
Bug#108942: The saga of cyrus2-imapd continues



I finally got cyrus2-imapd to authenticate an account, but I had to use
"sasldb" instead of "PAM" for "sasl_pwcheck_method" in /etc/imapd.conf.

It appears that until PAM-0.74 is available in "unstable", cyrus2-imapd
won't be able to authenticate using it.  I thought about filing a "new
upstream version" bug against libpam0g, but I know there has been some
discussion about how to handle new versions of PAM in Debian.  I just
can't seem to find the correct mailing list archive or web page that 
describes this.

It would be nice to be able to have Cyrus do a two-level check, first on
real accounts via PAM, then on virtual accounts via SASL, then return an
unknown user error, but I don't know enough about PAM, SASL or Cyrus to
create a patch (yet).

I tried copying the included /etc/pam.d/cyrus to /etc/pam.d/pop and to
/etc/pam.d/imap to get Cyrus to authenticate against PAM.  This didn't
work.  That file looked like this:

------- /etc/pam.d/cyrus

# PAM configuration file for Cyrus
#
# If you want to use Cyrus in a setup where users don't have
# accounts on the local machine, you'll need to make sure
# you use something like pam_permit for account checking.
#
# Also, take a look into libpam-ldap, libpam-mysql/libpam-pgsql
# and libpam-pwdfile. They're likely to be helpful aid for creating
# a closed-box email system.
#

auth	required	pam_unix.so nullok
account	required	pam_unix.so

------- End of /etc/pam.d/cyrus

I also tried using the /etc/pam.d/pop and /etc/pam.d/imap (the files are
identical; see below) that came with the 2.0.16 RPMs on
<http://rmrpms.tripod.com/cyrus-imapd/> without any luck (since 
pam_stack.so is a part of PAM-0.74).

------- /etc/pam.d/[pop|imap]

#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth

------- End of /etc/pam.d/[pop|imap]

I finally did the following to create an /etc/sasldb file:

$ ssh root@localhost
# saslpasswd ddkilzer
Password:
Again (for verification):
# exit

This was done long after running "cyradm" to create a mailbox for
ddkilzer ("cm user.ddkilzer").

After creating the sasldb (and changing /etc/imapd.conf and restarting
cyrmaster), logging into the POP server through telnet worked great, and
I could connect to the imapd using mutt.  I know this isn't the ideal
setup, but it's what I'll use for now.

Hope this still helps!

Dave
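
As an added example (not part of the original message, and not code from Cyrus or PAM): a shell check for the failure described above, where a service file names a module such as pam_stack.so that is not installed. The function names `pam_missing_modules` and `pam_demo` and the temporary paths are hypothetical, and the demo files are constructed.

```shell
#!/bin/sh
# Added example (not from the original message): list PAM module references
# in a service file that do not exist on disk, e.g. pam_stack.so.

# pam_missing_modules SERVICE_FILE MODULE_DIR
# Prints "<type> <module>" for each unresolved module.
# Returns 0 if all resolve, 1 if any is missing, 2 if the file is unreadable.
# Assumes the control field is a single word (no "[...]" bracket syntax).
pam_missing_modules() {
    svc_file=$1
    mod_dir=$2
    [ -r "$svc_file" ] || return 2
    missing=0
    while read -r type control module _args || [ -n "$type" ]; do
        case $type in
            ''|'#'*|'@'*) continue ;;      # blank, comment ("#%PAM-1.0"), @include
        esac
        [ -n "$module" ] || continue
        case $module in
            /*) path=$module ;;            # absolute path, as in the RPM files
            *)  path=$mod_dir/$module ;;   # bare name, looked up in MODULE_DIR
        esac
        if [ ! -e "$path" ]; then
            printf '%s %s\n' "$type" "$module"
            missing=1
        fi
    done < "$svc_file"
    return "$missing"
}

# Constructed demo: a module directory that holds only pam_unix.so, and a
# service file shaped like the two quoted in the message.
pam_demo() {
    d=$(mktemp -d) || return 2
    mkdir "$d/security" && : > "$d/security/pam_unix.so"
    {
        echo '#%PAM-1.0'
        echo "auth     required  $d/security/pam_stack.so service=system-auth"
        echo 'account  required  pam_unix.so'
    } > "$d/imap"
    pam_missing_modules "$d/imap" "$d/security"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

pam_demo || echo "unresolved PAM modules found (status $?)"
```

The check covers only whether the module file is present; a module that exists but fails to load would still need to be diagnosed from the authentication logs.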


