Cyrus and Exim4 authentication using Kerberos via GSSAPI
Dennis Guse

Today I used my spare time to let the SMTP and the IMAP server of g00se.org use GSSAPI for authentication. The necessary cyrus-sasl libraries were already installed, so I really don't know exactly which are required. I suppose the cyrus-sasl GSSAPI library should meet all requirements. I needed to install exim4-daemon-heavy instead of the light one. The heavy one supports authentication using the cyrus-sasl library. I created the principals imap/g00se.org and smtp/g00se.org and put them into the default keytab.
I then modified the configuration files of both services to let them offer GSSAPI as an alternate authentication mechanism:
(cyrus): imapd.conf:

    sasl_mech_list: PLAIN GSSAPI

and

(exim4): /etc/exim4/conf.d/auth/01exim4-configgssapi

    gssapi_server:
      driver = cyrus_sasl
      public_name = GSSAPI
      server_mech = gssapi
      server_hostname = g00se.org
      #server_realm = G00SE.ORG
      server_set_id = $auth1
      .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
      server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
      .endif

Thanks to Sean for a short and easy description.
PS: Exim4 uses the split configuration file option of Debian, so you can put the lines anywhere in the authentication section.
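
Unless AUTH_SERVER_ALLOW_NOTLS_PASSWORDS is defined, the server_advertise_condition line in the Exim stanza above offers GSSAPI only when $tls_cipher is non-empty, that is, after STARTTLS. The following Python script is an added example, not part of the original post: it checks that behaviour from the client side by comparing the EHLO replies before and after STARTTLS. The sample replies and the host name mail.example.org are constructed.

```python
import re
import smtplib
import ssl

# Constructed sample EHLO replies (hypothetical host, not captured from a real server).
EHLO_PLAINTEXT = "250-mail.example.org Hello client\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 HELP\r\n"
EHLO_AFTER_TLS = "250-mail.example.org Hello client\r\n250-PIPELINING\r\n250-AUTH GSSAPI\r\n250 HELP\r\n"

# Matches an AUTH capability line, with or without the leading "250-" / "250 " code.
AUTH_LINE = re.compile(r"^(?:250[- ])?AUTH[ =](.*)$", re.IGNORECASE)

def auth_mechanisms(ehlo_reply):
    """Return the set of SASL mechanisms named on the AUTH line(s) of an EHLO reply."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        match = AUTH_LINE.match(line.strip())
        if match:
            mechs.update(token.upper() for token in match.group(1).split())
    return mechs

def check_advertising(plaintext_reply, tls_reply, mech="GSSAPI"):
    """Return findings; an empty list means the mechanism is offered only under TLS."""
    before = auth_mechanisms(plaintext_reply)
    after = auth_mechanisms(tls_reply)
    findings = []
    if mech in before:
        findings.append(f"{mech} advertised before STARTTLS")
    if mech not in after:
        findings.append(f"{mech} not advertised after STARTTLS")
    cleartext_passwords = sorted(before & {"PLAIN", "LOGIN"})
    if cleartext_passwords:
        findings.append("password mechanisms offered without TLS: " + ", ".join(cleartext_passwords))
    return findings

def fetch_replies(host, port=25):
    """Collect the EHLO reply before and after STARTTLS from a live server."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        # smtplib returns the reply text with the "250" codes already stripped.
        before = smtp.ehlo()[1].decode(errors="replace")
        smtp.starttls(context=ssl.create_default_context())
        after = smtp.ehlo()[1].decode(errors="replace")
    return before, after

if __name__ == "__main__":
    print(check_advertising(EHLO_PLAINTEXT, EHLO_AFTER_TLS) or "advertising matches the TLS-only policy")
```

To run it against your own server, pass the two strings returned by fetch_replies("your.mail.host") to check_advertising.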