[plug] [OT] Local-user IMAP

Craig Ringer craig at postnewspapers.com.au
Wed Sep 1 13:19:48 WST 2004


On Wed, 2004-09-01 at 08:28, Marc Wiriadisastra wrote:
> Our mail imap server is now dovecot.  It wasn't that hard to setup but I 
> believe it uses the current users on the system to authenticate.  e.g. 
> the passwd file whereas cyrus can be set up to run like a hotmail or 
> webmail but separate to the users on the system.

Yep.

> I'm not 100% with your 
> question but since cyrus was /too/ hard to setup

Yeah, SASL is ... interesting. It does the job well, but it's very much
nuking a fly territory when all you want to do is get Cyrus to use PAM
to authenticate valid local users. Frankly, it's not actually very
difficult once you understand how it works and fits together. With some
simple documentation on common SASL configurations, it'd be trivial to
get it all going.

I've been telling myself for a while that I need to write something like
that up for the Cyrus wiki. I'll get on to that this week I think.

Quick and dirty setup guide for getting Cyrus to authenticate against
PAM:

----------------
/etc/imapd.conf:
----------------
allowplaintext: yes
sasl_mech_list: PLAIN
sasl_pwcheck_method: saslauthd
# If you want to permit unencrypted connections to use
# PLAIN then set this, too:
sasl_minimum_layer: 0

----------------
/etc/pam.d/imap:
----------------
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth

----------------
Repeat for /etc/pam.d/pop if used.

Now run saslauthd as:

	saslauthd -a pam

and you should be able to log in with any valid PAM user. If you run
into problems with saslauthd processes growing indefinitely, run
saslauthd as:

	saslauthd -a pam -n 0

because one or more of your PAM modules is leaking like a sieve so
saslauthd must not hang around for multiple connections. This is a known
problem in at least pam_mysql.


Once you have authentication set up, just create your mailboxes (note:
there is a cyrus autocreate mailbox patch around somewhere) and set your
MTA up to deliver to Cyrus.

>  and dovecot suited what 
> we needed we installed that.   The only complaint as such of dovecot is 
> the amount that it spits out into logs.

You should be able to control that with either directives in the dovecot
configuration or using syslogd.conf. Generally logging at 'info' is
sensible on a production server that's not too large.

--
Craig Ringer
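The imapd.conf fragment in the guide deliberately enables PLAIN on unencrypted connections (allowplaintext: yes together with sasl_minimum_layer: 0), which means user passwords cross the wire in the clear unless the client happens to use STARTTLS. The following checker is an added example, not code from the post or from the Cyrus project: it parses an imapd.conf-style fragment and reports that combination, with the post's own settings beside a constructed hardened variant. It assumes the Cyrus default of sasl_minimum_layer 0 when the key is absent, treats the TLS file paths as placeholders, and does not try to model every Cyrus version's default for allowplaintext (it simply reports when the key is unset).

```python
"""Lint a Cyrus imapd.conf fragment for cleartext SASL authentication.

Added example; not part of the original post or of Cyrus IMAP itself.
"""
from __future__ import annotations

# The settings from the post above: PLAIN is accepted before any encryption.
WEAK_CONF = """\
allowplaintext: yes
sasl_mech_list: PLAIN
sasl_pwcheck_method: saslauthd
# If you want to permit unencrypted connections to use
# PLAIN then set this, too:
sasl_minimum_layer: 0
"""

# Constructed hardened variant: PLAIN still works for saslauthd/PAM users,
# but Cyrus only offers it once STARTTLS has been negotiated.
# The certificate paths are placeholders.
HARDENED_CONF = """\
allowplaintext: no
sasl_mech_list: PLAIN
sasl_pwcheck_method: saslauthd
sasl_minimum_layer: 0
tls_cert_file: /etc/ssl/certs/imap-placeholder.pem
tls_key_file: /etc/ssl/private/imap-placeholder.key
"""


def parse_imapd_conf(text: str) -> dict[str, str]:
    """Parse 'key: value' lines; lines starting with '#' and blank lines are skipped."""
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip().lower()] = value.strip()
    return conf


def is_yes(value: str) -> bool:
    """Cyrus-style boolean: yes/no, on/off, true/false, t/f, 1/0."""
    return value.strip().lower() in {"yes", "on", "true", "t", "1"}


def audit_plain_auth(conf: dict[str, str]) -> list[str]:
    """Return finding codes for a parsed imapd.conf.

    cleartext-auth        PLAIN/LOGIN usable before any encryption is negotiated
    allowplaintext-unset  key missing; the default differs between Cyrus releases
    no-tls                no tls_cert_file, so STARTTLS cannot be offered at all
    """
    findings: list[str] = []
    mechs = {m.upper() for m in conf.get("sasl_mech_list", "").split()}
    if mechs & {"PLAIN", "LOGIN"}:
        allow = conf.get("allowplaintext")
        # Assumption: Cyrus defaults sasl_minimum_layer to 0 when unset.
        min_layer = int(conf.get("sasl_minimum_layer", "0"))
        if allow is None:
            findings.append("allowplaintext-unset")
        elif is_yes(allow) and min_layer == 0:
            # Both knobs together are what lets a cleartext mechanism run
            # on a plain TCP connection, exactly as the guide describes.
            findings.append("cleartext-auth")
    if not conf.get("tls_cert_file"):
        findings.append("no-tls")
    return findings


if __name__ == "__main__":
    for name, text in (("post's config", WEAK_CONF), ("hardened config", HARDENED_CONF)):
        print(f"{name}: {audit_plain_auth(parse_imapd_conf(text)) or 'no findings'}")
```

Run it against a real /etc/imapd.conf by reading the file into parse_imapd_conf; a "cleartext-auth" finding on a server reachable from untrusted networks is the one to act on first, since every PAM password used for IMAP is then also exposed to anyone who can sniff the segment.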
