Sun Java System Messaging Server 6.3 Administration Guide

23.3 Configuring Authentication Mechanisms

An authentication mechanism is a particular method for a client to prove its identity to a server. Messaging Server supports authentication methods defined by the Simple Authentication and Security Layer (SASL) protocol and it supports certificate-based authentication. The SASL mechanisms are described in this section. For more information about certificate-based authentication, see 23.5 Configuring Encryption and Certificate-Based Authentication.

Messaging Server supports the following SASL authentication methods for password-based authentication.


Note –

This feature is deprecated and will be removed in a future release.


With a challenge/response authentication mechanism, the server sends a challenge string to the client. The client responds with a hash computed from that challenge and the user's password. If the client's response matches the hash the server computes itself, the user is authenticated. The hash is not reversible, so the user's password is not exposed on the network. Because the server must compute the same hash, it needs access to the user's plaintext password; see 23.3.1 To Configure Access to Plaintext Passwords.


Note –

The POP, IMAP, and SMTP services support all SASL mechanisms. The HTTP service supports only the plaintext password mechanism.


Table 23–1 shows some SASL and SASL-related configutil parameters. For the latest and most complete listing of configutil parameters, see the configutil Parameters in Sun Java System Messaging Server 6.3 Administration Reference.

Table 23–1 Some SASL and SASL-related configutil Parameters

Parameter  

Description  

sasl.default.ldap.has_plain_passwords

Boolean indicating that the directory stores plaintext passwords, which enables APOP, CRAM-MD5, and DIGEST-MD5. 

Default: False 

sasl.default.transition_criteria

No longer supported or used. See sasl.default.auto_transition.

sasl.default.auto_transition

Boolean. When set and a user provides a plaintext password, the password storage format is transitioned to the default password storage method of the directory server. This can be used to migrate from plaintext passwords to APOP, CRAM-MD5, or DIGEST-MD5. 

Default: False 

service.imap.allowanonymouslogin

This enables the SASL ANONYMOUS mechanism for use by IMAP. 

Default: False 

service.{imap|pop|http}.plaintextmincipher

If this is > 0, then disable use of plaintext passwords unless a security layer (SSL or TLS) is activated. This forces users to enable SSL or TLS on their client to log in, which prevents exposure of their passwords on the network. The MMP has an equivalent option, "RestrictPlainPasswords". 

NOTE: The 5.2 release of Messaging Server checked this value against the strength of the cipher negotiated by SSL or TLS. That feature has been removed to simplify this option and better reflect common-case usage. 

Default: 0 

sasl.default.mech_list

A space-separated list of SASL mechanisms to enable. If non-empty, this overrides the sasl.default.ldap.has_plain_passwords option as well as the service.imap.allowanonymouslogin option. This option applies to all protocols (imap, pop, smtp).

Default: False 

sasl.default.ldap.searchfilter

This is the default search filter used to look up users when one is not specified in the inetDomainSearchFilter for the domain. The syntax is the same as inetDomainSearchFilter (see schema guide).

Default: (&(uid=%U)(objectclass=inetmailuser))

sasl.default.ldap.searchfordomain

By default, the authentication system looks up the domain in LDAP following the rules for domain lookup (ref. needed) and then looks up the user. However, if this option is set to "0" rather than the default value of "1", the domain lookup does not happen and a search for the user (using sasl.default.ldap.searchfilter) occurs directly under the LDAP tree specified by local.ugldapbasedn. This is provided for compatibility with legacy single-domain schemas, but its use is not recommended for new deployments, as even a small company may go through a merger or name change that requires support for multiple domains.
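As an added illustration of how the parameters in Table 23–1 interact (this is not Messaging Server code; the function names, and the assumption that PLAIN is offered whenever no mech_list is set, are mine), the following model computes which mechanisms one connection would be offered and flags configurations that let a plaintext password cross the network without a security layer:

```python
# Constructed model of the rules stated in Table 23-1, not the product's logic.
# Assumption: with no mech_list, PLAIN is always offered and the challenge/response
# and ANONYMOUS mechanisms are added according to the two Boolean options.
CHALLENGE_RESPONSE_MECHS = {"APOP", "CRAM-MD5", "DIGEST-MD5"}


def advertised_mechanisms(config, security_layer_active):
    """Return the set of SASL mechanisms the model offers on one IMAP connection.

    config maps configutil parameter names to their values as strings;
    security_layer_active says whether SSL/TLS has been negotiated.
    """
    mech_list = config.get("sasl.default.mech_list", "").strip()
    if mech_list:
        # A non-empty mech_list overrides has_plain_passwords and allowanonymouslogin.
        mechs = {m.upper() for m in mech_list.split()}
    else:
        mechs = {"PLAIN"}
        if config.get("sasl.default.ldap.has_plain_passwords", "0") == "1":
            mechs |= CHALLENGE_RESPONSE_MECHS
        if config.get("service.imap.allowanonymouslogin", "0") == "1":
            mechs.add("ANONYMOUS")
    # plaintextmincipher > 0 suppresses plaintext passwords unless SSL/TLS is active.
    mincipher = int(config.get("service.imap.plaintextmincipher", "0"))
    if mincipher > 0 and not security_layer_active:
        mechs.discard("PLAIN")
    return mechs


def plaintext_exposure(config):
    """Audit check: True if a plaintext password would be accepted on a
    connection that has no security layer, i.e. it travels in the clear."""
    return "PLAIN" in advertised_mechanisms(config, security_layer_active=False)
```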

23.3.1 To Configure Access to Plaintext Passwords

To work, the CRAM-MD5, DIGEST-MD5, or APOP SASL authentication methods require access to the users’ plaintext passwords. You need to perform the following steps:

  1. Configure Directory Server to store passwords in cleartext.

  2. Configure Messaging Server so that it knows Directory Server is using cleartext passwords.
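The following added example (not from this guide or the product) walks through a CRAM-MD5 exchange of the kind described in this section, checks it against the RFC 2195 known-answer vector, and shows why the server side fails unless the directory entry holds the plaintext password. The directory contents and host name are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed directory: "tim" is stored in cleartext (the RFC 2195 example
# secret); "bob" is stored as a salted SHA-1 hash, as a directory that does not
# keep cleartext passwords would hold it. Both entries are made up.
SALT = b"salt"
DIRECTORY = {
    "tim": "tanstaaftanstaaf",
    "bob": "{SSHA}" + base64.b64encode(
        hashlib.sha1(b"battery staple" + SALT).digest() + SALT).decode(),
}

# Challenge from the RFC 2195 worked example, used as a known-answer check.
RFC2195_CHALLENGE = "<1896.697170952@postoffice.reston.mci.net>"


def make_challenge(host="mail.example.com"):
    """Server side: a fresh challenge per connection, in RFC 2195 form."""
    return f"<{os.getpid()}.{int(time.time())}@{host}>"


def client_response(username, password, challenge):
    """Client side: HMAC-MD5 keyed with the password over the challenge.
    Only this digest, never the password, crosses the network."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def server_verify(response, challenge, directory=DIRECTORY):
    """Server side: recompute the digest from the stored password.
    Returns True on a match, False on a wrong digest or unknown user, and
    raises LookupError when the stored value is hashed: without the plaintext
    password the server cannot compute the expected digest, which is why
    sasl.default.ldap.has_plain_passwords must only be 1 when the directory
    really stores cleartext."""
    username, _, digest = response.partition(" ")
    stored = directory.get(username)
    if stored is None:
        return False
    if stored.startswith("{"):  # {SSHA}, {SHA}, {crypt}, ...: not plaintext
        raise LookupError(f"{username}: hashed password, CRAM-MD5 impossible")
    expected = hmac.new(stored.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)
```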

Procedure: To Configure Directory Server to Store Cleartext Passwords

To enable the CRAM-MD5, DIGEST-MD5, or APOP mechanisms, you must configure the Directory Server to store passwords in cleartext. If you are using a Directory Server prior to version 6, the following instructions apply. For version 6 or later, refer to the latest Directory Server documentation (Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide):

  1. In the Directory Server Console, open the Directory Server you want to configure.

  2. Click the Configuration tab.

  3. Open Data in the left pane.

  4. Click Passwords in the right pane.

  5. From the Password encryption drop-down list, choose “cleartext”.


    Note –

    This change only impacts users created in the future. Existing users will have to transition or have their password reset after this change.


23.3.1.1 To Configure Messaging Server for Cleartext Passwords

You can now configure Messaging Server so that it knows the Directory Server is able to retrieve cleartext passwords. This makes it safe for Messaging Server to advertise APOP, CRAM-MD5, and DIGEST-MD5:

configutil -o sasl.default.ldap.has_plain_passwords -v 1

You can disable these challenge/response SASL mechanisms by setting the value to 0.


Note –

Existing users cannot use APOP, CRAM-MD5, or DIGEST-MD5 until their password is reset or migrated (see 23.3.2 To Transition Users).

Note that MMP has an equivalent option: CRAMs.


23.3.2 To Transition Users

You can use configutil to specify how users are transitioned, for example when a user's password changes or when a client attempts to authenticate with a mechanism for which the user does not yet have a suitable password entry.

configutil -o sasl.default.auto_transition -v value

For value, you can specify one of the following:

To successfully transition users, you must set up ACIs in the Directory Server that allow Messaging Server write access to the user password attribute. To do this, perform the following steps:

Procedure: To Transition Users

If you are using a Directory Server prior to version 6, the following instructions apply. For version 6 or later, refer to the latest Directory Server documentation (Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide):

  1. In Console, open the Directory Server you want to configure.

  2. Click the Directory tab.

  3. Select the base suffix for the user/group tree.

  4. From the Object menu, select Access Permissions.

  5. Select (double click) the ACI for “Messaging Server End User Administrator Write Access Rights”.

  6. Click ACI Attributes.

  7. Add the userpassword attribute to the list of existing attributes.

  8. Click OK.
