I really don't want plaintext passwords unless it's between my LAN and DMZ)
Well, how big is this operation? It might be worth considering some kind of digest-md5 auth. See http://marc.theaimsgroup.com/?l=cyrus-sasl&m=105815526130121&w=2
What's the DEFAULT authentication model for cyrus?
Sasl :-)
Thank you for the input. I've made some progress.
I have plaintext authentication against my /etc/passwd file. This is not my preferred method of authentication, but it's a working email server and since IMAP is only from the LAN it might be OK.
I'm still not sure how to limit a DMZ service to a LAN subnet only. I'm using ipcop as a firewall and have a DMZ of 192.168.0.1/24 and a LAN of 192.168.1../24. Although ipcop does not permit IMAP traffic to the DMZ from the outside, I would prefer to firewall the server to IMAP only from 192.168.1.1/24 as a matter of practice. But that's probably another chapter.
Right now I'm still wondering if I should try LDAP authentication, but I have another problem that's even bigger.
How do I get spamassassin back into action? It seems that the email that's coming in is not being filtered/scanned for spam. X-Virus-Scanned tags are good, but nothing from X-Spam-Status.
On Sun, 2003-10-12 at 03:45, Tom Allison wrote:
I have plaintext authentication against my /etc/passwd file. This is not my preferred method of authentication, but it's a working email server and since IMAP is only from the LAN it might be OK.
Using plaintext authentication is *always* a security issue, even when working on the LAN. Someone could install a sniffer or spyware. I recommend you implement Kerberos 5 on your LAN (it's not too difficult) and then enable Cyrus GSSAPI/Kerberos support for cyrus-imapd. That's the way I'm doing it and, since I'm using Kerberos, passwords are never sent out to the network. Additionally, Kerberos allows for single sign-on for those applications (like cyrus-imapd) that use SASL, GSSAPI or Kerberos.
hi,
I have plaintext authentication against my /etc/passwd file. This is not my preferred method of authentication, but it's a working email server and since IMAP is only from the LAN it might be OK.
No good, consider using just sasldb if there are just some 5 - 10 users.
Right now I'm still wondering if I should try LDAP authentication, but I have another problem that's even bigger.
Yes you should try LDAP configuration. Have you got "normal" ldap configuration to work? (i.e. normal user authentication) Then you're on the right track. Take a look at directory-admin (www.open-it.org) for an ok admin app.
How do I get spamassassin back into action? It seems that the email that's coming in is not being filtered/scanned for spam. X-Virus-Scanned tags are good, but nothing from X-Spam-Status.
? I have no idea. Have you looked at your logs?
Tarjei
Tarjei Huse wrote:
Yes you should try LDAP configuration. Have you got "normal" ldap configuration to work? (i.e. normal user authentication) then you're on the right track. Take a look at directory-admin (www.open-it.org) for an ok admin app.
I have not.
This is what I run into:
Make sure that ldap started up OK.
The only error I get there is:
daemon: Attempt to listen to 0.0.0.0 failed, already listening on ::, assuming IPv4 included.
And it finishes with:
daemon: select: listen=13 active_threads=0 tvp=NULL
/etc/openldap/ldap.conf shows a ldap_version 2, changing to 3.
/etc/init.d/ldap restart
(Still get the same error about listening to 0.0.0.0, but the listen=6 this time....)
When I go into YAST, User and group administration, and try to Set Filter to LDAP I am asked for the BIND password.
(I already set this up on the initial installation yesterday)
and then I get the following in the logs; the process fails every time.
Oct 13 07:15:38 dmz slapd[3384]: daemon: new connection on 12
Oct 13 07:15:38 dmz slapd[3384]: conn=5 fd=12 ACCEPT from IP=127.0.0.1:1030 (IP=:: 389)
Oct 13 07:15:38 dmz slapd[3384]: daemon: added 12r
Oct 13 07:15:38 dmz slapd[3384]: daemon: activity on:
Oct 13 07:15:38 dmz slapd[3384]:
Oct 13 07:15:38 dmz slapd[3384]: daemon: select: listen=6 active_threads=0 tvp=NULL
Oct 13 07:15:38 dmz slapd[3384]: daemon: activity on 1 descriptors
Oct 13 07:15:38 dmz slapd[3384]: daemon: activity on:
Oct 13 07:15:38 dmz slapd[3384]: 12r
Oct 13 07:15:38 dmz slapd[3384]:
Oct 13 07:15:38 dmz slapd[3384]: daemon: read activity on 12
Oct 13 07:15:38 dmz slapd[3384]: connection_get(12)
Oct 13 07:15:38 dmz slapd[3384]: connection_get(12): got connid=5
Oct 13 07:15:38 dmz slapd[3384]: connection_read(12): checking for input on id=5
Oct 13 07:15:38 dmz slapd[3384]: ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
Oct 13 07:15:38 dmz slapd[3384]: daemon: select: listen=6 active_threads=1 tvp=NULL
Oct 13 07:15:38 dmz slapd[3460]: do_bind
Oct 13 07:15:38 dmz slapd[3460]: >>> dnPrettyNormal:
On Saturday, 11 October 2003 13:04, tallison@tacocat.net wrote:
I've been using postfix on a Debian box for a few years. Easy enough to set up, but now I'm looking at replacing that box with a SuSE 8.2 box.
I figure I can muddle my way through postfix configuration using YAST2 easy enough.
But the configuration of cyrus is a little daunting.
I have some basic questions and I'm not sure where to begin finding the answers.
is cyrus-sasld required for cyrus to function? (appears to be a definite Yes)
"cyrus-sasl" or "saslauthd" ? What is "cyrus-sasld"? You need cyrus-sasl to authenticate.
Authentication: I am attempting to configure my network with PAM_LDAP authentication. Attempting, in that I haven't gotten there yet. But I would also want to be able to create mail accounts for users who are not in my network or may be on a different domain name (two domains on one mail server). Can I do this using LDAP with TLS? (I really don't want plaintext passwords unless it's between my LAN and DMZ)
What's the DEFAULT authentication model for cyrus?
What is "model"? The default in Suse-8.2 is to use saslauthd via pam to authenticate. So you could easily configure pam_ldap. And about the cleartext-passwords: "saslauthd" is bound to sasl-auth-mechs like plain and login, which means that you have to send the cleartext-passwords, but you could use tls-connections. This should already be built into Suse's Cyrus-IMAPd.
--
Andreas
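As an added configuration example (not from any poster in this thread), this is the setup Tarjei suggests, saslauthd querying the directory directly with no PAM in between, combined with the point Andreas makes: saslauthd can only verify the cleartext PLAIN/LOGIN mechanisms, so the IMAP side has to refuse them until the client has negotiated TLS. Hostnames, DNs, certificate paths and the bind password are placeholders; the `mail=%u` filter assumes each account's directory entry carries its full login address, which is one way to serve two domains from one server.

```conf
# /etc/saslauthd.conf -- saslauthd talks to slapd itself, so start it with
#   saslauthd -a ldap -O /etc/saslauthd.conf
# (how the init script passes "-a ldap" is distribution-specific)
ldap_servers: ldap://ldap.example.lan/
ldap_version: 3
# STARTTLS on the saslauthd<->slapd hop: the password being verified
# would otherwise travel to the directory in the clear
ldap_start_tls: yes
ldap_tls_cacert_file: /etc/ssl/certs/lan-ca.pem
ldap_auth_method: bind
# Find the entry whose mail attribute equals the full login name (%u),
# then bind as that entry with the password the IMAP client supplied.
# Users from both domains log in as user@their-domain.
ldap_search_base: ou=People,dc=example,dc=lan
ldap_filter: (&(objectClass=inetOrgPerson)(mail=%u))
ldap_bind_dn: cn=saslauthd,ou=Services,dc=example,dc=lan
ldap_password: PLACEHOLDER-bind-password

# /etc/imapd.conf -- Cyrus side
sasl_pwcheck_method: saslauthd
# saslauthd can only check cleartext mechanisms ...
sasl_mech_list: PLAIN LOGIN
# ... so refuse them on a connection that is not already TLS-protected
allowplaintext: no
tls_cert_file: /etc/ssl/certs/imap.example.lan.pem
tls_key_file: /etc/ssl/private/imap.example.lan.key
tls_ca_file: /etc/ssl/certs/lan-ca.pem
```

With `allowplaintext: no` a client that tries LOGIN or PLAIN before STARTTLS is rejected, which is the check to run against the server once the directory bind works.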