Cyrus and Exim4 authentication using Kerberos via GSSAPI

Dennis Guse

Today I used my spare time to let the SMTP and IMAP servers of g00se.org use GSSAPI for authentication. The necessary cyrus-sasl libraries were already installed, so I really don't know exactly which ones are required. I suppose the cyrus-sasl gssapi library should meet all requirements. I needed to install exim4-daemon-heavy instead of the light one. The heavy one supports authentication using the cyrus-sasl library. I created the principals imap/g00se.org and smtp/g00se.org and put them into the default keytab.

I then modified the configuration files of both services to let them offer GSSAPI as an alternative authentication mechanism:

(cyrus): imapd.conf:

sasl_mech_list: PLAIN GSSAPI


(exim4): /etc/exim4/conf.d/auth/01exim4-configgssapi

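gssapi_server:
  driver = cyrus_sasl
  public_name = GSSAPI
  server_mech = gssapi
  server_hostname = g00se.org
  #server_realm = G00SE.ORG
  server_set_id = $auth1
  # Numbered line 8 is missing from the page; the unmatched .endif implies a
  # guard like the one in Debian's stock authenticators (assumption):
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  # Advertise GSSAPI only when the connection is protected by TLS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif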
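The effect of both settings can be checked from what each server advertises. The following is an added example, not part of the original post: it parses an SMTP EHLO reply before and after STARTTLS and an IMAP CAPABILITY line. The sample replies, the host name mail.example.org and all function names are constructed for illustration.

```python
import re

# Constructed sample replies (not captured from g00se.org).
EHLO_NO_TLS = "250-mail.example.org Hello client\n250-SIZE 52428800\n250-STARTTLS\n250 HELP"
EHLO_TLS = "250-mail.example.org Hello client\n250-SIZE 52428800\n250-AUTH GSSAPI\n250 HELP"
IMAP_CAPS = "* CAPABILITY IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN AUTH=GSSAPI SASL-IR"

def smtp_auth_mechs(ehlo):
    """Return the SASL mechanisms listed on the AUTH line(s) of an EHLO reply."""
    mechs = set()
    for line in ehlo.splitlines():
        # Accept "250-AUTH A B", "250 AUTH A B" and the legacy "250-AUTH=A B".
        m = re.match(r"250[- ]AUTH[ =](.+)", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(tok.upper() for tok in m.group(1).split())
    return mechs

def imap_auth_mechs(capability):
    """Return the SASL mechanisms from the AUTH=... tokens of a CAPABILITY line."""
    return {tok[5:].upper() for tok in capability.split()
            if tok.upper().startswith("AUTH=")}

def check_smtp(ehlo_no_tls, ehlo_tls):
    """server_advertise_condition should hide GSSAPI until TLS is active."""
    problems = []
    if "GSSAPI" in smtp_auth_mechs(ehlo_no_tls):
        problems.append("GSSAPI advertised without TLS")
    if "GSSAPI" not in smtp_auth_mechs(ehlo_tls):
        problems.append("GSSAPI not advertised after STARTTLS")
    return problems

def check_imap(capability, configured=("PLAIN", "GSSAPI")):
    """Advertised mechanisms should include GSSAPI and stay within sasl_mech_list."""
    problems = []
    advertised = imap_auth_mechs(capability)
    if "GSSAPI" not in advertised:
        problems.append("GSSAPI not advertised")
    extra = sorted(advertised - set(configured))
    if extra:
        problems.append("not in sasl_mech_list: " + ", ".join(extra))
    return problems

if __name__ == "__main__":
    print("SMTP:", check_smtp(EHLO_NO_TLS, EHLO_TLS) or "ok")
    print("IMAP:", check_imap(IMAP_CAPS) or "ok")
```
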

Thanks to Sean for a short and easy description.

PS: Exim4 uses Debian's split configuration file option, so you can put the lines anywhere in the authentication section.