Paranoid Penguin - Secure Mail with LDAP and IMAP, Part II

An IMAP mail server with an LDAP directory makes things simple, secure and easy for the user. Now Mick explains the tricky parts to make you the company e-mail guru.

In the first part of this series on using LDAP with the Cyrus IMAP mail delivery server (LJ, November 2003), we got as far as installing and setting up Cyrus IMAP and Cyrus SASL. In this article, we add some users to Cyrus IMAP and configure Postfix to deliver mail to the Cyrus IMAP server.

Cyrus IMAP Documentation

Before we dive back in to Cyrus IMAP configuration and administration, a note about documentation. Cyrus IMAP comes with an administrator's manual in HTML format. In the SuSE distribution, the manual is in /usr/share/doc/packages/cyrus-imapd/doc, and in Simon Matter's Red Hat SRPM distribution (see Part I of this article) it's in /usr/share/doc/cyrus-imapd-2.1.12. The link misleadingly labeled Installation actually leads not only to Cyrus installation instructions but to configuration and administration instructions as well. Besides this documentation, several man pages also are included with Cyrus IMAP, most notably imapd.conf(5), imapd(8) and cyradm(1).

In addition to Cyrus IMAP's included documentation, I recommend the book Managing IMAP by Dianna and Kevin Mullet (O'Reilly & Associates, 2000). As far as I know, it's the only book dedicated to IMAP. Although its coverage of Cyrus IMAP doesn't extend to LDAP, it's a well-written book that clearly explains IMAP concepts and Cyrus IMAP administration; it also covers UW-IMAP in some detail.

Using cyradm

Cyrus IMAP comes with a Perl script, cyradmn, that provides the most convenient way to create and manage user mailboxes. You should understand several things before using cyradm. First, you should run cyradm from any account with which you also read e-mail. In other words, you never should use an IMAP administrative account as an e-mail account. Due to unusual write-access permissions, using such accounts to read or send e-mail can have strange negative effects on your server. As we learned last time, Cyrus administrative accounts are named according to the variable admins in /etc/imapd.conf.

Second, cyradm uses the same authentication method as does the rest of Cyrus IMAP. In my previous column, we determined this by setting /etc/imapd.conf's variable sasl_pwcheck_method to saslauthd and by editing /etc/sysconfig/saslauthd to use either LDAP or, in the case of SuSE, to use PAM. PAM itself can be configured to use LDAP for IMAP transactions in the files /etc/pam.d/imap and /etc/openldap/ldap.conf. In short, cyradm identifies and authenticates administrative users with LDAP, assuming you've correctly configured LDAP support in Cyrus IMAP, as described last time.

Finally, to authenticate, cyradm performs an LDAP auth lookup against your user name and password, using the LDAP attribute UID as the search criterion. For each user account you want to allow to run cyradm, therefore, the LDAP record needs to contain definitions for both UID and userPassword. UID is a required attribute and userPassword is an allowed attribute in the posixAccount Object Class, so all IMAP user accounts need to be associated with posixAccount.

This last point has another important ramification: in your OpenLDAP server's /etc/openldap/slapd.conf file, you need to have access control list (ACL) statements granting auth access to the userPassword attribute for whatever LDAP user your IMAP server (or its saslauthd process) uses to bind to the LDAP server (that is, to perform authentications). LDAP ACL statements are described in the slapd.conf(5) man page and in my article “Authenticate with LDAP, Part III” (LJ, September 2003).

cyradm usually is run as an administrative shell rather than as a command, per se. When you invoke cyradm, supplying your user name plus the host you wish to administer, it prompts you for a password. On successful authentication, it begins an interactive session with its own commands and help screen. cyradm also can be run non-interactively; see the cyradm(1) man page for information on using cyradm for scripting.

The simplest invocation of cyradm is:

bash-$> cyradm --user username hostname

If you're running cyradm on the same host on which Cyrus IMAP is running, you can use the hostname localhost. If the server you want to administer is a remote host, however, specify its hostname or IP address. By default, cyradm attempts to connect to it over TCP port 143. Because Cyrus IMAP uses this port for clear-text communication, use the --port option to specify TCP port 993 for TLS-encrypted communications instead, like this: --port 993. Personally, in such situations I find it simplest to connect to my remote IMAP servers with SSH and then run cyradm locally on the remote host using my SSH session.

Suppose I want to run cyradm locally on my IMAP server and my admin account is called mick_admin. The command would look like this:

bash-$ cyradm -u mick_admin localhost
IMAP Password: **********

   localhost>

______________________

White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState