Kerberos
========

Dovecot supports Kerberos 5 using GSSAPI. The Kerberos authentication mechanism doesn't require having a <passdb> [PasswordDatabase.txt], but you do need a <userdb> [UserDatabase.txt] so Dovecot can look up user-specific information, such as where their mailboxes are stored.

*Note:* If you only wish to authenticate clients using their Kerberos /passphrase/ (as opposed to ticket authentication), you will probably want to use <PAM> [PasswordDatabase.PAM.txt] authentication with 'pam_krb5.so' instead.

Pre-requisites
--------------

This document assumes that you already have a Kerberos realm up and functioning correctly at your site, and that each host in your realm also has a host /keytab/ installed in the appropriate location.

For Dovecot, you will need to install the appropriate /service/ keys on your server. By default, Dovecot will look for these in the host's keytab file, typically '/etc/krb5.keytab', but you can specify an alternate path using the 'auth_krb5_keytab' configuration entry in dovecot.conf.

If you wish to provide an IMAP service, you will need to install a key for a service principal of the form 'imap/hostname@REALM'. For POP3, you will need a key for a service principal of the form 'pop/hostname@REALM'.
Example dovecot.conf configurations
-----------------------------------

If you only want to use Kerberos ticket-based authentication:

---%<-------------------------------------------------------------------------
auth default {
  mechanisms = gssapi
  userdb static {
    args = uid=vmail gid=vmail home=/var/vmail/%u
  }
}
---%<-------------------------------------------------------------------------

(In this virtual-hosting example, all mail is stored in /var/vmail/$username with uid and gid set to 'vmail'.)

If you also want to support plaintext authentication in addition to ticket-based authentication, you will need something like:

---%<-------------------------------------------------------------------------
auth default {
  mechanisms = plain gssapi
  passdb pam {
  }
  userdb passwd {
  }
}
---%<-------------------------------------------------------------------------

(Note that in this example, you will also need to configure PAM to use whichever authentication backends are appropriate for your site.)

Client support
--------------

Mail clients that support Kerberos GSSAPI authentication include:

 * Evolution
 * Mozilla Thunderbird
 * Mutt
 * UW Pine

Testing
-------

*FIXME*: This section requires cleanup.

The test:

 * Set up mutt in /etc/Muttrc to use Kerberos (GSSAPI) with your IMAP configuration.
 * Run 'kinit' (type in your Kerberos password).
 * Run 'mutt'.
 * If you get the error "No Authentication Method":
   * Run 'klist' (lists your Kerberos tickets); it should show imap/HOSTNAME.
   * /etc/hosts has to be set up properly so that Kerberos can find the server.

(This file was created from the wiki on 2007-06-15 04:42)
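As an added example (not part of the original wiki page and not Dovecot's own code), tying the pre-requisites section to the Testing section: a POSIX shell check that the server's keytab listing contains the 'imap/hostname@REALM' service key Dovecot needs, and that a client's ticket cache holds a ticket for that service after 'kinit' and a mutt login. The two listings are constructed samples in the shape of 'klist -k' and 'klist' output; 'mail.example.com' and 'EXAMPLE.COM' are assumed names. In real use you would feed the functions the actual output of those commands instead of the embedded samples.

```sh
#!/bin/sh
# Added example, not from the Dovecot wiki. Checks a keytab listing and a
# ticket-cache listing for a given service principal. All names below
# (mail.example.com, EXAMPLE.COM, alice) are assumptions.

# Constructed sample in the shape of `klist -k /etc/krb5.keytab` output.
# Note that only host/ and imap/ keys are present: no pop/ key.
KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/mail.example.com@EXAMPLE.COM
   2 imap/mail.example.com@EXAMPLE.COM'

# Constructed sample in the shape of `klist` output after the user ran
# kinit and mutt completed a GSSAPI login to the IMAP server.
TICKET_CACHE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
06/15/07 04:42:00  06/15/07 14:42:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
06/15/07 04:43:10  06/15/07 14:42:00  imap/mail.example.com@EXAMPLE.COM'

# has_principal LISTING SERVICE HOSTNAME REALM
# Returns 0 when "SERVICE/HOSTNAME@REALM" appears as a whole whitespace-
# separated field in LISTING, 1 otherwise. Whole-field comparison avoids
# matching "imap/mail.example.com@EXAMPLE.COM" when only a principal with
# that string as a prefix or suffix is present.
has_principal() {
    listing=$1
    principal="$2/$3@$4"
    printf '%s\n' "$listing" | awk -v p="$principal" '
        { for (i = 1; i <= NF; i++) if ($i == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_service_key SERVICE HOSTNAME REALM
# Server-side check: does the keytab hold the key Dovecot needs to accept
# GSSAPI for this service? Returns 0 if so, 1 if the key is missing.
check_service_key() {
    if has_principal "$KEYTAB_LISTING" "$1" "$2" "$3"; then
        echo "keytab has $1/$2@$3"
        return 0
    fi
    echo "keytab lacks $1/$2@$3: GSSAPI logins for $1 will fail" >&2
    return 1
}

# check_client_ticket SERVICE HOSTNAME REALM
# Client-side check from the Testing section: after kinit and a mutt
# login, the cache should show a ticket for imap/HOSTNAME. Returns 0 if
# the ticket is present, 1 if not.
check_client_ticket() {
    if has_principal "$TICKET_CACHE" "$1" "$2" "$3"; then
        echo "ticket cache has a ticket for $1/$2@$3"
        return 0
    fi
    echo "no ticket for $1/$2@$3: check kinit and /etc/hosts resolution" >&2
    return 1
}

# Walk through both checks with the constructed samples.
check_service_key imap mail.example.com EXAMPLE.COM
check_service_key pop mail.example.com EXAMPLE.COM || true
check_client_ticket imap mail.example.com EXAMPLE.COM
```

Against a live system, replace the two embedded listings with `klist -k /etc/krb5.keytab` (run as the user Dovecot's auth process runs as, so you also confirm it can read the keytab) and the client's plain `klist`; a missing 'pop/' key, as in the sample, is exactly the condition that makes POP3 GSSAPI logins fail while IMAP keeps working.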