Tuesday, February 15, 2011

Dovecot with Kerberos Authentication

Dovecot authentication and authorization consist of two parts: passdb and userdb. passdb confirms that a user's credentials are valid for access, while userdb determines how an authenticated user is mapped to a uid/gid (this is necessary because the mailbox lives on the file system).

In this post we take a look at the Dovecot configuration when Kerberos fills the passdb role. We also look at a few possibilities for the userdb implementation.

Before we proceed with the setup (let's assume our client machine name is mail1.dev.local) you need to set up the following:
  • Kerberos Client (look here).
Once the basic installation of the above is complete, add the imap service principal and export it into the keytab:
kadmin -p admin -q "addprinc -randkey imap/mail1.dev.local"

kadmin -p admin -q "ktadd imap/mail1.dev.local"

Dovecot V1.x Configuration

  1. Configure dovecot to use gssapi for authentication (file /etc/dovecot/dovecot.conf):
    auth default {
      #mechanisms = plain
      mechanisms = gssapi
    }
    
  2. If you want to permit users to authenticate to Dovecot with a password (instead of transparent Kerberos authentication via GSSAPI), then the plain mechanism must remain as well, i.e. mechanisms = plain gssapi.
  3. Restart dovecot:
    /etc/init.d/dovecot restart
    

Dovecot V2.0 Configuration

  1. Install dovecot gssapi package:
    apt-get install dovecot-gssapi
    
  2. The dovecot group needs read permission on the Kerberos keytab file (/etc/krb5.keytab); keep the file unreadable by anyone else.
    chgrp dovecot /etc/krb5.keytab
    chmod g+r /etc/krb5.keytab
    
  3. Ensure the following settings in authentication configuration (file /etc/dovecot/conf.d/10-auth.conf):
    # FQDN for the mail server
    auth_gssapi_hostname = mail1.dev.local
    
    # Location of keytab file
    auth_krb5_keytab = /etc/krb5.keytab
    
    auth_mechanisms = gssapi
    
  4. Restart dovecot:
    /etc/init.d/dovecot restart
    
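As an added example (not from the original post), the following Python script parses both the V1 block syntax and the V2 flat settings shown above and flags the two things worth re-checking after a change: whether gssapi is actually offered (and whether plain is still offered alongside it), and whether a keytab mode satisfies step 2, group-readable without being world-readable. The sample configurations inside it are constructed, and the function and variable names are mine.

```python
import re
import stat

# Constructed sample of the V2 flat settings (10-auth.conf style), not a real file.
SAMPLE_V2 = """
# FQDN for the mail server
auth_gssapi_hostname = mail1.dev.local
auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = plain gssapi
"""
# Constructed sample of the V1 block syntax (dovecot.conf style).
SAMPLE_V1 = """
auth default {
  #mechanisms = plain
  mechanisms = gssapi
  userdb static {
    args = uid=vmail gid=vmail home=/var/mail/%u
  }
}
"""
_KV = re.compile(r"^(\w+)\s*=\s*(.*)$")

def parse_settings(text):
    """Flatten either syntax into {key: value}; '#' comments and block braces are
    skipped, so V1 'mechanisms' and V2 'auth_mechanisms' both become plain keys."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith("{") or line == "}":
            continue
        m = _KV.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def audit_auth(settings):
    """Findings about the Kerberos-related auth settings; an empty list means
    only GSSAPI is offered, as in the gssapi-only configuration above."""
    mechs = (settings.get("auth_mechanisms") or settings.get("mechanisms") or "").split()
    findings = []
    if "gssapi" not in mechs:
        findings.append("gssapi missing: Kerberos tickets will not be accepted")
    if "plain" in mechs:
        findings.append("plain present: password logins remain possible")
    return findings

def keytab_mode_ok(mode):
    """Step 2 above: the keytab must be group-readable (dovecot) but not world-readable.
    Pass os.stat(path).st_mode for a real file."""
    return bool(mode & stat.S_IRGRP) and not (mode & stat.S_IROTH)
```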

Virtual Hosting

While all users are authenticated against Kerberos, we can map mailbox access to a single local user/group, e.g. vmail. This scenario is implemented with Dovecot's static userdb configuration option.
# 1. User is created with home directory set
# to /var/mail.
# 2. User added to group vmail.
# 3. Do not create a home directory (-M).
# 4. User has no shell, ssh login impossible.
groupadd vmail
useradd -d /var/mail -G vmail -M -s /bin/false vmail
The changes to the Dovecot configuration are below:
auth default {
  mechanisms = gssapi
  userdb static {
    args = uid=vmail gid=vmail home=/var/mail/%u
  }
}
When you create a new mailbox, the vmail user must be its owner. Let's create a mailbox for user1:
mkdir /var/mail/user1
chown vmail /var/mail/user1
On successful user1 authentication, Dovecot will populate all necessary files for the mailbox.

OpenLDAP

You can use Kerberos authentication together with LDAP authorization. In this case the LDAP database serves the userdb purpose. You have to set up the OpenLDAP client with Kerberos (see here). Ensure the following settings in the Dovecot configuration:
auth default {
  mechanisms = plain gssapi
  passdb pam {
  }
  userdb passwd {
  }
}
This approach uses PAM. When you create a mailbox for a user, ensure the user account (uid defined in LDAP) is the owner of the mailbox.
