493: Undecipherable

Cyrus and Exim4 authentication using Kerberos via GSSAPI

Dennis Guse

Today I used my spare time to set up the SMTP and IMAP servers of g00se.org to use GSSAPI for authentication. The necessary cyrus-sasl libraries were already installed, so I really don’t know exactly which ones are required. I suppose the cyrus-sasl GSSAPI library should meet all requirements. I needed to install exim4-daemon-heavy instead of the light one. The heavy one supports authentication using the cyrus-sasl library. I created the principals imap/g00se.org and smtp/g00se.org and put them into the default keytab.

Then I modified the configuration files of both services so that they offer GSSAPI as an alternative authentication mechanism:

(cyrus): imapd.conf:

 sasl_mech_list: PLAIN GSSAPI

and

(exim4): /etc/exim4/conf.d/auth/01_exim4-config_gssapi

 gssapi_server:
   driver = cyrus_sasl
   public_name = GSSAPI
   server_mech = gssapi
   server_hostname = g00se.org
   #server_realm = G00SE.ORG
   server_set_id = $auth1
   # Advertise GSSAPI only on TLS connections, unless
   # AUTH_SERVER_ALLOW_NOTLS_PASSWORDS is defined.
   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
   .endif

Thanks to Sean for a short and easy description.

PS: Exim4 uses Debian's split configuration file option here. So you can put the lines anywhere in the authentication section.
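
To check the result of the configuration above, the following added example (not part of the original post) parses an SMTP EHLO reply and `klist -k` output: GSSAPI should be advertised only after STARTTLS, and both service principals should be in the keytab. The EHLO replies, the keytab listing and the host name mail.example.test are constructed samples; the realm G00SE.ORG is taken from the commented-out server_realm line.

```shell
#!/bin/sh
# Added example: offline checks for the GSSAPI setup described in this post.

# Print the SASL mechanisms from the AUTH line of an EHLO reply on stdin.
auth_mechs() {
    tr -d '\r' | sed -n 's/^250[- ]AUTH[ =]//p' | tr ' ' '\n' | sed '/^$/d'
}

# $1 = EHLO reply before STARTTLS, $2 = EHLO reply after STARTTLS.
# With server_advertise_condition set as above (and without
# AUTH_SERVER_ALLOW_NOTLS_PASSWORDS), GSSAPI must appear only in $2.
check_advertise() {
    if printf '%s\n' "$1" | auth_mechs | grep -qx GSSAPI; then
        echo "GSSAPI advertised without TLS"; return 1
    fi
    if ! printf '%s\n' "$2" | auth_mechs | grep -qx GSSAPI; then
        echo "GSSAPI not advertised after STARTTLS"; return 1
    fi
    echo "ok"
}

# Read `klist -k` output on stdin; print each expected principal (args)
# that has no entry in the keytab, ignoring the realm suffix.
missing_principals() {
    listing=$(cat)
    for p in "$@"; do
        printf '%s\n' "$listing" |
            awk -v p="$p" '{ sub(/@.*/, "", $2) } $2 == p { found = 1 }
                           END { exit !found }' || echo "$p"
    done
}

# Constructed sample inputs (not captured from a real server).
PRE_TLS='250-mail.example.test Hello client
250-SIZE 52428800
250-STARTTLS
250 HELP'
POST_TLS='250-mail.example.test Hello client
250-SIZE 52428800
250-AUTH PLAIN GSSAPI
250 HELP'
KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------
   3 imap/g00se.org@G00SE.ORG'

check_advertise "$PRE_TLS" "$POST_TLS"
printf '%s\n' "$KEYTAB" | missing_principals imap/g00se.org smtp/g00se.org
```

On the server itself, `klist -k | missing_principals imap/g00se.org smtp/g00se.org` runs the keytab check against the default keytab.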