On Fri, 27 May 2005, carole gimenez wrote:
Hi all,
I use cyrus-imapd-2.2.10, cyrus-sasl-2.1.20 and openldap-2.2.18.
I authenticate users against our LDAP server. For that, I use the saslauthd
daemon with the PLAIN mechanism.
Is the user password encrypted, or does it pass in cleartext between the
cyrus-imap server and the LDAP server?
It is passed in clear text when you use the PLAIN mech.
Mail client (imaps) <==> cyrus-imap server <=> cyrus-sasl server <=> ldap server
You transport protect the password from the mail client to the cyrus-imap
server. Things are not protected between saslauthd and the ldap server.
(You are OK if both saslauthd and ldap server are on the same host
although some consider this type of setup a potential security
vulnerability)
Can somebody clarify this for me and explain the mechanism?
Please read the Cyrus documentation: $cyrus-(imapd|sasl)-src/doc
-Igor
Thanks in advance.
Here are the different configuration files of cyrus-imap and cyrus-sasl:
* /usr/lib/sasl2/Cyrus.conf
pwcheck_method: saslauthd
mech_list: plain
* /etc/saslauthd.conf
ldap_servers: ldap://127.0.0.1/ ldap://xxxxx:389/
ldap_auth_method: custom
ldap_bind_dn: uid=cyrus,ou=appli,dc=ups-tlse,dc=fr
ldap_password: xxxxxx
ldap_search_base: dc=ups-tlse,dc=fr
#ldap_filter: cn=%u
* /etc/cyrus.conf
# standard standalone server implementation
START {
# do not delete this entry!
recover cmd="/usr/local/cyrus_imapd/cyrus/bin/ctl_cyrusdb -r"
# this is only necessary if using idled for IMAP IDLE
# idled cmd="idled"
# this is useful on backend nodes of a Murder cluster
# it causes the backend to synchronize its mailbox list with
# the mupdate master upon startup
# mupdatepush cmd="/usr/local/cyrus_imapd/cyrus/bin/ctl_mboxlist -m"
# this is recommended if using duplicate delivery suppression
delprune cmd="/usr/local/cyrus_imapd/cyrus/bin/ctl_deliver -E 3"
# this is recommended if caching TLS sessions
tlsprune cmd="/usr/local/cyrus_imapd/cyrus/bin/tls_prune"
}
# UNIX sockets start with a slash and are put into /var/imap/socket
# you can use a maxchild=# to limit the maximum number of forks of a service
# you can use babysit=true and maxforkrate=# to keep tight tabs on the service
# most services also accept -U (limit number of reuses) and -T (timeout)
SERVICES {
# add or remove based on preferences
#imap cmd="imapd" listen="imap" prefork=0
imaplocal cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:imap" prefork=0
imaps cmd="imapd -s -U 30" listen="130.120.74.17:imaps" prefork=0 maxchild=100
# pop3 cmd="pop3d" listen="pop3" prefork=0
# pop3s cmd="pop3d -s" listen="pop3s" prefork=0
sieve cmd="timsieved" listen="sieve" prefork=0
# these are only necessary if receiving/exporting usenet via NNTP
# nntp cmd="nntpd" listen="nntp" prefork=0
# nntps cmd="nntpd -s" listen="nntps" prefork=0
# at least one LMTP is required for delivery
# lmtp cmd="lmtpd" listen="lmtp" prefork=0
lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0 maxchild=20
# this is only necessary if using notifications
notify cmd="notifyd" listen="/var/imap/socket/notify" proto="udp" prefork=1
}
EVENTS {
# this is required
checkpoint cmd="/usr/local/cyrus_imapd/cyrus/bin/ctl_cyrusdb -c" period=30
# this is only necessary if using duplicate delivery suppression,
# Sieve or NNTP
# delprune cmd="cyr_expire -E 3" at=0400
delprune cmd="/usr/local/cyrus_imapd/cyrus/bin/ctl_deliver -E 3" at=0401
# this is only necessary if caching TLS sessions
tlsprune cmd="/usr/local/cyrus_imapd/cyrus/bin/tls_prune" at=0401
squatter cmd="/usr/local/cyrus_imapd/cyrus/bin/squatter -r user.%" at=0401
}
* /etc/imapd-local.conf (for cyrus account administration)
configdirectory: /var/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
maxmessagesize: 5000000
#allowplaintext: 0
sasl_pwcheck_method: saslauthd
sasl_option: 1
sasl_mech_list: plain
sasl_auto_transition: 1
servername: pc-systeme.cict.fr
lmtp_downcase_rcpt: 1
mailnotifier: log
* /etc/imapd.conf
configdirectory: /var/imap
partition-default: /var/spool/imap
#admins: cyrus
sievedir: /var/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
maxmessagesize: 5000000
sasl_pwcheck_method: saslauthd
sasl_option: 1
sasl_mech_list: plain
sasl_auto_transition: 1
servername: pc-systeme.cict.fr
lmtp_downcase_rcpt: 1
mailnotifier: log
tls_ca_file: /usr/share/ssl/mon_AC/private/mon_AC.crt
tls_cert_file: /usr/share/ssl/mon_AC/certs/server_signed.pem
tls_key_file: /usr/share/ssl/mon_AC/private/server_tls.pem
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
--
Igor
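As an added example, not part of the original thread and not code from the Cyrus project: the Python script below takes a saslauthd.conf, walks its ldap_servers list and reports, for each LDAP hop, whether the saslauthd-to-LDAP leg of the path Igor describes is protected (ldaps://, or ldap:// with StartTLS), merely local (loopback or an ldapi:// socket), or cleartext on the wire. It also decodes a SASL PLAIN token to show that PLAIN is base64 encoding of authzid/authcid/password, not encryption, which is why the legs that are not transport-protected expose the password. The option names ldap_start_tls, ldap_tls_check_peer and ldap_tls_cacert_file are those documented in cyrus-sasl's saslauthd/LDAP_SASLAUTHD file; the "hardened" config, its CA file path, and the credentials in the sample token are constructed for this example.

```python
"""Audit which hops of the cyrus-imap -> saslauthd -> LDAP path carry the
user's password unprotected, based on the ldap_* options in saslauthd.conf.

Added example for this thread; the sample configs below are constructed.
"""
import base64
from urllib.parse import urlsplit

# Constructed: the poster's saslauthd.conf, with the same redactions as the post.
POSTED_CONF = """\
ldap_servers: ldap://127.0.0.1/ ldap://xxxxx:389/
ldap_auth_method: custom
ldap_bind_dn: uid=cyrus,ou=appli,dc=ups-tlse,dc=fr
ldap_password: xxxxxx
ldap_search_base: dc=ups-tlse,dc=fr
#ldap_filter: cn=%u
"""

# Constructed: the same config with the remote hop protected by StartTLS and
# peer verification (ldap_start_tls / ldap_tls_check_peer / ldap_tls_cacert_file
# are documented saslauthd options; the CA path is an assumption).
HARDENED_CONF = """\
ldap_servers: ldap://127.0.0.1/ ldap://xxxxx:389/
ldap_start_tls: yes
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /etc/ssl/certs/site-ca.pem
ldap_auth_method: custom
ldap_bind_dn: uid=cyrus,ou=appli,dc=ups-tlse,dc=fr
ldap_password: xxxxxx
ldap_search_base: dc=ups-tlse,dc=fr
"""

TRUE_VALUES = ("yes", "1", "true", "on")


def parse_saslauthd_conf(text):
    """saslauthd.conf is one 'key: value' per line; '#' starts a comment."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        opts[key.strip().lower()] = value.strip()
    return opts


def _is_loopback(host):
    # An empty host means the LDAP library default (localhost).
    return host in ("", "localhost", "::1") or host.startswith("127.")


def classify_ldap_hop(uri, opts):
    """Return (uri, verdict) for one entry of ldap_servers."""
    u = urlsplit(uri)
    host = u.hostname or ""
    start_tls = opts.get("ldap_start_tls", "no").lower() in TRUE_VALUES
    check_peer = opts.get("ldap_tls_check_peer", "no").lower() in TRUE_VALUES
    if u.scheme == "ldapi":
        return uri, "local-socket"
    if u.scheme == "ldaps":
        return uri, "tls" if check_peer else "tls-unverified-peer"
    if u.scheme == "ldap":
        if start_tls:
            return uri, "starttls" if check_peer else "starttls-unverified-peer"
        return uri, "cleartext-local" if _is_loopback(host) else "CLEARTEXT-ON-WIRE"
    return uri, "unknown-scheme"


def audit(text):
    """Classify every server in ldap_servers (saslauthd default: ldap://localhost/)."""
    opts = parse_saslauthd_conf(text)
    servers = opts.get("ldap_servers", "ldap://localhost/").split()
    return [classify_ldap_hop(s, opts) for s in servers]


def decode_sasl_plain(token_b64):
    """SASL PLAIN (RFC 4616) is base64 of authzid NUL authcid NUL password:
    anyone who sees the token on an unprotected leg has the password."""
    authzid, authcid, passwd = base64.b64decode(token_b64).split(b"\0")
    return authzid.decode(), authcid.decode(), passwd.decode()


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("hardened", HARDENED_CONF)):
        print(label)
        for uri, verdict in audit(conf):
            print("   ", uri, "->", verdict)
    # Constructed token, as a client would send it after AUTHENTICATE PLAIN.
    print(decode_sasl_plain(base64.b64encode(b"\0carole\0s3cret").decode()))
```

Running it against the posted config flags the second server (ldap://xxxxx:389/) as cleartext on the wire while the loopback entry is only locally exposed, which is the distinction Igor draws; the hardened variant turns both into verified StartTLS hops. ldap_tls_check_peer matters: StartTLS without peer verification defeats passive sniffing but not an attacker who can impersonate the LDAP server. The saslauthd LDAP documentation also says not to combine ldap_start_tls with ldaps: URIs, so pick one of the two.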