
I use a web SSO portal which provides CAS tickets. I "cassify" my webmail and my IMAP server (cyrus-imapd).

When I fetch my emails from the webmail (CAS proxy), it works. But if I fetch my emails with a classic IMAP client and then try to fetch again from the webmail, I get authentication failures.

It seems to be a known problem. Indeed (if I understand correctly), the SASL cache first gets a PT as the password (from the webmail), and afterwards a real password (from the classic IMAP client). I haven't found the right way to correct it, which is why I am posting my question here. I tried pam_ccreds, but I still have a lot of authentication errors in mail.log.

So I am trying to use two instances of saslauthd and two IMAP services. Below is the OS and software configuration:

  • OS: Debian 8
  • sasl2-bin: 2.1.26.dfsg1-13
  • cyrus-imapd: 2.4.17+caldav~beta10-18

Below is my attempted configuration:

  • /etc/default/saslauthd

    START=yes
    DESC="SASL Authentication Daemon"
    NAME="saslauthd"
    MECHANISMS="pam"
    THREADS=5
    OPTIONS="-c -m /var/run/saslauthd/mux -r -n 0"
    
  • /etc/default/saslauthd-web

    START=yes
    DESC="SASL Authentication Daemon"
    NAME="saslauthd"
    MECHANISMS="pam"
    THREADS=5
    OPTIONS="-c -m /var/run/saslauthd/muxweb -r -n 0"
    
  • /etc/pam.d/imapweb

    auth sufficient /lib/x86_64-linux-gnu/security/pam_cas.so -simap://mail.example.com -f/etc/pam_cas.conf
    auth sufficient /lib/x86_64-linux-gnu/security/pam_ldap.so config=/etc/pam_ldap_imap.conf
    auth sufficient /lib/x86_64-linux-gnu/security/pam_unix.so
    account sufficient /lib/x86_64-linux-gnu/security/pam_ldap.so config=/etc/pam_ldap_imap.conf
    
  • /etc/pam.d/imap

    auth sufficient /lib/x86_64-linux-gnu/security/pam_ldap.so config=/etc/pam_ldap_imap.conf
    auth sufficient /lib/x86_64-linux-gnu/security/pam_unix.so
    account sufficient /lib/x86_64-linux-gnu/security/pam_ldap.so config=/etc/pam_ldap_imap.conf
    
  • /etc/cyrus.conf

    imap cmd="imapd -U 30" listen="X.X.X.X:imap" prefork=0 maxchild=100
    imapweb cmd="imapd -U 30 -C /etc/imapdweb.conf" listen="X.X.X.X:IMAPWEBPORT" prefork=0 maxchild=100
    
  • /etc/imapd.conf

    ...
    sasl_pwcheck_method: auxprop saslauthd
    imap_sasl_saslauthd_path: /var/run/saslauthd/mux
    imapweb_sasl_saslauthd_path: /var/run/saslauthd/muxweb
    sasl_auxprop_plugin: sasldb
    ...
    

I restarted the saslauthd and cyrus-imapd services.

When I run a testsaslauthd command against each saslauthd socket, it works fine:

    testsaslauthd -u USER -p PASSWORD -f /var/run/saslauthd/mux/mux -s imap
    0: OK "Success."
    testsaslauthd -u USER -p PASSWORD -f /var/run/saslauthd/muxweb/mux -s imapweb
    0: OK "Success."

But when I telnet to the IMAP port on my IMAP server from my webmail host, the authentication fails. On the imapweb port it is the same. However, in the IMAP log I see the stack trace, which shows that I am using the right IMAP service (imap for the imap port and imapweb for "IMAPWEBPORT").

Do you have any idea why my authentication doesn't work? Is this the right method to accept both CAS and classic IMAP access?

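As an added consistency check (example code written for this edit, not part of the original question, of Cyrus or of Cyrus SASL), the following Python script cross-checks the cyrus.conf and imapd.conf fragments above: it resolves which saslauthd run directory each Cyrus service picks up through the `<service>_sasl_saslauthd_path` override and warns about overrides that name no service, or services that end up on the same socket. The fallback run directory is an assumption, and the script does not check which PAM service file each saslauthd instance consults.

```python
import re

# Constructed inline copies of the two files from the question.
CYRUS_CONF = """\
imap cmd="imapd -U 30" listen="X.X.X.X:imap" prefork=0 maxchild=100
imapweb cmd="imapd -U 30 -C /etc/imapdweb.conf" listen="X.X.X.X:IMAPWEBPORT" prefork=0 maxchild=100
"""
IMAPD_CONF = """\
sasl_pwcheck_method: auxprop saslauthd
imap_sasl_saslauthd_path: /var/run/saslauthd/mux
imapweb_sasl_saslauthd_path: /var/run/saslauthd/muxweb
sasl_auxprop_plugin: sasldb
"""
DEFAULT_RUNDIR = "/var/run/saslauthd"  # assumed build default when no override is set

def parse_cyrus_services(text):
    """Return {service_name: {attr: value}} from cyrus.conf SERVICES lines."""
    services = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        # attr="quoted value" or attr=bare, as in the post's cyrus.conf
        pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s"]+))', rest)
        services[name] = {k: quoted or bare for k, quoted, bare in pairs}
    return services

def parse_imapd_conf(text):
    """Return {option: value} from imapd.conf "option: value" lines."""
    opts = {}
    for line in text.splitlines():
        if ":" in line and not line.lstrip().startswith("#"):
            key, _, value = line.partition(":")
            opts[key.strip()] = value.strip()
    return opts

def resolve_saslauthd_paths(services, opts):
    """Map each Cyrus service to the saslauthd run directory it will use."""
    generic = opts.get("sasl_saslauthd_path", DEFAULT_RUNDIR)
    return {n: opts.get(f"{n}_sasl_saslauthd_path", generic) for n in services}

def check(services, opts):
    """Warn on overrides naming no service and on services sharing a socket."""
    warnings = []
    for key in opts:
        m = re.fullmatch(r"(\w+)_sasl_saslauthd_path", key)
        if m and m.group(1) not in services:
            warnings.append(f"{key} matches no cyrus.conf service")
    by_path = {}
    for name, path in resolve_saslauthd_paths(services, opts).items():
        by_path.setdefault(path, []).append(name)
    warnings += [f"{names} share saslauthd socket dir {p}"
                 for p, names in by_path.items() if len(names) > 1]
    return warnings
```

Running `check(parse_cyrus_services(CYRUS_CONF), parse_imapd_conf(IMAPD_CONF))` on the post's fragments returns no warnings; a misspelled override key or a missing one surfaces as a warning instead.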