From: Dennis Davis (no email)
Date: Thu Jul 06 2006 - 07:58:02 EDT
On Thu, 6 Jul 2006, Phil Pennock wrote:
> From: Phil Pennock <>
> To:
> Date: Thu, 6 Jul 2006 02:02:01 +0200
> Subject: Mapping users (either KerberosV or TLS certs)
...
Can't answer any of your questions, which I've deleted. Although
I'm using Cyrus with Kerberos5 so I'll probably look at the "admin"
question sometime in the far off future...
> Here's the config; I know that keytab's not actually used with GSSAPI,
> but I leave it in as harmless
I can't find a "keytab" option in the imapd.conf manual page.
There's a srvtab option, but that applies to Kerberos4 which you
aren't using.
> -- I set $KRB5_KTNAME in the rc startup config, which works with
> Heimdal:
It will also work with MIT's Kerberos5, but see below.
> ----------------------------8< cut here >8------------------------------
> configdirectory: /home/imap/configs
> partition-default: /home/imap/mail
> sievedir: /home/imap/configs/sieve
> tls_cert_file: /etc/cyrusimapd/domus-imapserver.crt.pem
> tls_key_file: /etc/cyrusimapd/domus-imapserver.key.pem
> tls_ca_path: /etc/ssl/certs/
> tls_ca_file: /usr/share/ca-certificates/globnix/globnixCA.pem
> tls_cipher_list: ALL:!ADH:!EXP:+HIGH:+MEDIUM:!SSLv2:@STRENGTH
I use:
# Insist on "proper", rather than "mickey-mouse", ciphers. We'll
# expect to see high (key length > 128 bits) or medium (key length
# of 128 bits) ciphers, sorted by strength.
tls_cipher_list: HIGH:MEDIUM:@STRENGTH
Is there a reason I'm probably missing for the "!SSLv2"? I thought
the client and server negotiated the highest strength cipher that's
mutually acceptable. So it should all come out in the wash. For
example pointing pine at my experimental IMAP server I usually see:
Jul 6 12:48:32 bahamontes imap[25303]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Jul 6 12:48:32 bahamontes imap[25303]: login: hinault.bath.ac.uk [138.38.52.28] ccsdhd GSSAPI+TLS User logged in
which looks OK to me.
> admins: cyrus xxx-admin xxx/admin xxx/
> umask: 027
> hashimapspool: yes
> allowanonymouslogin: no
> allowplaintext: no
> mboxlist_db: skiplist
> seenstate_db: flat
> unixhierarchysep: yes
> sasl_minimum_layer: 0
> sasl_mech_list: external gssapi digest-md5 cram-md5
> keytab: /etc/kerberos/tabs/imapd.keytab
See above. I'm fairly sure there's no "keytab" option. However, you
can set "sasl_keytab" to indicate where your Kerberos5 keytab lives.
So my configuration reads:
sasl_pwcheck_method: saslauthd
sasl_mech_list: plain gssapi
# We'll set sasl_keytab, instead of starting the master process with
# a command line of the form:
#
# KRB5_KTNAME=/var/imap/krb5.keytab /usr/local/libexec/cyrus-imapd/master &
sasl_keytab: /var/imap/krb5.keytab
> altnamespace: yes
> userprefix: Other Users
> sharedprefix: Shared Folders
--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
Phone: +44 1225 386101
----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
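The practical way to settle the cipher-list question is not to reason about the string but to check what each session actually negotiated, which is what the two syslog lines quoted in the message show. The following is an added example, not code from this thread or from the Cyrus project: a small parser for the `starttls:` and `login:` lines Cyrus writes, correlating them by worker PID and flagging sessions that negotiated a legacy protocol, a cipher under 128 bits, or no TLS at all. The regular expressions assume the line layout of the two quoted lines generalises; the sample log below is constructed (the first two lines mirror the quoted ones, the rest use invented hosts and users), and the finding thresholds are my own choices.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Policy knobs (assumed values, chosen for this example).
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}
MIN_CIPHER_BITS = 128
PLAINTEXT_MECHS = {"plaintext", "PLAIN", "LOGIN"}

# Constructed sample log. Lines 1-2 mirror the two lines quoted in the
# message; the remaining lines are invented to exercise the checks.
SAMPLE_LOG = """\
Jul 6 12:48:32 bahamontes imap[25303]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Jul 6 12:48:32 bahamontes imap[25303]: login: hinault.bath.ac.uk [138.38.52.28] ccsdhd GSSAPI+TLS User logged in
Jul 6 12:50:01 bahamontes imap[25310]: starttls: SSLv3 with cipher EXP-RC4-MD5 (40/128 bits new) no authentication
Jul 6 12:50:01 bahamontes imap[25310]: login: client.example.invalid [192.0.2.10] someone plaintext+TLS User logged in
Jul 6 12:51:12 bahamontes imap[25320]: login: other.example.invalid [192.0.2.11] other CRAM-MD5 User logged in
"""

# Line shapes assumed from the quoted lines: "<proc>[<pid>]: starttls: <proto>
# with cipher <name> (<bits>/<algbits> bits new|reused) <client-auth note>" and
# "<proc>[<pid>]: login: <host> [<ip>] <user> <mech> User logged in".
STARTTLS_RE = re.compile(
    r"\w+\[(?P<pid>\d+)\]: starttls: (?P<proto>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>\d+)/(?P<algbits>\d+) bits (?P<reuse>new|reused)\) (?P<clientauth>.*)$"
)
LOGIN_RE = re.compile(
    r"\w+\[(?P<pid>\d+)\]: login: (?P<host>\S+) \[(?P<ip>[^\]]+)\] (?P<user>\S+) "
    r"(?P<mech>\S+) User logged in$"
)


@dataclass
class Session:
    pid: str
    proto: Optional[str] = None   # None means no STARTTLS before login
    cipher: Optional[str] = None
    bits: Optional[int] = None    # effective key bits (first number in "a/b bits")
    user: Optional[str] = None
    ip: Optional[str] = None
    mech: Optional[str] = None    # e.g. "GSSAPI+TLS"; "+TLS" marks a TLS-wrapped login
    findings: List[str] = field(default_factory=list)


def assess(s: Session) -> List[str]:
    """Return the policy findings for one completed session."""
    findings = []
    has_tls = s.proto is not None
    if s.proto in LEGACY_PROTOCOLS:
        findings.append(f"legacy protocol {s.proto} negotiated")
    if s.bits is not None and s.bits < MIN_CIPHER_BITS:
        findings.append(f"weak cipher {s.cipher} ({s.bits} bits)")
    base_mech = (s.mech or "").split("+")[0]
    if not has_tls and base_mech in PLAINTEXT_MECHS:
        findings.append(f"{base_mech} credentials sent without TLS")
    if not has_tls:
        findings.append("no STARTTLS: session contents unencrypted")
    return findings


def analyze(log_text: str) -> List[Session]:
    """Pair each login with the starttls line of the same worker PID.

    Cyrus worker processes are reused for many connections, so the pending
    state is cleared on every login; a production version should also key on
    the timestamp to survive PID reuse across restarts.
    """
    pending = {}
    completed = []
    for line in log_text.splitlines():
        m = STARTTLS_RE.search(line)
        if m:
            s = pending.setdefault(m["pid"], Session(pid=m["pid"]))
            s.proto, s.cipher, s.bits = m["proto"], m["cipher"], int(m["bits"])
            continue
        m = LOGIN_RE.search(line)
        if m:
            s = pending.pop(m["pid"], Session(pid=m["pid"]))
            s.user, s.ip, s.mech = m["user"], m["ip"], m["mech"]
            s.findings = assess(s)
            completed.append(s)
    return completed


if __name__ == "__main__":
    for s in analyze(SAMPLE_LOG):
        status = "ok" if not s.findings else "; ".join(s.findings)
        print(f"pid={s.pid} user={s.user} ip={s.ip} mech={s.mech} "
              f"proto={s.proto} cipher={s.cipher}: {status}")
```

Run it against a real `/var/log/maillog` extract to see, per login, the protocol and cipher the server really agreed on; if every session shows a TLSv1-or-later protocol with a 128-bit-plus cipher, the cipher list is doing its job regardless of how it is spelled.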