"SfR Fresh" - the SfR Freeware/Shareware Archive 
Member "dovecot-1.0.15/doc/wiki/Authentication.Kerberos.txt" of archive dovecot-1.0.15.tar.gz:
As a special service "SfR Fresh" has tried to format the requested source page into HTML format using source code syntax highlighting with prefixed line numbers.
Alternatively you can here view or download the uninterpreted source code file.
That can be also achieved for any archive member file by clicking within an archive contents listing on the first character of the file(path) respectively on the according byte size field.

Kerberos
========

Dovecot supports Kerberos 5 using GSSAPI. The Kerberos authentication mechanism doesn't require having a >>passdb<<, but you do need a >>userdb<< so Dovecot can look up user-specific information, such as where their mailboxes are stored.

*Note:* If you only wish to authenticate clients using their Kerberos /passphrase/ (as opposed to ticket authentication), you will probably want to use >>PAM<< authentication with 'pam_krb5.so' instead.


Pre-requisites
==============

This document assumes that you already have a Kerberos Realm up and functioning correctly at your site, and that each host in your realm also has a host /keytab/ installed in the appropriate location.

For Dovecot, you will need to install the appropriate /service/ keys on your server. By default, Dovecot will look for these in the host's keytab file, typically '/etc/krb5.keytab', but you can specify an alternate path using the 'auth_krb5_keytab' configuration entry in dovecot.conf. If you wish to provide an IMAP service, you will need to install a service ticket of the form 'imap/hostname@REALM'. For POP3, you will need a service ticket of the form 'pop/hostname@REALM'. When using Dovecot's >>SASL<< with an MTA, you will need to install a service ticket of the form 'smtp/hostname@REALM'.
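A way to verify these keytab prerequisites before starting Dovecot, as an added example that is not part of this wiki page or of Dovecot itself: it parses a krb5 keytab file directly (assuming the version 0x0502 format that MIT and Heimdal write), lists the principals it holds, reports which of the 'imap/', 'pop/' (or 'smtp/') keys for the host are missing, and flags principals whose only keys use DES or RC4 enctypes. The hostname, realm and key bytes used in the fixture are constructed; '/etc/krb5.keytab' is the default path named above.

```python
"""Added example, not Dovecot's own code: check a krb5 keytab for the service keys
Dovecot needs. Assumes keytab format version 0x0502 (big-endian, as written by MIT
and Heimdal); the data built by build_keytab() is a constructed test fixture."""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# RFC 3961 / RFC 4757 enctype numbers that are deprecated for new deployments.
WEAK_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 23: "rc4-hmac"}


@dataclass
class KeytabEntry:
    principal: str   # e.g. "imap/mail.example.com@EXAMPLE.COM"
    name_type: int   # 1 = KRB5_NT_PRINCIPAL
    timestamp: int
    kvno: int
    enctype: int
    key_len: int


def _counted(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Read a 16-bit length-prefixed octet string at pos; return (bytes, new pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Walk the entries of a v2 keytab, skipping deleted (negative-size) slots."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # hole left behind by a deleted entry
            pos += -size
            continue
        entry, p = data[pos:pos + size], 0
        (ncomp,) = struct.unpack_from(">H", entry, p)
        p += 2
        realm, p = _counted(entry, p)
        comps = []
        for _ in range(ncomp):        # in v2 the realm is not counted as a component
            comp, p = _counted(entry, p)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", entry, p)
        p += 9
        (enctype,) = struct.unpack_from(">H", entry, p)
        p += 2
        key, p = _counted(entry, p)
        kvno = vno8
        if p + 4 <= len(entry):       # optional 32-bit kvno wins when it is non-zero
            (vno32,) = struct.unpack_from(">I", entry, p)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, len(key)))
        pos += size
    return entries


def missing_service_keys(data: bytes, hostname: str, realm: str,
                         services: Iterable[str] = ("imap", "pop")) -> List[str]:
    """Service principals Dovecot would need for this host that the keytab lacks."""
    present = {e.principal for e in parse_keytab(data)}
    wanted = ["%s/%s@%s" % (svc, hostname, realm) for svc in services]
    return [p for p in wanted if p not in present]


def weak_key_principals(data: bytes) -> List[str]:
    """Principals whose keys are all of a weak enctype (DES or RC4)."""
    strong, order = set(), []
    for e in parse_keytab(data):
        if e.principal not in order:
            order.append(e.principal)
        if e.enctype not in WEAK_ENCTYPES:
            strong.add(e.principal)
    return [p for p in order if p not in strong]


def build_keytab(keys: Iterable[Tuple[str, int, int, bytes]]) -> bytes:
    """Construct a v2 keytab in memory (fixture only; real ones come from kadmin's ktadd)."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in keys:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp 0
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)
```

Against a real server, read '/etc/krb5.keytab' (or the path given in 'auth_krb5_keytab') in binary mode and pass the bytes to missing_service_keys(); add "smtp" to the services tuple when Dovecot also provides SASL to the MTA. The parser never needs the key material itself, only its length, so the check can run with the keytab's confidentiality intact on a host that can already read it.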


Example dovecot.conf configurations
===================================

If you only want to use Kerberos ticket-based authentication:

---%<-------------------------------------------------------------------------
auth default {
  mechanisms = gssapi
  userdb static {
    args = uid=vmail gid=vmail home=/var/vmail/%u
  }
}
---%<-------------------------------------------------------------------------

(In this virtual-hosting example, all mail is stored in /var/vmail/$username with uid and gid set to 'vmail')

If you also want to support plaintext authentication in addition to ticket-based authentication, you will need something like:

---%<-------------------------------------------------------------------------
auth default {
  mechanisms = plain gssapi
  passdb pam {
  }
  userdb passwd {
  }
}
---%<-------------------------------------------------------------------------

(Note that in this example, you will also need to configure PAM to use whichever authentication backends are appropriate for your site.)
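A small audit of the auth section that encodes the rules both configurations above rely on (gssapi needs a userdb but no passdb; plaintext mechanisms need a passdb), as an added example that is not part of this wiki page or of Dovecot: it parses the brace-nested dovecot.conf syntax and reports what is missing. The two page configurations are embedded as input; the MIXED variant additionally sets the Dovecot 1.0 option 'disable_plaintext_auth = no' (a constructed weakening, assumed here to be the relevant setting) so that the audit shows why offering 'plain' alongside 'gssapi' deserves a second look.

```python
"""Added example, not Dovecot's own code: parse a Dovecot 1.0-style dovecot.conf and
audit its auth section against the rules above (gssapi needs a userdb, plaintext
mechanisms need a passdb). Only the 1.0 setting 'disable_plaintext_auth' (default yes)
is read besides the auth section; the sample configs below are embedded test input."""
import re
from typing import List

SECTION_RE = re.compile(r"^(\S+(?:\s+\S+)?)\s*\{$")   # "auth default {", "passdb pam {"


def parse_conf(text: str) -> dict:
    """Turn brace-nested config into {'settings': {k: v}, 'sections': [(name, subtree)]}.
    Everything after '#' is a comment (no value on this page contains one)."""
    root = {"settings": {}, "sections": []}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("line %d: unbalanced '}'" % lineno)
            stack.pop()
            continue
        m = SECTION_RE.match(line)
        if m:
            node = {"settings": {}, "sections": []}
            stack[-1]["sections"].append((m.group(1), node))
            stack.append(node)
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("line %d: cannot parse %r" % (lineno, raw))
        stack[-1]["settings"][key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError("unclosed section at end of file")
    return root


def audit_auth(conf: dict) -> List[str]:
    """Findings for each 'auth ...' section; an empty list means the rules above hold."""
    findings = []
    auth_sections = [(n, s) for n, s in conf["sections"] if n.split()[0] == "auth"]
    if not auth_sections:
        return ["no auth section: no mechanisms are enabled"]
    plaintext_allowed = conf["settings"].get("disable_plaintext_auth", "yes").lower() == "no"
    for name, sec in auth_sections:
        mechs = set(sec["settings"].get("mechanisms", "").split())
        kinds = {n.split()[0] for n, _ in sec["sections"]}
        if "gssapi" not in mechs:
            findings.append("%s: gssapi not in mechanisms, Kerberos ticket auth is off" % name)
        if "userdb" not in kinds:
            findings.append("%s: no userdb, Dovecot cannot look up home/uid/gid for users" % name)
        plain = " ".join(sorted(mechs & {"plain", "login"}))
        if plain and "passdb" not in kinds:
            findings.append("%s: no passdb, but %s needs one to verify passwords" % (name, plain))
        if plain and plaintext_allowed:
            findings.append("%s: disable_plaintext_auth = no lets %s run over unencrypted "
                            "connections" % (name, plain))
    return findings


# The two configurations from this page, plus a deliberately incomplete one.
TICKET_ONLY = """\
auth default {
  mechanisms = gssapi
  userdb static {
    args = uid=vmail gid=vmail home=/var/vmail/%u
  }
}
"""

MIXED = """\
disable_plaintext_auth = no   # constructed weakening, not part of the page's example
auth default {
  mechanisms = plain gssapi
  passdb pam {
  }
  userdb passwd {
  }
}
"""

BROKEN = """\
auth default {
  mechanisms = plain gssapi
}
"""

if __name__ == "__main__":
    for label, text in (("ticket-only", TICKET_ONLY), ("mixed", MIXED), ("broken", BROKEN)):
        print(label, audit_auth(parse_conf(text)) or ["ok"])
```

The ticket-only configuration passes cleanly, which is the point of the page's first example: with only 'gssapi' enabled no password ever reaches Dovecot, so there is nothing for a passdb to verify. The mixed configuration is only flagged because the fixture explicitly allows plaintext over unencrypted connections; with Dovecot's default of 'disable_plaintext_auth = yes' it passes as well.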


Client support
==============

Mail clients that support Kerberos GSSAPI authentication include:

* Evolution
* Mozilla Thunderbird
* >>SeaMonkey<<
* Mutt
* UW Pine

Testing
=======

*FIXME*: This section requires cleanup.

The test:

* Set up mutt in /etc/Muttrc to use Kerberos via GSSAPI for IMAP; this is done with 'set imap_authenticators="gssapi"'
* Run 'kinit' (type in your Kerberos password)
* Run 'mutt'
* If you get the error "No Authentication Method":
  * Run 'klist' (lists all your Kerberos tickets); it should show imap/HOSTNAME
  * /etc/hosts has to be set properly so that Kerberos can find the server.
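A scripted version of the 'klist' check in the list above, as an added example that is not part of this wiki page, Dovecot or mutt: it parses klist's output and reports whether the credential cache holds a still-valid TGT and a still-valid imap/HOSTNAME service ticket, distinguishing "never ran kinit" from "kinit expired" from "mutt never obtained the service ticket" (the last being the case where the server name in /etc/hosts or DNS deserves a look). It assumes the MIT klist table layout with MM/DD/YY HH:MM:SS timestamps; SAMPLE_KLIST is constructed output, not a real cache.

```python
"""Added example, not Dovecot's own code: parse 'klist' output and confirm the client
holds a usable service ticket for the IMAP server, which is what the "klist should show
imap/HOSTNAME" step above checks. Assumes MIT klist's table layout with MM/DD/YY
HH:MM:SS timestamps; SAMPLE_KLIST below is constructed output, not a real cache."""
import re
import subprocess
from datetime import datetime
from typing import Dict, Optional

STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(r"^(%s)\s+(%s)\s+(\S+)$" % (STAMP, STAMP))
TIME_FMT = "%m/%d/%y %H:%M:%S"


def parse_time(stamp: str) -> datetime:
    """Parse one klist timestamp in the assumed MM/DD/YY HH:MM:SS layout."""
    return datetime.strptime(stamp, TIME_FMT)


def parse_klist(text: str) -> Dict[str, datetime]:
    """Map each service principal listed by klist to its expiry time."""
    tickets = {}
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            tickets[m.group(3)] = parse_time(m.group(2))
    return tickets


def ticket_problem(text: str, service: str, hostname: str, realm: str,
                   now: datetime) -> Optional[str]:
    """None when a valid service/hostname@realm ticket is cached, otherwise why not."""
    tickets = parse_klist(text)
    tgt = "krbtgt/%s@%s" % (realm, realm)
    if tgt not in tickets:
        return "no TGT for %s: run kinit first" % realm
    if tickets[tgt] <= now:
        return "TGT for %s expired at %s: run kinit again" % (realm, tickets[tgt])
    wanted = "%s/%s@%s" % (service, hostname, realm)
    if wanted not in tickets:
        return ("no %s ticket yet: the client has not requested one for %s; check that "
                "mutt is set to gssapi and that /etc/hosts or DNS resolves the server "
                "name to the one in its keytab principal" % (wanted, hostname))
    if tickets[wanted] <= now:
        return "%s ticket expired at %s" % (wanted, tickets[wanted])
    return None


SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
12/11/07 09:00:00    12/11/07 19:00:00    krbtgt/EXAMPLE.COM@EXAMPLE.COM
12/11/07 09:01:12    12/11/07 19:00:00    imap/mail.example.com@EXAMPLE.COM
"""

if __name__ == "__main__":
    # Run against the real credential cache: klist must be on PATH.
    out = subprocess.run(["klist"], capture_output=True, text=True).stdout
    print(ticket_problem(out, "imap", "mail.example.com", "EXAMPLE.COM", datetime.now()) or "ok")
```

Run after the 'mutt' step: a service ticket for imap/HOSTNAME appears in the cache only once the client has asked the KDC for it, so its absence while the TGT is fine points at the client configuration or the server name lookup rather than at the Dovecot side.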

(This file was created from the wiki on 2007-12-11 04:42)