Cyrus

Cyrus SASL is an implementation of SASL (Simple Authentication and Security Layer): a library that mail servers and other network daemons link against to authenticate clients, plus the saslauthd(8) daemon and the command-line tools described below.


Installation

Most Linux and BSD distributions offer a cyrus-sasl package.

Distributions such as Alpine Linux have split out each plugin and mechanism into separate packages.


Usage

Cyrus can be used in two modes. Either the application hands the username and password to a daemon, saslauthd(8), which checks them against the system (/etc/shadow, PAM, and others) and answers yes or no; or the library itself reads the credentials from a database through an "auxiliary property" (auxprop) plugin. The distinction matters for mech_list: saslauthd only ever sees a plaintext password, so it can serve only PLAIN and LOGIN, whereas the auxprop route retrieves the stored password and can therefore also serve shared-secret mechanisms such as CRAM-MD5 and DIGEST-MD5, at the cost of keeping every password in the clear.


Server

To authenticate SMTP clients through saslauthd(8), put the following in the application's SASL configuration file (smtpd.conf for Postfix, read from /etc/sasl2/ or /usr/lib/sasl2/ depending on the distribution):

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

Start the daemon checking against /etc/shadow (it must run as root to read that file) with:

saslauthd -a shadow

Or alternatively, start the server while hooking into PAM with:

saslauthd -a pam

The PAM configuration file is named after the service name the mail server passes to saslauthd (this page uses smtpd; Postfix passes smtp, so check your server's documentation before assuming /etc/pam.d/smtpd). It needs to look like:

#%PAM-1.0
auth            required        pam_unix.so
account         required        pam_unix.so

Test the daemon like this (the -s flag selects the service name, which matters for the PAM backend; note that the password ends up in the shell history and is visible in the process list while the command runs):

testsaslauthd -u USERNAME -p PASSWD -s smtpd
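The exchange testsaslauthd runs is a small length-prefixed protocol over saslauthd's Unix socket. The following Python client speaks it, together with a constructed stand-in daemon so the round trip can be exercised offline; this is added example code, not part of the page or of the Cyrus project. The socket path and the "smtp" service name are assumptions to adjust to your installation (the service name is what the PAM backend looks up under /etc/pam.d/).

```python
"""Client for saslauthd's Unix-socket protocol, plus an offline stand-in server.

Wire format (what testsaslauthd(8) sends): four strings, each a 2-byte
big-endian length followed by the bytes, in the order login, password,
service, realm. The daemon answers with one such string starting "OK" or "NO".
"""
import os
import socket
import struct
import tempfile
import threading

# Assumption: the mux path varies by distribution (/run/saslauthd/mux,
# /var/run/saslauthd/mux, or under the Postfix chroot). Match saslauthd's -m option.
DEFAULT_MUX = "/run/saslauthd/mux"


def _pack(value: str) -> bytes:
    """One protocol string: 16-bit big-endian length, then the bytes."""
    data = value.encode("utf-8")
    if len(data) > 0xFFFF:
        raise ValueError("field too long for the saslauthd protocol")
    return struct.pack("!H", len(data)) + data


def _read_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the socket mid-message")
        buf += chunk
    return buf


def _read_string(sock: socket.socket) -> str:
    (n,) = struct.unpack("!H", _read_exact(sock, 2))
    return _read_exact(sock, n).decode("utf-8")


def build_request(login: str, password: str, service: str, realm: str = "") -> bytes:
    """The request body: login, password, service, realm, each length-prefixed."""
    return b"".join(_pack(f) for f in (login, password, service, realm))


def check_password(login, password, service="smtp", realm="", path=DEFAULT_MUX):
    """Ask saslauthd whether login/password is valid. Returns (ok, reply text)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(build_request(login, password, service, realm))
        reply = _read_string(s)
    return reply.startswith("OK"), reply


class FakeSaslauthd:
    """Constructed stand-in for the daemon so the exchange runs offline.
    It answers from a dict keyed by (login, realm); a real -a shadow backend
    would compare against the crypt(3) hash instead."""

    def __init__(self, users):
        self.users = users
        self.dir = tempfile.mkdtemp()
        self.path = os.path.join(self.dir, "mux")
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.bind(self.path)
        self.sock.listen(5)
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return  # listening socket was closed
            with conn:
                try:
                    fields = [_read_string(conn) for _ in range(4)]
                except (OSError, ConnectionError):
                    continue
                login, password, _service, realm = fields
                ok = self.users.get((login, realm)) == password
                conn.sendall(_pack("OK" if ok else "NO"))

    def close(self):
        try:
            self.sock.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        self.sock.close()
        os.unlink(self.path)
        os.rmdir(self.dir)


def demo():
    """One good login and one bad one against the stand-in daemon."""
    server = FakeSaslauthd({("alice", ""): "correct horse battery staple"})  # constructed
    try:
        good, _ = check_password("alice", "correct horse battery staple", path=server.path)
        bad, reply = check_password("alice", "wrong", path=server.path)
        return good, bad, reply
    finally:
        server.close()


if __name__ == "__main__":
    print(demo())
```

Pointing check_password at the real socket (with the service name your mail server uses) gives the same yes/no answer testsaslauthd prints, which is handy for scripted checks after a PAM change.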


Auxiliary Properties

To authenticate SMTP clients against a database that the library reads itself, try:

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM

The mech_list is a filter on which SASL mechanisms are offered. The mail server takes this list and advertises it to clients. There may be further, external restrictions on which mechanisms may be used when, e.g. refusing plaintext mechanisms until TLS is up (in Postfix, smtpd_tls_auth_only = yes, or noplaintext in smtpd_sasl_security_options). CRAM-MD5, DIGEST-MD5 and NTLM appear here because an auxprop backend can serve them, but they are obsolete (RFC 6331 moved DIGEST-MD5 to historic) and a captured exchange can be guessed against offline, so the usual choice today is PLAIN and LOGIN only, over TLS.

The sasldb file (/etc/sasldb2 by default) is a key-value database in whichever format the library was built with (Berkeley DB, GDBM or LMDB). It holds the passwords in plaintext, so it must be readable only by root and the mail server's user. Manage it with saslpasswd2(8) and sasldblistusers2(8):

# Create; -u sets the realm, so the entry is USERNAME@domain.example.com and
# the client must present the same realm (the default realm is the hostname)
saslpasswd2 -c -u domain.example.com USERNAME

# List registered logins (printed as user@realm: userPassword)
sasldblistusers2

# Delete
saslpasswd2 -d -u domain.example.com USERNAME

SQL

To use a SQL database as an auxiliary property, try:

pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
sql_engine: pgsql
sql_hostnames: 127.0.0.1, 192.0.2.1
sql_user: DBUSERNAME
sql_passwd: DBPASSWD
sql_database: DBNAME
sql_select: SELECT password FROM users WHERE username = '%u@%r'

In sql_select, %u is the username, %r the realm and %p the property being requested (userPassword for authentication). The column is called username above because user is a reserved word in PostgreSQL and a bare WHERE user = ... would compare against the database login instead of the column. The query must return the plaintext password, since the library does the comparison itself (and needs the plaintext for CRAM-MD5 and DIGEST-MD5).

Whether localhost in sql_hostnames means a Unix socket depends on the client library; with the mysql engine, localhost selects the socket and 127.0.0.1 forces a TCP connection.

sql_engine accepts pgsql, mysql, sqlite and, in newer builds, sqlite3. The configuration file holds the database credentials in the clear, so restrict its permissions the same way as sasldb.
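To make concrete both what the sql plugin does with sql_select and why the mech_list discussion above says auxprop backends need plaintext passwords, here is an added Python emulation (not the plugin's code) that runs the page's query against a constructed in-memory SQLite table and then performs the two kinds of verification the mechanism list implies: a plaintext compare for PLAIN/LOGIN and the RFC 2195 challenge-response check for CRAM-MD5. The quote-doubling in _escape and the sample rows are this example's assumptions.

```python
"""Emulation of the sql auxprop lookup plus PLAIN and CRAM-MD5 verification."""
import hashlib
import hmac
import sqlite3

# The page's query, with the column named username (user is reserved in PostgreSQL).
# %u, %r and %p stand for the username, the realm and the requested property.
SQL_SELECT = "SELECT password FROM users WHERE username = '%u@%r'"


def _escape(value: str) -> str:
    """Double single quotes before textual substitution. This is the emulation's
    choice; verify what your plugin build does rather than assuming it."""
    return value.replace("'", "''")


def expand(template: str, user: str, realm: str, prop: str = "userPassword") -> str:
    return (template.replace("%u", _escape(user))
                    .replace("%r", _escape(realm))
                    .replace("%p", prop))


def make_db() -> sqlite3.Connection:
    """Constructed sample table, the shape sql_engine: sqlite would point at."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice@domain.example.com", "correct horse battery staple"),
        ("bob@domain.example.com", "hunter2"),
    ])
    db.commit()
    return db


def lookup(db, user, realm):
    """What the auxprop plugin fetches: the stored plaintext password, or None."""
    row = db.execute(expand(SQL_SELECT, user, realm)).fetchone()
    return row[0] if row else None


def verify_plain(db, user, realm, offered) -> bool:
    """PLAIN/LOGIN: the library compares the offered password with the stored one."""
    stored = lookup(db, user, realm)
    return stored is not None and hmac.compare_digest(stored.encode(), offered.encode())


def cram_md5_response(user, password, challenge: bytes) -> str:
    """Client side of CRAM-MD5 (RFC 2195): 'user HEX(HMAC-MD5(password, challenge))'."""
    return user + " " + hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


def verify_cram_md5(db, user, realm, challenge: bytes, response: str) -> bool:
    """Server side: recompute the HMAC from the stored secret. This is impossible
    with a hashed password, which is why CRAM-MD5/DIGEST-MD5 via auxprop forces
    plaintext storage."""
    stored = lookup(db, user, realm)
    if stored is None:
        return False
    expected = cram_md5_response(user, stored, challenge)
    return hmac.compare_digest(expected.encode(), response.encode())


def demo():
    db = make_db()
    realm = "domain.example.com"
    challenge = b"<1896.697170952@postoffice.example.net>"  # RFC 2195's sample challenge
    return {
        "query": expand(SQL_SELECT, "alice", realm),
        "plain_ok": verify_plain(db, "alice", realm, "correct horse battery staple"),
        "plain_bad": verify_plain(db, "alice", realm, "wrong"),
        "cram_ok": verify_cram_md5(db, "bob", realm, challenge,
                                   cram_md5_response("bob", "hunter2", challenge)),
        "cram_bad": verify_cram_md5(db, "bob", realm, challenge,
                                    cram_md5_response("bob", "wrong", challenge)),
        "quoted_user": lookup(db, "x' OR '1'='1", realm),  # no row, quotes were doubled
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The point to take from verify_cram_md5 is that the server-side HMAC is keyed with the password itself: a backend holding only crypt(3) or bcrypt hashes can answer PLAIN through saslauthd, but it can never produce this value, so listing CRAM-MD5 or DIGEST-MD5 commits you to plaintext storage.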

LDAP

To use a LDAP database as an auxiliary property, try:

pwcheck_method: auxprop
auxprop_plugin: ldapdb
mech_list: PLAIN LOGIN NTLM CRAM-MD5 DIGEST-MD5
ldapdb_uri: ldap://localhost
ldapdb_id: proxyuser
ldapdb_pw: password
ldapdb_mech: DIGEST-MD5

Specify ldapdb_uri as ldapi://... for a Unix socket, ldap://... for a TCP connection, or ldaps://... for TLS from the start; ldapdb_starttls (try or demand) upgrades a plain ldap:// connection instead. The plugin binds to the directory as ldapdb_id with the mechanism in ldapdb_mech and then uses SASL proxy authorization to read each user's password attribute, so the directory must allow that identity to authorize as the users being authenticated (authzTo/authzFrom in OpenLDAP). Over ldapi:// the EXTERNAL mechanism can replace the proxy password with the local peer credentials, which keeps ldapdb_pw out of the configuration file.


See also

saslauthd(8)

saslpasswd2(8)


CategoryRicottone

Cyrus (last edited 2023-06-29 15:39:38 by DominicRicottone)