Cyrus + SASL2 + LDAP + automatic account creation

What I first thought would be several hours' work became two days' worth of work. Therefore I decided to explain some things here, so others can benefit from the time I spent.

First, let me explain what we want to achieve. The Cyrus Project has several daemons to distribute mail with. The nice thing about Cyrus in particular, in my opinion, is SIEVE, which filters mail on the server when it arrives. There are some other benefits, of course, but SIEVE was the primary reason for us to implement Cyrus at this customer site.

The first thing we noted was the steps that had to be taken to create new mailboxes. Apparently you have to create each mailbox by hand, and since we're implementing LDAP too, that would be nasty: we would have had to script it into phpLDAPAdmin, the programme we use to let the customer create the employee accounts themselves. Since Cyrus would need a password, we would either have to hardcode it in the phpLDAPAdmin template, which is most definitely insecure, or have the customer enter the password each and every time he added or deleted an account, which is a drag.

Luckily, there's a solution, created by the University of Athens. It's a patch that has Cyrus autocreate the mailbox on successful login, or when an email arrives for that user (a user that exists in our LDAP database, of course).

Alas, Debian Sarge doesn't include that patch in its distribution, so I had to work for about a day and a half to make my own packages to get this working. In the future I'll probably distribute them in an apt-able repository; for now you'll have to download them yourselves:

Now, I'm not a pro at building Debian packages, but these work on our system. If you want to build the packages yourself, run apt-get source cyrus21-imapd and apply this patch. It contains every change I made to the original package, including the changelog and everything. If you fix mistakes I made, be sure to send me your own patch :)

Also, to install the packages, make sure you don't have any other Cyrus package installed already. Do an apt-get remove on all of them and then install these new packages.

Now, for how to change your configuration so it'll work correctly:

SASL configuration

I'm not saying I completely understand the way this works, but I'll tell you the steps I took to make this work.

  1. After installing the packages, I edited /etc/pam.d/imap and added the following at the TOP of that file (after the normal comments):
    auth sufficient /lib/security/pam_ldap.so
    account sufficient /lib/security/pam_ldap.so
  2. Then I edited /etc/default/saslauthd and uncommented the line:
    #START=yes
    (remove the # in front of that line)
  3. Run: /etc/init.d/saslauthd start as root (we use sudo for that, use it too, saves you a lot of trouble).

Right, if all is well, we now have saslauthd running. Let's move on to IMAPd.

Cyrus IMAPd

Okay, this is some tricky stuff, because we're going to make things less safe. The best thing is to have IMAP eventually work only over an SSL-encrypted connection (imaps). The thing is, SASL can't use CRAM-MD5 or any other challenge-response mechanism when checking passwords against LDAP. That's because our LDAP setup stores the passwords as SSHA hashes, not in MD5. Those are (of course) incompatible: to verify a CRAM-MD5 response the server needs the password itself, and it can't get that back out of a salted SHA hash, so the server has no way of authenticating an MD5-based login. We'll have to use plaintext passwords, and that's why you want to use imaps instead of unencrypted imap: with PLAIN, the password crosses the network as-is unless the connection is encrypted. I'm not going to explain how to have Cyrus do imaps here; you'll have to figure that out on your own (lots of docs online, though).

These are the steps to take to have Cyrus IMAPd use the correct authentication method (i.e. SASL2 using the LDAP backend):

  1. Edit /etc/imapd.conf and change the following settings:
    sasl_mech_list: PLAIN
    sasl_pwcheck_method: saslauthd
  2. If you don't want to create every mailbox in Cyrus by hand, but want mailboxes created automatically when a user successfully authenticates, change or add the following lines in /etc/imapd.conf:
    autocreatequota: -1
    autocreateinboxfolders: Sent | Drafts | Trash | Spam
    The '-1' doesn't put a quota limit on the mailboxes that are created, but a non-zero value here is what enables autocreation.
  3. Restart Cyrus with /etc/init.d/cyrus21 restart as root.

Okay, that should be it.
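As an added example that is not part of the original post, here is a small Python audit that parses an imapd.conf in the 'key: value' format used above, reads back the settings from steps 1 and 2, and flags what offering PLAIN means when no TLS is configured. It assumes the Cyrus options allowplaintext and tls_cert_file, which the post does not discuss, and runs on a constructed sample config rather than a real server's file.

```python
"""Audit an imapd.conf for the settings this post changes.

Added example, not from the original post. Assumes the imapd.conf
'key: value' line format and the Cyrus options allowplaintext and
tls_cert_file (not discussed in the post) for the TLS check.
"""
from typing import Dict, List

# Constructed sample matching the post's configuration (not a real server's file).
SAMPLE_CONF = """\
# Cyrus IMAPd configuration (constructed sample)
configdirectory: /var/lib/cyrus
sasl_mech_list: PLAIN
sasl_pwcheck_method: saslauthd
autocreatequota: -1
autocreateinboxfolders: Sent | Drafts | Trash | Spam
"""


def parse_imapd_conf(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines; lines starting with '#' and blank lines are skipped."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip().lower()] = value.strip()
    return conf


def autocreate_folders(conf: Dict[str, str]) -> List[str]:
    """Split the '|'-separated autocreateinboxfolders value into folder names."""
    raw = conf.get("autocreateinboxfolders", "")
    return [f.strip() for f in raw.split("|") if f.strip()]


def audit(conf: Dict[str, str]) -> List[str]:
    """Return findings a defender would want to see before exposing this server."""
    findings: List[str] = []
    mechs = conf.get("sasl_mech_list", "").upper().split()
    # allowplaintext defaults to yes; only an explicit 'no' blocks cleartext logins.
    plaintext_allowed = conf.get("allowplaintext", "yes").lower() != "no"
    if "PLAIN" in mechs and plaintext_allowed and "tls_cert_file" not in conf:
        findings.append("PLAIN accepted and no TLS certificate configured: passwords cross the wire in cleartext")
    quota = int(conf.get("autocreatequota", "0"))
    if quota != 0:  # any non-zero value turns autocreation on; negative means no quota limit
        limit = "unlimited" if quota < 0 else f"{quota} KB"
        findings.append(f"autocreation enabled (quota {limit}) with folders {autocreate_folders(conf)}")
    return findings
```

Running audit() on the sample returns both findings; adding `allowplaintext: no` or a `tls_cert_file` line to the config clears the cleartext one.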

Test the setup

We're going to use imtest for that. Replace 'cvd' with a user that exists in LDAP and that you want to authenticate as.

imtest -a cvd localhost

You'll get a lot of text, ending in a prompt for your password. Give it to the server and it should respond with:

S: L01 OK User logged in Authenticated. Security strength factor: 0

You can leave with Ctrl+D. Check /var/spool/cyrus/mail to see whether the mailbox was created.

This should be it. Does it work for you? Leave a comment! Doesn't it work for you? Ask a question in the comments :) Either way, I like comments :)
