= Cyrus =

'''Cyrus SASL''' is an implementation of '''SASL''' ('''Simple Authentication and Security Layer''', RFC 4422). It consists of a library (`libsasl2`) that applications such as mail servers link against, a set of mechanism and auxiliary-property plugins, and the `saslauthd(8)` password-verification daemon.

----

== Installation ==

Most [[Linux]] and [[BSD]] distributions offer a `cyrus-sasl` package. Distributions such as [[Linux/Alpine|Alpine Linux]] have split each plugin and mechanism into [[https://pkgs.alpinelinux.org/packages?name=cyrus-*|separate packages]], so the plugin for every mechanism and auxprop backend named in the configuration has to be installed explicitly; a mechanism whose plugin is missing is simply not offered.

----

== Usage ==

Cyrus can be used in two modes, selected by `pwcheck_method` in the application's SASL configuration file (for a mail server this is typically `/etc/sasl2/smtpd.conf` or `/usr/lib/sasl2/smtpd.conf`).

With `pwcheck_method: saslauthd`, the application hands the plaintext username and password to the `saslauthd(8)` daemon over a Unix socket (typically `/run/saslauthd/mux`) and gets back a yes/no answer. Because the daemon only verifies a password, this mode only works with plaintext mechanisms (`PLAIN`, `LOGIN`).

With `pwcheck_method: auxprop`, `libsasl2` itself reads the stored secret through an auxiliary-property plugin (`sasldb`, `sql`, `ldapdb`). Since the secret is available to the server, shared-secret mechanisms such as `CRAM-MD5` and `DIGEST-MD5` can also be offered, at the cost of storing the password in a form the server can recover, i.e. in plaintext.

----

=== Server ===

To use `saslauthd(8)` for authenticating [[Email/SMTP|emails]], configure the mail server's SASL file with:

{{{
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
}}}

Start the server while hooking into `/etc/shadow` with (this needs root or `shadow` group privileges to read the file):

{{{
saslauthd -a shadow
}}}

Or alternatively, start the server while hooking into [[Linux/PAM|PAM]] with:

{{{
saslauthd -a pam
}}}

With PAM, `saslauthd` looks up a PAM service named after the application (`smtpd` for an SMTP server), so the PAM configuration (typically located at `/etc/pam.d/smtpd`) needs to look like:

{{{
#%PAM-1.0
auth     required   pam_unix.so
account  required   pam_unix.so
}}}

Test the authentication server like this, passing the same service name the mail server uses so the PAM lookup matches:

{{{
testsaslauthd -u USERNAME -p PASSWD -s smtpd
}}}

Note that a password given on the command line is visible in the process list and ends up in shell history; test with a throwaway account. If the mail server runs chrooted (Postfix does by default on some distributions), the `saslauthd` socket has to be reachable from inside the chroot.

----

=== Auxiliary Properties ===

To use a static database for authenticating emails, try:

{{{
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
}}}

The `mech_list` is a filter on which SASL mechanisms are supported; the mail server takes this list, intersects it with the plugins that are actually installed, and advertises the result. There may be further, external restrictions on which mechanisms may be used when, e.g. the mail server disallowing plaintext authentication (`PLAIN`, `LOGIN`) without an [[Encryption/TLS|encrypted connection]]. `DIGEST-MD5` has been declared obsolete (RFC 6331) and `NTLM` is weak; they appear in this list only because they are the mechanisms a stored-secret backend can serve to clients that will not use TLS. Where the client supports it and the plugin is installed, `SCRAM-SHA-1`/`SCRAM-SHA-256` is the modern shared-secret choice, and with TLS enforced `PLAIN` over the encrypted channel is simpler than any of them.

The `sasldb` format is a key/value database file (Berkeley DB, GDBM or LMDB depending on how Cyrus was built), by default `/etc/sasldb2`, that stores each `user@realm` together with its plaintext password. It therefore must be readable by the mail server's user and by nobody else, and should only be managed by `saslpasswd2(8)` and `sasldblistusers2(8)`.
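To make the difference between the two `pwcheck_method` modes under Usage and the `mech_list`/TLS filtering described above concrete, here is an added example that is not part of this page or of Cyrus SASL. It re-implements the `PLAIN` (RFC 4616) and `CRAM-MD5` (RFC 2195) exchanges in plain Python against two toy backends: a verify-only one in the style of `saslauthd`, and a secret-returning one in the style of an auxprop plugin. The users, passwords, hostname and the "no plaintext mechanisms without TLS" policy are assumptions made for the example.

```python
"""SASL PLAIN versus CRAM-MD5 against the two Cyrus back-end styles.

Added example, not Cyrus SASL code: the two exchanges are re-implemented from
RFC 4616 (PLAIN) and RFC 2195 (CRAM-MD5) to show why `pwcheck_method:
saslauthd` can only serve plaintext mechanisms while an auxprop back end
(sasldb, sql, ldapdb) can also serve shared-secret ones. All users,
passwords and challenges below are constructed test data.
"""
import base64
import hashlib
import hmac
import secrets
import time


class MechanismUnavailable(Exception):
    """The back end cannot supply what the mechanism needs."""


class SaslauthdBackend:
    """Verify-only back end, like `saslauthd -a shadow` or `-a pam`: it answers
    yes/no and never hands out the secret (a hashed shadow entry could not anyway)."""

    def __init__(self, users):
        self._users = dict(users)  # constructed: user -> plaintext password

    def verify(self, user, password):
        stored = self._users.get(user)
        return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


class AuxpropBackend(SaslauthdBackend):
    """Auxprop back end, like sasldb/sql/ldapdb: libsasl2 reads the stored
    userPassword itself, so the secret has to be recoverable (plaintext)."""

    def get_secret(self, user):
        return self._users.get(user)


# ---- PLAIN (RFC 4616): a single client message "authzid NUL authcid NUL passwd" ----
def plain_client_response(authcid, password, authzid=""):
    return base64.b64encode(f"{authzid}\0{authcid}\0{password}".encode()).decode()


def plain_server_verify(backend, response_b64):
    try:
        parts = base64.b64decode(response_b64, validate=True).split(b"\0")
        authzid, authcid, password = (p.decode("utf-8") for p in parts)
    except ValueError:  # bad base64, bad UTF-8, or not exactly three fields
        return False
    if authzid not in ("", authcid):  # no proxy authorization in this example
        return False
    return backend.verify(authcid, password)  # a yes/no answer is all PLAIN needs


# ---- CRAM-MD5 (RFC 2195): server challenge, client returns HMAC-MD5(secret, challenge) ----
def cram_md5_challenge(hostname="mail.example.com"):
    # Same shape Cyrus uses, "<random.timestamp@host>"; the hostname is an assumption.
    return f"<{secrets.randbits(32)}.{int(time.time())}@{hostname}>".encode()


def cram_md5_client_response(user, password, challenge):
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def cram_md5_server_verify(backend, challenge, response_b64):
    if not hasattr(backend, "get_secret"):
        # This is the pwcheck_method: saslauthd situation: without the secret the
        # server cannot recompute the HMAC, so the mechanism cannot be served.
        raise MechanismUnavailable("CRAM-MD5 needs the stored secret, not a verifier")
    try:
        user, digest = base64.b64decode(response_b64, validate=True).decode().rsplit(" ", 1)
    except ValueError:
        return False
    secret = backend.get_secret(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


# ---- the "external restriction" from the text: no plaintext mechanisms off-TLS ----
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def advertised_mechs(mech_list, tls_active):
    """Filter a mech_list the way a mail server that refuses plaintext
    authentication without TLS would advertise it (assumed policy)."""
    mechs = mech_list.split()
    return mechs if tls_active else [m for m in mechs if m not in PLAINTEXT_MECHS]


if __name__ == "__main__":
    users = {"alice": "s3cret"}  # constructed test data
    challenge = cram_md5_challenge()
    for name, backend in (("saslauthd", SaslauthdBackend(users)), ("auxprop", AuxpropBackend(users))):
        print(name, "PLAIN:", plain_server_verify(backend, plain_client_response("alice", "s3cret")))
        try:
            ok = cram_md5_server_verify(backend, challenge, cram_md5_client_response("alice", "s3cret", challenge))
        except MechanismUnavailable as exc:
            ok = f"unavailable ({exc})"
        print(name, "CRAM-MD5:", ok)
    print("advertised without TLS:", advertised_mechs("PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM", False))
```

Run stand-alone, the script shows `PLAIN` succeeding against both backends, `CRAM-MD5` succeeding only against the auxprop-style backend, and `PLAIN`/`LOGIN` dropped from the advertised list when the connection is not encrypted. The RFC 2195 test vector (user `tim`, secret `tanstaaftanstaaf`, challenge `<1896.697170952@postoffice.reston.mci.net>`) yields the digest `b913a602c7eda7a495b4e6e7334d3890` with this code.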
Managing a `sasldb` with these tools:

{{{
# Create (prompts for the password; -u sets the realm, which defaults to the host's FQDN)
saslpasswd2 -c -u domain.example.com USERNAME

# List registered logins (prints one "user@realm: userPassword" line per entry)
sasldblistusers2

# Delete
saslpasswd2 -d -u domain.example.com USERNAME
}}}

The realm has to match the one the mail server applies to bare usernames (for Postfix, `smtpd_sasl_local_domain`), because mail clients normally send the username without a realm. A non-default database file can be chosen with `-f` on both tools.

==== SQL ====

To use a [[SQL]] database as an auxiliary property, try:

{{{
pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
sql_engine: pgsql
sql_hostnames: 127.0.0.1, 192.0.2.1
sql_user: DBUSERNAME
sql_passwd: DBPASSWD
sql_database: DBNAME
sql_select: SELECT password FROM users WHERE user = '%u@%r'
}}}

In `sql_select`, `%u` is replaced by the username, `%r` by the realm and `%p` by the property being looked up (`userPassword` for a password check). Specify `sql_hostnames` as `localhost` for a [[Linux/Networking#Unix_Sockets|socket]], or `127.0.0.1` for a [[Protocols/TCP|TCP]] connection; when several hosts are listed, the first one that accepts a connection is used. Only [[PostgreSQL|pgsql]], [[MySQL|mysql]], and [[Sqlite|sqlite]] (or `sqlite3`) are supported for `sql_engine`.

Two caveats: the configuration file carries the database credentials in clear, so it must not be world-readable, and the `password` column has to hold the plaintext password, since the `sql` plugin compares `userPassword` directly and the shared-secret mechanisms need it to compute their digests. A remote database host such as `192.0.2.1` above would also carry those passwords over the network in clear unless the connection is encrypted (`sql_usessl: yes`).

==== LDAP ====

To use an [[Protocols/LDAP|LDAP]] directory as an auxiliary property, try:

{{{
pwcheck_method: auxprop
auxprop_plugin: ldapdb
mech_list: PLAIN LOGIN NTLM CRAM-MD5 DIGEST-MD5
ldapdb_uri: ldap://localhost
ldapdb_id: proxyuser
ldapdb_pw: password
ldapdb_mech: DIGEST-MD5
}}}

The `ldapdb` plugin binds to the directory as `ldapdb_id` using the SASL mechanism in `ldapdb_mech`, then uses proxy authorization to read the attributes (such as `userPassword`) of the user being authenticated, so the directory (OpenLDAP) must allow `proxyuser` to authorize as those users (`authzTo`/`authzFrom`). Specify `ldapdb_uri` as `ldapi://...` for a [[Linux/Networking#Unix_Sockets|socket]], `ldap://...` for a TCP connection, or `ldaps://...` for an encrypted TCP connection; use the socket or `ldaps://` whenever the directory is not on the same host, since `ldapdb_pw` and the looked-up passwords would otherwise cross the network in clear.

----

== See also ==

[[https://man.archlinux.org/man/extra/cyrus-sasl/saslauthd.8|saslauthd(8)]]

[[https://man.archlinux.org/man/saslpasswd2.8|saslpasswd2(8)]]

----

CategoryRicottone