On Fri, 17 Jun 2005, Mark Brand wrote:
> I would like advice about how to do the following:
> -use PAM to check usernames and passwords
PAM is already set as the authentication mechanism on some of the Linux
based builds (lnp, ldb, lmd, lrh, lsu) and the oxp build in Mac OS X.
For other systems, add either:
PASSWDTYPE=pam
or, if you have the misfortune of using Solaris or other systems with a
defective PAM implementation:
PASSWDTYPE=pmb
to the make command line. For example:
make bsf PASSWDTYPE=pam
make soc PASSWDTYPE=pmb
Note that you have to set up imap and pop rules for PAM in /etc/pam.d. On
my system, I just copied /etc/pam.d/ftpd to /etc/pam.d/imap and
/etc/pam.d/pop. If you want to use some other database (e.g. LDAP) you
will need to modify these files.
Of course, you do have to have PAM installed on your system before you can
use it. PAM is not part of UW imapd; it is a separate and completely
independent package.
> -negotiate passwords securely
> -negotiate authentication without letting snoops steal passwords (Isn't
> this the same as the last point?)
> -avoid having to encrypt the whole session (imaps)
The first two are the same, and the answer contradicts the third.
That is, you either use SSL (connect on the imaps port) or use TLS
(connect on the imap port, and then negotiate STARTTLS).
By default, UW imapd is set up so that a client must do one or the other; it
is not permitted to do a password authentication unless SSL/TLS encryption
has been negotiated first. This is set by the default setting of SSLTYPE
as:
SSLTYPE=nopwd
The non-default setting:
SSLTYPE=unix
builds with SSL/TLS support, but allows passwords without encryption
(which is, of course, unsafe). The non-default setting:
SSLTYPE=none
builds without SSL/TLS support.
> Cyrus SASL with SSL/TLS is widely used for client authentication by
> postfix. I think I'm looking for how to do this with imapd.
Hopefully, you're realizing that the equivalent is essentially already
done for you; the capabilities already exist in UW imapd. It may, in
fact, be done and installed on your system without you knowing it, since
you would have had to build UW imapd in a non-standard way to prevent it
from happening.
-- Mark --
http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
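An added example (not part of the thread above) that scripts the /etc/pam.d step the reply describes: copy the ftpd rule file to imap and pop, then verify that both service files carry auth and account rules before building with PASSWDTYPE=pam. It works in a scratch directory seeded with a constructed ftpd file so it can be run without touching the real /etc/pam.d; the sample rule lines and the check function are assumptions of this example, not UW imapd's own.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: stage PAM service files
# for UW imapd's "imap" and "pop" services by copying the ftpd rules, then
# check them. Uses a scratch directory, never /etc/pam.d.

# Write a constructed sample ftpd rule file (typical Linux layout) if absent.
seed_sample_ftpd() {
    dir="$1"
    [ -f "$dir/ftpd" ] && return 0
    cat > "$dir/ftpd" <<'EOF'
# constructed sample, modelled on a typical Linux pam.d service file
auth     required   pam_unix.so
account  required   pam_unix.so
session  required   pam_unix.so
EOF
}

# Copy the template to a service name if no rule file exists yet; never
# overwrite an existing file, since an admin may already have custom rules.
install_pam_service() {
    dir="$1"; svc="$2"; template="$3"
    if [ -f "$dir/$svc" ]; then
        echo "$svc: already present, leaving as is"
    else
        cp "$dir/$template" "$dir/$svc"
        echo "$svc: created from $template"
    fi
}

# A service file is usable only if it has both an auth and an account rule
# (assumption of this example: a missing account rule would skip expiry
# and access checks). Returns 0 if usable, 1 otherwise.
pam_service_ok() {
    f="$1/$2"
    [ -f "$f" ] || return 1
    grep -Eq '^[[:space:]]*auth[[:space:]]' "$f" || return 1
    grep -Eq '^[[:space:]]*account[[:space:]]' "$f" || return 1
    return 0
}

# Report whether both UW imapd services are ready: prints "ok" or
# "missing: <services>".
check_uw_pam() {
    dir="$1"; missing=""
    for svc in imap pop; do
        pam_service_ok "$dir" "$svc" || missing="$missing $svc"
    done
    if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

main() {
    scratch=$(mktemp -d)
    seed_sample_ftpd "$scratch"
    echo "before: $(check_uw_pam "$scratch")"
    install_pam_service "$scratch" imap ftpd
    install_pam_service "$scratch" pop  ftpd
    echo "after:  $(check_uw_pam "$scratch")"
    echo "now build with: make lnp PASSWDTYPE=pam"
}

main
```

To use it against a real system, point the functions at /etc/pam.d (with an ftpd file already present) and skip seed_sample_ftpd; the check is the part worth keeping, since a PAM service file that exists but lacks rules is easy to miss until logins fail.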
_______________________________________________
Imap-uw mailing list
Imap-uw@u.washington.edu
https://mailman1.u.washington.edu/mailman/listinfo/imap-uw