On Thu, 6 Jul 2006, Phil Pennock wrote:

> From: Phil Pennock <info-cyrus-spodhuis@xxxxxxxxxxxx>
> To: info-cyrus@xxxxxxxxxxxxxxxxxxxx
> Date: Thu, 6 Jul 2006 02:02:01 +0200
> Subject: Mapping users (either KerberosV or TLS certs)

...

Can't answer any of your questions, which I've deleted.  Although I'm
using Cyrus with Kerberos5, so I'll probably look at the "admin" question
sometime in the far off future...

> Here's the config; I know that keytab's not actually used with GSSAPI,
> but I leave it in as harmless

I can't find a "keytab" option in the imapd.conf manual page.  There's a
srvtab option, but that applies to Kerberos4, which you aren't using.

> -- I set $KRB5_KTNAME in the rc startup config, which works with
> Heimdal:

It will also work with MIT's Kerberos5, but see below.

> ----------------------------8< cut here >8------------------------------
> configdirectory: /home/imap/configs
> partition-default: /home/imap/mail
> sievedir: /home/imap/configs/sieve
> tls_cert_file: /etc/cyrusimapd/domus-imapserver.crt.pem
> tls_key_file: /etc/cyrusimapd/domus-imapserver.key.pem
> tls_ca_path: /etc/ssl/certs/
> tls_ca_file: /usr/share/ca-certificates/globnix/globnixCA.pem
> tls_cipher_list: ALL:!ADH:!EXP:+HIGH:+MEDIUM:!SSLv2:@STRENGTH

I use:

# Insist on "proper", rather than "mickey-mouse", ciphers.  We'll
# expect to see high (key length > 128 bits) or medium (key length
# of 128 bits) ciphers, sorted by strength.
tls_cipher_list: HIGH:MEDIUM:@STRENGTH

Is there a reason I'm probably missing for the "!SSLv2"?  I thought the
client and server negotiated the highest strength cipher that's mutually
acceptable.  So it should all come out in the wash.

For example, pointing pine at my experimental IMAP server I usually see:

Jul  6 12:48:32 bahamontes imap[25303]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
Jul  6 12:48:32 bahamontes imap[25303]: login: hinault.bath.ac.uk [138.38.52.28] ccsdhd GSSAPI+TLS User logged in

which looks OK to me.
> admins: cyrus xxx-admin xxx/admin xxx/admin@xxxxxxxxx
> umask: 027
> hashimapspool: yes
> allowanonymouslogin: no
> allowplaintext: no
> mboxlist_db: skiplist
> seenstate_db: flat
> unixhierarchysep: yes
> sasl_minimum_layer: 0
> sasl_mech_list: external gssapi digest-md5 cram-md5
> keytab: /etc/kerberos/tabs/imapd.keytab

See above.  I'm fairly sure there's no "keytab" option.  However, you can
set "sasl_keytab" to indicate where your Kerberos5 keytab lives.  So my
configuration reads:

sasl_pwcheck_method: saslauthd
sasl_mech_list: plain gssapi
# We'll set sasl_keytab, instead of starting the master process with
# a command line of the form:
#
#     KRB5_KTNAME=/var/imap/krb5.keytab /usr/local/libexec/cyrus-imapd/master &
sasl_keytab: /var/imap/krb5.keytab

> altnamespace: yes
> userprefix: Other Users
> sharedprefix: Shared Folders

-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis@xxxxxxxxxx                   Phone: +44 1225 386101
----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
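The script below is an added example, written for this page; it is not code from either poster or from the Cyrus project. It models the two imapd.conf points the message raises: what an OpenSSL cipher string like the two tls_cipher_list values above actually selects, and the "keytab" versus "sasl_keytab" mix-up. The suite table is a constructed subset of OpenSSL's list (names, key bits and HIGH/MEDIUM/LOW/EXPORT classes as OpenSSL 0.9.x reported them), "ALL" here uses table order rather than OpenSSL's own default ordering, and the function names (resolve_cipher_string, parse_imapd_conf, lint_imapd_conf) and the sample config fragment are this example's own. The operator semantics follow ciphers(1): "!" deletes permanently, "-" deletes, a leading "+" moves matching suites to the end, a bare word appends, an infix "+" is logical AND, and "@STRENGTH" sorts by key bits.

```python
"""Resolve OpenSSL-style cipher strings over a small suite table and lint an
imapd.conf fragment for the points raised in the thread.  Added example, not
code from the posters or from Cyrus; the suite table is a constructed subset."""

# Constructed subset of OpenSSL's suite table: (name, bits, class, kx, auth, protocol)
SUITES = [
    ("AES256-SHA",     256, "HIGH",   "RSA", "RSA",  "SSLv3"),
    ("ADH-AES256-SHA", 256, "HIGH",   "DH",  "NULL", "SSLv3"),  # anonymous DH, still HIGH
    ("DES-CBC3-SHA",   168, "HIGH",   "RSA", "RSA",  "SSLv3"),
    ("DES-CBC3-MD5",   168, "HIGH",   "RSA", "RSA",  "SSLv2"),  # SSLv2-only suite
    ("AES128-SHA",     128, "HIGH",   "RSA", "RSA",  "SSLv3"),  # OpenSSL classes 128-bit AES as HIGH
    ("RC4-SHA",        128, "MEDIUM", "RSA", "RSA",  "SSLv3"),
    ("IDEA-CBC-MD5",   128, "MEDIUM", "RSA", "RSA",  "SSLv2"),  # SSLv2-only suite
    ("DES-CBC-SHA",     56, "LOW",    "RSA", "RSA",  "SSLv3"),
    ("EXP-RC4-MD5",     40, "EXPORT", "RSA", "RSA",  "SSLv3"),
    ("NULL-SHA",         0, "eNULL",  "RSA", "RSA",  "SSLv3"),
]

def _matches(word, suite):
    """Does one cipher-string word (suite name or keyword) select this suite?"""
    name, bits, cls, kx, auth, proto = suite
    if word == "ALL":
        return cls != "eNULL"                 # ALL excludes the null-encryption suites
    if word in ("EXP", "EXPORT"):
        return cls == "EXPORT"
    if word == "ADH":
        return kx == "DH" and auth == "NULL"  # anonymous Diffie-Hellman
    if word == "aNULL":
        return auth == "NULL"
    if word in ("SSLv2", "SSLv3"):
        return proto == word
    return word in (name, cls)                # exact suite name or HIGH/MEDIUM/LOW

def resolve_cipher_string(spec):
    """Return the suite names the cipher string selects, in the order offered."""
    current, killed = [], set()
    for elem in spec.split(":"):
        if not elem:
            continue
        if elem == "@STRENGTH":               # stable sort, strongest key first
            current.sort(key=lambda s: -s[1])
            continue
        op = elem[0] if elem[0] in "!-+" else ""
        words = elem[len(op):].split("+")     # infix '+' means all words must match
        hits = [s for s in SUITES if all(_matches(w, s) for w in words)]
        if op == "!":                         # delete, and never let a later word re-add
            killed.update(s[0] for s in hits)
            current = [s for s in current if s[0] not in killed]
        elif op == "-":                       # delete, but a later word may re-add
            current = [s for s in current if s not in hits]
        elif op == "+":                       # reorder only: move matches to the end
            moved = [s for s in current if s in hits]
            current = [s for s in current if s not in hits] + moved
        else:                                 # append matches not already present
            current += [s for s in hits if s not in current and s[0] not in killed]
    return [s[0] for s in current]

def parse_imapd_conf(text):
    """imapd.conf is one 'option: value' per line; lines starting with '#' are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")   # first colon splits; values may contain ':'
        conf[key.strip()] = value.strip()
    return conf

def lint_imapd_conf(conf):
    """Findings for the issues discussed in the thread; an empty list means clean."""
    findings = []
    if "keytab" in conf:
        findings.append("'keytab' is not an imapd.conf option; use sasl_keytab "
                        "(or export KRB5_KTNAME when starting master)")
    if conf.get("allowplaintext", "no").lower() == "yes":
        findings.append("allowplaintext: yes lets passwords cross the wire unprotected")
    if "tls_cipher_list" in conf:
        by_name = {s[0]: s for s in SUITES}
        for name in resolve_cipher_string(conf["tls_cipher_list"]):
            _, bits, cls, _, auth, proto = by_name[name]
            if cls in ("LOW", "EXPORT", "eNULL") or auth == "NULL" or proto == "SSLv2":
                findings.append(f"tls_cipher_list still offers {name} "
                                f"({bits} bits, {cls}, {proto}, Au={auth})")
    return findings

# Constructed fragment modelled on the config quoted in the thread (hypothetical paths).
SAMPLE_CONF = """\
tls_cipher_list: ALL:!ADH:!EXP:+HIGH:+MEDIUM:!SSLv2:@STRENGTH
allowplaintext: no
sasl_mech_list: external gssapi digest-md5 cram-md5
keytab: /etc/kerberos/tabs/imapd.keytab
"""

if __name__ == "__main__":
    for finding in lint_imapd_conf(parse_imapd_conf(SAMPLE_CONF)):
        print("-", finding)
    for spec in ("ALL:!ADH:!EXP:+HIGH:+MEDIUM:!SSLv2:@STRENGTH", "HIGH:MEDIUM:@STRENGTH"):
        print(spec, "->", resolve_cipher_string(spec))
```

Running it shows why the two strings are not interchangeable: "ALL:!ADH:!EXP:+HIGH:+MEDIUM:!SSLv2:@STRENGTH" still offers the 56-bit DES-CBC-SHA suite, because a leading "+" only reorders and never removes LOW suites, while "HIGH:MEDIUM:@STRENGTH" never lists LOW suites but, with no "!aNULL" or "!SSLv2" term, keeps the anonymous ADH-AES256-SHA and the SSLv2-only DES-CBC3-MD5 and IDEA-CBC-MD5. Negotiating the strongest mutual cipher does not help if an attacker-controlled client chooses to offer only the weak ones, which is the practical reason to keep the exclusions in the server's list.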