493: Undecipherable

Cyrus and Exim4 authentication using Kerberos via GSSAPI

Dennis Guse

Today I used my spare time to let the SMTP and the IMAP server of g00se.org use GSSAPI for authentication. The necessary cyrus-sasl libraries were already installed, so I really don't know exactly which ones are required. I suppose the cyrus-sasl gssapi library should meet all requirements. I needed to install exim4-daemon-heavy instead of the light one. The heavy one supports authentication using the cyrus-sasl library. I created the principals imap/g00se.org and smtp/g00se.org and put them into the default keytab.

I also modified the configuration files of both services to let them propose GSSAPI as an alternate authentication mechanism:

(cyrus): imapd.conf:

```
sasl_mech_list: PLAIN GSSAPI
```

and

(exim4): /etc/exim4/conf.d/auth/01exim4-configgssapi

```
gssapi_server:
  driver = cyrus_sasl
  public_name = GSSAPI
  server_mech = gssapi
  server_hostname = g00se.org
  #server_realm = G00SE.ORG
  server_set_id = $auth1
  # Advertise this mechanism only when the session is TLS-protected
  # ($tls_cipher is non-empty), unless the macro below is defined.
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif
```

Thanks to Sean for a short and easy description.

PS: Exim4 uses the split configuration file option of Debian, so you can put the lines anywhere in the authentication section.
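To confirm from the client side that the configuration above behaves as intended (Exim offers GSSAPI only once TLS is active, and Cyrus offers exactly what `sasl_mech_list` names), the servers' capability replies can be parsed and compared. This is an added example, not code from the original post; the function names and the sample replies are constructed for illustration.

```python
import re

# Constructed sample replies (not captured from g00se.org); host names are placeholders.
EHLO_CLEARTEXT = ("250-mail.example.org Hello client.example.org\r\n"
                  "250-SIZE 52428800\r\n250-STARTTLS\r\n250 HELP\r\n")
EHLO_TLS = ("250-mail.example.org Hello client.example.org\r\n"
            "250-SIZE 52428800\r\n250-AUTH PLAIN GSSAPI\r\n250 HELP\r\n")
IMAP_CAPABILITY = "* CAPABILITY IMAP4rev1 LITERAL+ STARTTLS AUTH=PLAIN AUTH=GSSAPI SASL-IR\r\n"


def smtp_auth_mechs(ehlo_reply):
    """SASL mechanisms listed on the AUTH line(s) of an EHLO reply."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)$", line, re.IGNORECASE)
        if m:
            mechs.update(tok.upper() for tok in m.group(1).split())
    return mechs


def imap_auth_mechs(capability_line):
    """SASL mechanisms from the AUTH= items of an IMAP CAPABILITY response."""
    return {tok[5:].upper() for tok in capability_line.split()
            if tok.upper().startswith("AUTH=")}


def audit_smtp(cleartext_reply, tls_reply, expected=("GSSAPI",)):
    """Findings if AUTH leaks before STARTTLS or an expected mechanism is absent after it."""
    findings = []
    leaked = smtp_auth_mechs(cleartext_reply)
    if leaked:
        findings.append("advertised without TLS: " + ",".join(sorted(leaked)))
    missing = set(expected) - smtp_auth_mechs(tls_reply)
    if missing:
        findings.append("missing under TLS: " + ",".join(sorted(missing)))
    return findings


def audit_imap(capability_line, sasl_mech_list="PLAIN GSSAPI"):
    """Mechanisms that differ between what imapd offers and the configured sasl_mech_list."""
    offered, configured = imap_auth_mechs(capability_line), set(sasl_mech_list.split())
    return sorted(offered ^ configured)


if __name__ == "__main__":
    print(audit_smtp(EHLO_CLEARTEXT, EHLO_TLS))
    print(audit_imap(IMAP_CAPABILITY))
```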