exim-doc-4.73-2.fc15.noarch.rpm

<!DOCTYPE html PUBLIC "XSLT-compat">
<html lang="en-GB">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link rel="stylesheet" type="text/css" href="../../../../common.css">
<meta name="author" content="The Exim Project. &lt;http://www.exim.org/&gt;">
<meta name="copyright" content="Copyright ©2010 The Exim Project. All rights reserved">
<meta name="description" content="Exim is a message transfer agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet.">
<meta name="keywords" content="exim,smtp,mta,email">
<meta name="robots" content="noodp,noydir,index,follow">
<meta name="viewport" content="width=device-width">
<title>36. The cyrus_sasl authenticator</title>
<link rel="stylesheet" type="text/css" href="../../../../doc/chapter.css">
<link rel="canonical" href="http://www.exim.org/exim-html-current/doc/html/spec_html/ch36.html">
</head>
<body>
<h1 id="header"><a href="../../../..">Exim Internet Mailer</a></h1>
<div id="outer">
<div id="inner"><div id="content">
<div id="chapter" class="chapter">
<h2 id="CHID10" class="">Chapter 36 - The cyrus_sasl authenticator</h2>
<p>
The code for this authenticator was provided by Matthew Byng-Maddick of A L
Digital Ltd (<span class="docbook_emphasis"><a href="http://www.aldigital.co.uk">http://www.aldigital.co.uk</a></span>).
</p>
<p>
The <span class="docbook_command">cyrus_sasl</span> authenticator provides server support for the Cyrus SASL
library's implementation of RFC 2222 (“Simple Authentication and Security
Layer”). This library supports a number of authentication mechanisms,
including PLAIN and LOGIN, but also several others that Exim does not support
directly. In particular, there is support for Kerberos authentication.
</p>
<p>
The <span class="docbook_command">cyrus_sasl</span> authenticator provides a gatewaying mechanism directly to
the Cyrus interface, so if your Cyrus library can do, for example, CRAM-MD5,
then so can the <span class="docbook_command">cyrus_sasl</span> authenticator. By default it uses the public
name of the driver to determine which mechanism to support.
</p>
<p>
Where access to some kind of secret file is required, for example in GSSAPI
or CRAM-MD5, note that the authenticator runs as the Exim user and that the
Cyrus SASL library has no way of escalating privileges by default, so the file
must be readable by the Exim user. You may also find you need to set
environment variables, depending on the driver you are using.
</p>
<p>
The application name provided by Exim is “exim”, so various SASL options may
be set in <span class="docbook_filename">exim.conf</span> in your SASL directory. If you are using GSSAPI for
Kerberos, note that because of limitations in the GSSAPI interface,
changing the server keytab might need to be communicated down to the Kerberos
layer independently. The mechanism for doing so is dependent upon the Kerberos
implementation. For example, for Heimdal, the environment variable KRB5_KTNAME
may be set to point to an alternative keytab file. Exim will pass this
variable through from its own inherited environment when started as root or the
Exim user. The keytab file needs to be readable by the Exim user.
</p>
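<p>
The permission requirements in the two paragraphs above can be checked before deployment. The following Python script is an added example, not part of the Exim documentation or code: it evaluates POSIX mode bits to confirm that a secret file such as the keytab is readable by the Exim user without being exposed to other accounts. The account name <code>exim</code> and the default path <code>/etc/krb5.keytab</code> are assumptions; ACLs and directory search permissions are not evaluated.
</p>

```python
import os
import stat

def access_for(st, uid, gids):
    """Return (can_read, class_used) for a non-root uid from mode bits only.

    POSIX picks exactly one class: owner wins over group, group over other.
    A file with mode 0040 owned by the Exim user is therefore NOT readable
    by it, even if the Exim user is also in the file's group.
    """
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR), "owner"
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP), "group"
    return bool(st.st_mode & stat.S_IROTH), "other"

def check_secret(path, uid, gids):
    """Audit one secret file (keytab, sasldb, ...) for the given uid/gids.

    Returns a list of findings; an empty list means the file is readable
    by that user and not readable or writable by unrelated accounts.
    """
    findings = []
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    readable, via = access_for(st, uid, gids)
    if not readable:
        findings.append(f"uid {uid} cannot read it ({via} bits deny)")
    if st.st_mode & stat.S_IROTH:
        findings.append("world-readable")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or other")
    return findings

def keytab_path(environ, default="/etc/krb5.keytab"):
    """Keytab the Kerberos layer would use: KRB5_KTNAME if set, else default.

    Strips an optional 'FILE:' type prefix. The default path is an assumption.
    """
    name = environ.get("KRB5_KTNAME", default)
    return name[5:] if name.startswith("FILE:") else name

if __name__ == "__main__":
    import pwd
    pw = pwd.getpwnam("exim")  # assumed account name; differs between distributions
    gids = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    path = keytab_path(os.environ)
    print(path, check_secret(path, pw.pw_uid, gids) or "ok")
```

<p>
Run it with the same <code>KRB5_KTNAME</code> value that the Exim daemon inherits, since the script resolves the keytab from its own environment.
</p>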
<div class="section">
<h3 id="SECID178" class="">1. Using cyrus_sasl as a server</h3>
<p>
The <span class="docbook_command">cyrus_sasl</span> authenticator has four private options. It puts the username
(on a successful authentication) into $auth1. For compatibility with
previous releases of Exim, the username is also placed in $1. However, the
use of this variable for this purpose is now deprecated, as it can lead to
confusion in string expansions that also use numeric variables for other
things.
</p>
<table>






<tr>
<td><span class="docbook_option">server_hostname</span></td>
<td>Use: <span class="docbook_emphasis">cyrus_sasl</span>
</td>
<td>Type: <span class="docbook_emphasis">string</span>†
</td>
<td>Default: <span class="docbook_emphasis">see below</span>
</td>
</tr>


</table>
<p>
This option selects the hostname that is used when communicating with the
library. The default value is <code class="docbook_literal">$primary_hostname</code>. It is up to the underlying
SASL plug-in what it does with this data.
</p>
<table>






<tr>
<td><span class="docbook_option">server_mech</span></td>
<td>Use: <span class="docbook_emphasis">cyrus_sasl</span>
</td>
<td>Type: <span class="docbook_emphasis">string</span>
</td>
<td>Default: <span class="docbook_emphasis">see below</span>
</td>
</tr>


</table>
<p>
This option selects the authentication mechanism this driver should use. The
default is the value of the generic <span class="docbook_option">public_name</span> option. This option allows
you to use a different underlying mechanism from the advertised name. For
example:
</p>
<div class="docbook_literallayout"><pre>
sasl:
  driver = cyrus_sasl
  public_name = X-ANYTHING
  server_mech = CRAM-MD5
  server_set_id = $auth1
</pre></div>
<table>






<tr>
<td><span class="docbook_option">server_realm</span></td>
<td>Use: <span class="docbook_emphasis">cyrus_sasl</span>
</td>
<td>Type: <span class="docbook_emphasis">string</span>
</td>
<td>Default: <span class="docbook_emphasis">unset</span>
</td>
</tr>


</table>
<p>
This specifies the SASL realm that the server claims to be in.
</p>
<table>






<tr>
<td><span class="docbook_option">server_service</span></td>
<td>Use: <span class="docbook_emphasis">cyrus_sasl</span>
</td>
<td>Type: <span class="docbook_emphasis">string</span>
</td>
<td>Default: <span class="docbook_emphasis"><code class="docbook_literal">smtp</code></span>
</td>
</tr>


</table>
<p>
This is the SASL service that the server claims to implement.
</p>
<p>
For straightforward cases, you do not need to set any of the authenticator’s
private options. All you need to do is to specify an appropriate mechanism as
the public name. Thus, if you have a SASL library that supports CRAM-MD5 and
PLAIN, you could have two authenticators as follows:
</p>
<div class="docbook_literallayout"><pre>
sasl_cram_md5:
  driver = cyrus_sasl
  public_name = CRAM-MD5
  server_set_id = $auth1

sasl_plain:
  driver = cyrus_sasl
  public_name = PLAIN
  # cyrus_sasl puts the authenticated username in $auth1
  server_set_id = $auth1
</pre></div>
<p>
Cyrus SASL does implement the LOGIN authentication method, even though it is
not a standard method. It is disabled by default in the source distribution,
but it is present in many binary distributions.
</p>
</div>
</div>
</div></div>
</div>
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4/jquery.min.js"></script><script type="text/javascript" src="../../../../common.js"></script><script type="text/javascript" src="../../../../doc/chapter.js"></script>
</body>
</html>