Previous | Contents | Index |
Several sample security configuration files are presented, both basic examples immediately below and more sophisticated examples in the following subsections.
These examples are for the legacy IMAP server. |
Example 14-1 shows a security configuration file corresponding to the implicit security configuration used if no security file exists.
Example 14-1 Implicit Default Security Configuration |
---|
[RULESET=DEFAULT] ENABLE=MSGSTORE/*,PASSDB/*,SYSTEM/* |
Example 14-2 shows allowing anonymous IMAP access by anyone to the ftp
account. It assumes a PORT_ACCESS mapping sorting IMAP connections into
their own IMAP-RULES ruleset is in place, along the lines of:
PORT_ACCESS TCP|*|143|*|* $YIMAP-RULES |
Example 14-2 Security Configuration Allowing
Anonymous IMAP Access to the ftp Account |
---|
[RULESET=DEFAULT] ENABLE=MSGSTORE/*,PASSDB/*,SYSTEM/* ! [AUTH_SOURCE=ANONYMOUS] USER=ftp ! [RULESET=IMAP-RULES] ENABLE=MSGSTORE/CRAM-MD5,MSGSTORE/PLAIN,SYSTEM/PLAIN,ANONYMOUS/* |
To set controls for any POPPASSD servers (see Section 14.6), one would define a [RULESET=POPPASSD-RULES] section and a PORT_ACCESS mapping assigning POPPASSD connections to the POPPASSD-RULES security rule set; for instance, if the only POPPASSD server listens on port 106, then the PMDF mapping file would need to include something like:
PORT_ACCESS TCP|*|106|*|* $YPOPPASSD-RULES |
Example 14-3 Security Configuration with POPPASSD Controls |
---|
[RULESET=DEFAULT] ENABLE=MSGSTORE/*,PASSDB/*,SYSTEM/* ! [RULESET=POPPASSD-RULES] ENABLE=MSGSTORE/*,PASSDB/* |
14.2.8.1 Sample Security Configuration Files Using Alternate Authentication Sources
Example 14-4 shows adding a Kerberos V4 shared library.
Example 14-4 Security Configuration Using a Kerberos V4 Shared Library on UNIX |
---|
[AUTH_SOURCE=KERBEROS] IMAGE=/usr/local/lib/krb4sasl.so FUNCTION=krb4sasl_init SRVTAB=/etc/srvtab ! [RULESET=DEFAULT] ENABLE=KERBEROS/*,MSGSTORE/*,PASSDB/*,SYSTEM/* |
Example 14-5 shows a security configuration file for looking up authentication verifiers in an LDAP directory. See the additional discussion of [AUTH_SOURCE=LDAP] in Section 14.2.3.
Example 14-5 Security Configuration for LDAP Authentication |
---|
[RULESET=DEFAULT] ENABLE=LDAP/* ! [AUTH_SOURCE=LDAP] SERVER=elvira.example.com BASEDN=o="Example Software",st=Massachusetts,c=us |
Example 14-6 Security Configuration for LDAP Authentication without CRAM-MD5 |
---|
[RULESET=DEFAULT] ENABLE=LDAP/PLAIN ! [AUTH_SOURCE=LDAP] SERVER=elvira.example.com BASEDN=o="Example Software",st=Massachusetts,c=us |
14.2.8.2 Sample Security Configuration Files for Transitioning Between Authentication Sources
The examples in this section assume that a PORT_ACCESS mapping sorting
connections into their own IMAP and POP rulesets is in place, along the
lines of:
PORT_ACCESS TCP|*|110|*|* $YPOP TCP|*|143|*|* $YIMAP |
Example 14-7 shows moving POP users from the system password file to PMDF user profile passwords (PMDF MessageStore and PMDF popstore profile passwords); hence this is the sort of security configuration a site might use when POP users are being transitioned from use of the legacy mailbox (i.e., BSD mailbox on UNIX or VMS MAIL mailbox on OpenVMS) to use of the PMDF popstore mailbox. Example 14-8 shows disallowing use of plaintext passwords; only one time use of plaintext password is allowed as the passwords are migrated to CRAM-MD5 storage. Example 14-9 similarly shows disallowing use of either plaintext or APOP, other than as a one time transitional usage, as passwords are migrated to CRAM-MD5 storage.
Example 14-7 Security Configuration when Migrating POP Users to the PMDF popstore |
---|
[RULESET=DEFAULT] ENABLE=PASSDB/CRAM-MD5,PASSDB/PLAIN,SYSTEM/PLAIN TRANSITION_CRITERIA=CLIENT ! [RULESET=IMAP] ENABLE=MSGSTORE/CRAM-MD5,MSGSTORE/PLAIN,PASSDB/CRAM-MD5,PASSDB/PLAIN,SYSTEM/PLAIN ! [RULESET=POP] ENABLE=MSGSTORE/*,SYSTEM/* TRANSITION_CRITERIA=PLAIN TRANSITION_ADD=MSGSTORE/PLAIN TRANSITION_DISABLE=SYSTEM/PLAIN TRANSITION_FROM=SYSTEM TRANSITION_RETAIN_USERS=admin1,admin2 |
Example 14-8 Security Configuration Disallowing plaintext Passwords, except for Transitioning to CRAM-MD5 |
---|
[RULESET=DEFAULT] ENABLE=PASSDB/CRAM-MD5 TRANSITION_CRITERIA=CLIENT TRANSITION_FROM=PASSDB/*,SYSTEM/* TRANSITION_ADD=PASSDB/CRAM-MD5 ! [RULESET=POP] ENABLE=MSGSTORE/CRAM-MD5,MSGSTORE/APOP,PASSDB/CRAM-MD5,PASSDB/APOP ! [RULESET=IMAP] ENABLE=MSGSTORE/CRAM-MD5,PASSDB/CRAM-MD5 |
Example 14-9 Security Configuration Disallowing plaintext and APOP |
---|
[RULESET=DEFAULT] ENABLE=PASSDB/CRAM-MD5 TRANSITION_CRITERIA=CLIENT TRANSITION_ADD=PASSDB/CRAM-MD5 TRANSITION_DELETE=PASSDB/PLAIN TRANSITION_FROM=PASSDB/*,SYSTEM/*,MSGSTORE/* ! ! Disable use of the APOP mechanism for the PMDF password database ! [AUTH_SOURCE=PASSDB] PASS_FORMAT=CRAM-MD5 ! [RULESET=POP] ENABLE=MSGSTORE/CRAM-MD5,PASSDB/CRAM-MD5 TRANSITION_FROM=MSGSTORE/*,PASSDB/*,SYSTEM/* ! [RULESET=IMAP] ENABLE=MSGSTORE/CRAM-MD5,PASSDB/CRAM-MD5 |
Previous | Next | Contents | Index |