
Saturday, September 18, 2010

SASL : IMAP authentication system

In this article I am going to take you through building cyrus-sasl and integrating it with a Cyrus IMAP server that receives mail from the Postfix mail server. So fasten your seat belt for the ride.

SASL stands for Simple Authentication and Security Layer. It was originally defined in RFC 2222, which has since been superseded by RFC 4422. Here I will integrate it with a Cyrus IMAP server fed by Postfix. SASL is a framework that lets a client authenticate to a server through a negotiated mechanism, and the mechanism decides how the password travels: PLAIN and LOGIN send it in the clear (only base64-encoded) and must be protected by TLS, whereas CRAM-MD5 and DIGEST-MD5 send a challenge response instead of the password itself. SASL can also carry authorization information, so that a client authenticates as one identity and acts on behalf of another, and extended capabilities can be granted on that basis. In plainer words, a SASL mechanism can provide authentication only, or it can also negotiate a security layer that provides integrity checking, and possibly encryption as well.
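To make the "in the clear" point concrete, here is an added example (not part of the original article) showing what an IMAP AUTHENTICATE PLAIN exchange carries on the wire. The encoding is what RFC 4616 specifies: authzid, NUL, authcid, NUL, password, then base64. The server replies in the dialog are constructed for illustration, not captured from a real Cyrus server, and the block assumes GNU coreutils (base64 -d) and a printf that understands octal escapes.

```shell
#!/bin/sh
# Added example, not from the article: the SASL PLAIN initial response,
# as used by "a1 AUTHENTICATE PLAIN <blob>" (SASL-IR, RFC 4959).
# PLAIN = [authzid] NUL authcid NUL password, base64-encoded. No secrecy at all.

sasl_plain_encode() {
    # $1 = authcid (login name), $2 = password, $3 = optional authzid
    printf '%s\000%s\000%s' "${3:-}" "$1" "$2" | base64 | tr -d '\n'
}

sasl_plain_decode() {
    # What a passive observer on a non-TLS session does with the blob:
    # decode it and swap the NUL separators for spaces to read it.
    printf '%s' "$1" | base64 -d | tr '\000' ' '
}

imap_plain_dialog() {
    # The exchange a client should produce: STARTTLS first, then PLAIN.
    # Tags a0/a1 are arbitrary; the server lines are illustrative only.
    blob=$(sasl_plain_encode "$1" "$2")
    printf 'C: a0 STARTTLS\n'
    printf 'S: a0 OK Begin TLS negotiation now\n'
    printf 'C: a1 AUTHENTICATE PLAIN %s\n' "$blob"
    printf 'S: a1 OK Success\n'
}
```

Run `imap_plain_dialog bhaskar secret` and feed the blob to `sasl_plain_decode` to see that the "encoded" password is readable by anyone who can see the session; that is what the allowplaintext setting later in this article is about.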

I do not issue any guarantee that this will work for you.

First and foremost, get the cyrus-sasl source from here or from the project's own website.

OK, I am building it on Gentoo, so I will give the steps required to get it working there. But the prime focus is to show you how it works.

bhaskar@bhaskar-laptop_08:22:37_Sat Sep 18:~> sudo emerge -av cyrus-sasl
Password:

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild R ] dev-libs/cyrus-sasl-2.1.23-r1 USE="berkdb crypt gdbm ldap pam ssl -authdaemond -java -kerberos -mysql -ntlm_unsupported_patch -postgres -sample -sqlite -srp -urandom" 0 kB

Total: 1 package (1 reinstall), Size of downloads: 0 kB

Would you like to merge these packages? [Yes/No]


I choose N (no) here because I already have it on the system. But when was it installed? Let's find out:

bhaskar@bhaskar-laptop_08:47:55_Sat Sep 18:~> sudo genlop -t cyrus-sasl
* dev-libs/cyrus-sasl

Fri Nov 13 18:08:00 2009 >>> dev-libs/cyrus-sasl-2.1.23-r1
merge time: 2 minutes and 5 seconds.


Right! Now move on. We need a dedicated user for the IMAP daemons to run as, so that the mail spool is owned neither by root nor by an everyday account. So here we go:

bhaskar@bhaskar-laptop_08:49:18_Sat Sep 18:~> sudo useradd -g mail cyrus

Now the user looks like this:

bhaskar@bhaskar-laptop_08:49:18_Sat Sep 18:~> id cyrus
uid=110(cyrus) gid=12(mail) groups=12(mail)


Next we set a password for the user cyrus created in the previous step. Keep in mind that this is the Unix password, which is the one saslauthd will check through PAM later on, so do not reuse it anywhere:

root@bhaskar-laptop_09:02:10_Sat Sep 18:/home/bhaskar # passwd cyrus
Password:
Retype new password:
passwd: password updated successfully


Cool! You can go ahead and test the user before you build anything else on it. Now a few placeholder directories need to be created for it.

Creating the necessary directories

This list of commands sets up all the directories necessary for IMAP.

1. mkdir /var/adm

2. touch /var/adm/imapd.log /var/adm/auth.log

3. mkdir /var/imap /var/spool/imap /var/imap/srvtab

4. chown cyrus /var/imap /var/spool/imap /var/imap/srvtab

5. chgrp mail /var/imap /var/spool/imap /var/imap/srvtab

6. chmod 750 /var/imap /var/spool/imap /var/imap/srvtab


Those commands are easy to understand; if not, paste them into your system and see the effect. Note the 750 mode: the spool is readable by user cyrus and group mail only, so nothing else on the box gets to read other people's mail.
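The six commands above as an added example (not from the article): a function that creates the layout idempotently and a checker that reports any directory whose owner, group or mode has drifted from cyrus:mail 0750, which is worth running after package upgrades. PREFIX is an assumed optional root so the functions can be dry-run as an unprivileged user; with an empty prefix they touch the article's real paths and need root. It assumes GNU stat (-c) and paths without spaces.

```shell
#!/bin/sh
# Added example, not from the article: create and verify the Cyrus
# directory layout. Owner/group default to cyrus:mail as in the article.

cyrus_dirs() {
    # the directories that must be private to the IMAP server
    prefix=$1
    printf '%s\n' "$prefix/var/imap" "$prefix/var/spool/imap" "$prefix/var/imap/srvtab"
}

setup_cyrus_dirs() {
    # $1 = prefix (optional), $2 = owner (default cyrus), $3 = group (default mail)
    prefix=${1:-}; owner=${2:-cyrus}; group=${3:-mail}
    mkdir -p "$prefix/var/adm"
    touch "$prefix/var/adm/imapd.log" "$prefix/var/adm/auth.log"
    # auth.log records every login attempt; nobody but root needs to read it
    chmod 640 "$prefix/var/adm/auth.log"
    for d in $(cyrus_dirs "$prefix"); do
        mkdir -p "$d"
        chown "$owner:$group" "$d"
        chmod 750 "$d"
    done
}

check_cyrus_dirs() {
    # prints one line per problem; returns non-zero if anything is wrong
    prefix=${1:-}; owner=${2:-cyrus}; group=${3:-mail}
    want="$owner:$group:750"; bad=0
    for d in $(cyrus_dirs "$prefix"); do
        if [ ! -d "$d" ]; then
            echo "MISSING $d"; bad=1; continue
        fi
        have=$(stat -c '%U:%G:%a' "$d")
        if [ "$have" != "$want" ]; then
            echo "DRIFT $d has $have, want $want"; bad=1
        fi
    done
    return $bad
}
```

Usage on the real system: `setup_cyrus_dirs` as root, then `check_cyrus_dirs` whenever you want to confirm nothing has loosened the permissions; `check_cyrus_dirs /tmp/dryrun "$(id -un)" "$(id -gn)"` exercises it without root.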

From here on it is worth working as the cyrus user created earlier wherever possible, so there is less chance of mixing things up with other work (editing the configuration files below still needs root):

root@bhaskar-laptop_09:12:35_Sat Sep 18:/home/bhaskar # su cyrus

cyrus@bhaskar-laptop_09:12:39_Sat Sep 18:/home/bhaskar>


Now we put some entries into the syslog config so the logger knows where to send the messages. Cyrus imapd logs to the local6 facility by default and saslauthd logs to auth.

bhaskar@bhaskar-laptop_09:18:02_Sat Sep 18:/etc/syslog-ng> sudo vim syslog-ng.conf


The lines below are what I put in. They are in classic syslogd (syslog.conf) syntax; syslog-ng does not accept that format and needs the equivalent source/filter/destination/log statements:

local6.debug /var/adm/imapd.log
auth.debug /var/adm/auth.log
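The syslog-ng equivalent of those two syslogd lines, as an added example that is not part of the original article. The source name src is an assumption (it is what Gentoo's default syslog-ng.conf calls its source); replace it with whatever your own source statement is named.

```text
# Added example, not from the article: syslog-ng form of
#   local6.debug /var/adm/imapd.log
#   auth.debug   /var/adm/auth.log
# "src" is assumed to be the existing source statement in syslog-ng.conf.
destination d_imapd { file("/var/adm/imapd.log"); };
destination d_auth  { file("/var/adm/auth.log"); };

# ".debug" in syslogd syntax means every priority, so filter on facility only
filter f_imapd { facility(local6); };
filter f_auth  { facility(auth, authpriv); };

log { source(src); filter(f_imapd); destination(d_imapd); };
log { source(src); filter(f_auth);  destination(d_auth);  };
```

Check the file with `syslog-ng --syntax-only` before restarting the daemon, and keep /var/adm/auth.log readable by root only, since it records every login attempt.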


OK, one more thing to do before I jump into the cyrus part. We need to edit /etc/imapd.conf, because we are integrating with the Cyrus IMAP server.

bhaskar@bhaskar-laptop_09:22:38_Sat Sep 18:~> sudo vim /etc/imapd.conf

Once you are inside the file, add the lines below and save it:

configdirectory: /var/imap
partition-default: /var/spool/imap
sievedir: /var/imap/sieve

tls_ca_path: /etc/ssl/certs
tls_cert_file: /etc/ssl/cyrus/server.crt
tls_key_file: /etc/ssl/cyrus/server.key

# Don't use an everyday user as admin.
admins: cyrus

hashimapspool: yes
allowanonymouslogin: no
allowplaintext: no




So these are the entries I have put in, as I have an SSL certificate too. allowplaintext: no means the PLAIN and LOGIN mechanisms are only offered once TLS is up, and allowanonymouslogin: no refuses the ANONYMOUS mechanism. I use saslauthd to check passwords, and the entry in the file looks like this:

# Use saslauthd if you want to use pam for imap.
# But be warned: login with DIGEST-MD5 or CRAM-MD5
# is not possible using pam.
sasl_pwcheck_method: saslauthd

That warning matters together with allowplaintext: no. saslauthd can only verify the plaintext mechanisms (PLAIN and LOGIN), so with this configuration every client has to use STARTTLS or imaps before it can log in at all, which is exactly what we want.
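An added example (not from the article) that audits the security-relevant options from both imapd.conf fragments above: it flags plaintext logins being allowed, anonymous login, a missing TLS certificate and key, and the saslauthd plus CRAM-MD5/DIGEST-MD5 combination the comment warns about. It understands only the simple "name: value" syntax used here, and the yes/no/1/0/true/false/on/off spellings Cyrus accepts for booleans; it does not know the compiled-in defaults, so an unset allowplaintext is reported.

```shell
#!/bin/sh
# Added example, not from the article: audit an imapd.conf for the weak
# settings discussed above. Prints one line per finding and returns the
# number of findings, so it can be dropped into a deploy check.

imapd_conf_get() {
    # $1 = file, $2 = option; prints the last value set for it, or nothing
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | tail -n 1
}

imapd_bool() {
    # normalise a Cyrus boolean to yes/no; anything else (including unset) is "unset"
    case $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]') in
        1|y|yes|t|true|on)  echo yes ;;
        0|n|no|f|false|off) echo no ;;
        *)                  echo unset ;;
    esac
}

audit_imapd_conf() {
    f=$1; n=0
    if [ "$(imapd_bool "$(imapd_conf_get "$f" allowplaintext)")" != "no" ]; then
        echo "allowplaintext is not 'no': PLAIN/LOGIN accepted on cleartext sessions"
        n=$((n + 1))
    fi
    if [ "$(imapd_bool "$(imapd_conf_get "$f" allowanonymouslogin)")" = "yes" ]; then
        echo "allowanonymouslogin is on: the ANONYMOUS mechanism gives unauthenticated access"
        n=$((n + 1))
    fi
    if [ -z "$(imapd_conf_get "$f" tls_cert_file)" ] || [ -z "$(imapd_conf_get "$f" tls_key_file)" ]; then
        echo "no tls_cert_file/tls_key_file: STARTTLS unavailable, passwords cannot be protected"
        n=$((n + 1))
    fi
    # saslauthd only verifies PLAIN/LOGIN; advertising shared-secret mechanisms with it just fails
    mechs=$(imapd_conf_get "$f" sasl_mech_list | tr '[:lower:]' '[:upper:]')
    if [ "$(imapd_conf_get "$f" sasl_pwcheck_method)" = "saslauthd" ]; then
        case " $mechs " in
            *CRAM-MD5*|*DIGEST-MD5*)
                echo "sasl_mech_list advertises CRAM-MD5/DIGEST-MD5 but saslauthd cannot verify them"
                n=$((n + 1)) ;;
        esac
    fi
    return $n
}
```

Run `audit_imapd_conf /etc/imapd.conf` after every edit; a zero exit status means none of the four checks fired.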

Now we need to check /etc/services, which holds the port assignments for system services. We need to look in that file for the specific lines mentioned below. Note that 2000/tcp for sieve is the legacy port Cyrus used for years; IANA has since assigned 4190 to ManageSieve (RFC 5804), so check what your timsieved and your clients expect:

pop3 110/tcp
imap 143/tcp
imsp 406/tcp
kpop 1109/tcp
sieve 2000/tcp

POP3:

root@bhaskar-laptop_09:36:28_Sat Sep 18:/var/spool # grep pop3 /etc/services
pop3 110/tcp pop-3 # Post Office Protocol - Version 3
pop3 110/udp pop-3
pop3s 995/tcp # pop3 protocol over TLS/SSL
pop3s 995/udp


IMAP:

root@bhaskar-laptop_09:37:15_Sat Sep 18:/var/spool # grep imap /etc/services
imap 143/tcp imap2 # Internet Message Access Protocol
imap 143/udp imap2
imap3 220/tcp # Interactive Mail Access
imap3 220/udp
imaps 993/tcp # imap4 protocol over TLS/SSL
imaps 993/udp

IMSP:

root@bhaskar-laptop_09:37:22_Sat Sep 18:/var/spool # grep imsp /etc/services
imsp 406/tcp # Interactive Mail Support Protocol
imsp 406/udp

KPOP:

root@bhaskar-laptop_09:38:29_Sat Sep 18:/var/spool # grep kpop /etc/services
kpop 1109/tcp # Pop with Kerberos

SIEVE:

root@bhaskar-laptop_09:39:09_Sat Sep 18:/var/spool # grep sieve /etc/services
cisco-sccp 2000/tcp sieve # Cisco SCCP
cisco-sccp 2000/udp sieve


So things are in place. Cool! Looks good indeed. The classic way to start the daemons is through the superserver, inetd (or xinetd on newer systems, which uses its own per-service stanza format rather than the inetd.conf lines shown here). Cyrus 2.x normally uses neither: its own master process starts imapd and pop3d according to /etc/cyrus.conf, and the daemon paths depend on where your package installed them (the upstream default prefix is /usr/cyrus/bin; on Gentoo look under /usr/lib/cyrus). If you do go the inetd route, the entries look like this:



imap stream tcp nowait cyrus /usr/cyrus/bin/imapd imapd
pop3 stream tcp nowait cyrus /usr/cyrus/bin/pop3d pop3d
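For comparison, here is the cyrus.conf equivalent, as an added example that is not from the article. The cmd= names are resolved relative to the Cyrus binary directory chosen at build time, so no absolute path is needed, and the listen= names are looked up in /etc/services, which is why the port check above matters. The LMTP socket path is an assumption (the directory has to exist and be writable by cyrus) and is only needed if Postfix delivers over LMTP rather than through deliver.

```text
# Added example, not from the article: /etc/cyrus.conf for the Cyrus master
# process, replacing the inetd entries above. The socket path is assumed.
START {
  # recover the mailbox databases before any connection is accepted
  recover    cmd="ctl_cyrusdb -r"
}

SERVICES {
  imap       cmd="imapd"      listen="imap"  prefork=0
  imaps      cmd="imapd -s"   listen="imaps" prefork=0
  pop3       cmd="pop3d"      listen="pop3"  prefork=0
  pop3s      cmd="pop3d -s"   listen="pop3s" prefork=0
  sieve      cmd="timsieved"  listen="sieve" prefork=0
  # local delivery from Postfix over LMTP on a Unix socket (assumed path)
  lmtpunix   cmd="lmtpd"      listen="/var/imap/socket/lmtp" prefork=0
}

EVENTS {
  # checkpoint the databases every 30 minutes
  checkpoint cmd="ctl_cyrusdb -c" period=30
}
```

The -s variants are the SSL-wrapped services on 993 and 995; the plain imap and pop3 services still offer STARTTLS, which is what allowplaintext: no relies on.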



As I said before, we are integrating with Postfix, so check /etc/postfix/master.cf for the cyrus transport that runs as user cyrus:

root@bhaskar-laptop_09:58:51_Sat Sep 18:/etc # grep cyrus /etc/postfix/master.cf
cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}


So on my system it is in place, but if you don't have it set, please do so. Look closely at the output above, though: the line carrying user= and argv= is commented out, and a pipe transport is useless without it. Uncomment it, point argv at wherever deliver is actually installed on your system (the /cyrus/bin prefix in the stock comment is rarely right), and add cyrus_destination_recipient_limit=1 and mailbox_transport = cyrus to main.cf. The alternative that avoids a setuid deliver binary altogether is LMTP, with mailbox_transport = lmtp:unix:/var/imap/socket/lmtp and an lmtpunix service in cyrus.conf.

Now we need to give the cyrus administrator a SASL password for monitoring and administrative work. Here are the steps (saslpasswd2 normally needs -c to create a new entry). Be aware of which password store is in play: saslpasswd2 writes to /etc/sasldb2, which is only consulted when sasl_pwcheck_method is auxprop, or when saslauthd itself is started with -a sasldb. With the saslauthd/PAM setup above, the password that actually gets checked for cyrus is the Unix one set with passwd earlier.

root@bhaskar-laptop_10:12:00_Sat Sep 18:/etc # /usr/sbin/saslpasswd2 cyrus
Password:
Again (for verification):


Now it's time to test the server with authentication, so here we go:

cyrus@bhaskar-laptop_10:46:00_Sat Sep 18:/root> cyradm --auth login localhost
verify error:num=18:self signed certificate
IMAP Password:

The verify error shows that cyradm negotiated STARTTLS and did not trust my self-signed certificate; it carries on regardless. That TLS session is also why the plaintext LOGIN mechanism chosen with --auth login is accepted despite allowplaintext: no. For anything beyond a localhost test, install a certificate the client can verify instead of ignoring this warning.

bhaskar-laptop.localdomain> ?
authenticate, login, auth authenticate to server
chdir, cd change current directory
createmailbox, create, cm create mailbox
deleteaclmailbox, deleteacl, dam remove ACLs from mailbox
deletemailbox, delete, dm delete mailbox
disconnect, disc disconnect from current server
exit, quit exit cyradm
help, ? show commands
info display mailbox/server metadata
listacl, lam, listaclmailbox list ACLs on mailbox
listmailbox, lm list mailboxes
listquota, lq list quotas on specified root
listquotaroot, lqr, lqm show quota roots and quotas for mailbox
mboxcfg, mboxconfig configure mailbox
reconstruct reconstruct mailbox (if supported)
renamemailbox, rename, renm rename (and optionally relocate) mailbox
server, servername, connect show current server or connect to server
setaclmailbox, sam, setacl set ACLs on mailbox
setinfo set server metadata
setquota, sq set quota on mailbox or resource
subscribe, sub subscribe to a mailbox
unsubscribe, unsub unsubscribe from a mailbox
version, ver display version info of current server
xfermailbox, xfer transfer (relocate) a mailbox to a different server


Creating a mailbox for the specified user

bhaskar-laptop.localdomain> cm user.bhaskar
bhaskar-laptop.localdomain> lm
user.bhaskar (\HasNoChildren)

Here "lm" is the short form of listmailbox, as shown in the help output above.

Now you can do many things with the mail server, such as creating a user's mailbox or setting a quota on it, to name a few. Please look at the commands listed above to make use of them.

Hope this will help.

Cheers!
Bhaskar
