An authentication mechanism is a particular method for a client to prove its identity to a server. Messaging Server supports authentication methods defined by the Simple Authentication and Security Layer (SASL) protocol and it supports certificate-based authentication. The SASL mechanisms are described in this section. For more information about certificate-based authentication, see Configuring Encryption and Certificate-Based Authentication.
Messaging Server supports the following SASL authentication methods for password-based authentication.
PLAIN - This mechanism passes the user’s plaintext password over the network, where it is susceptible to eavesdropping.
Note that SSL/TLS removes the eavesdropping problem by encrypting the connection before the password is sent. For more information, see Configuring Encryption and Certificate-Based Authentication.
DIGEST-MD5 - A challenge/response authentication mechanism defined in RFC 2831. (DIGEST-MD5 is not yet supported by Messaging Multiplexor.)
DIGEST-MD5 is deprecated and will be removed in a future release.
CRAM-MD5 - A challenge/response authentication mechanism similar to APOP, but suitable for use with other protocols as well. Defined in RFC 2195.
APOP - A challenge/response authentication mechanism that can be used only with the POP3 protocol. Defined in RFC 1939.
LOGIN - This is equivalent to PLAIN and exists only for compatibility with pre-standard implementations of SMTP authentication. By default the mechanism is only enabled for use by SMTP.
With a challenge/response authentication mechanism, the server sends a unique challenge string to the client. The client responds with a hash of that challenge keyed with the user's password (CRAM-MD5 uses HMAC-MD5 over the challenge; APOP uses MD5 over the server's timestamp banner followed by the password). The server computes the same hash from the password it holds and authenticates the user if the two values match. Because the hash is not reversible, the password itself never crosses the network. Two consequences follow: the server must be able to read the user's plaintext password in order to compute its side of the hash (this is why these mechanisms require cleartext password storage in the directory, see below), and an eavesdropper who captures a challenge and its response can still test password guesses offline against the pair, so weak passwords remain at risk even with these mechanisms.
The POP, IMAP, and SMTP services support all SASL mechanisms. The HTTP service supports only the plaintext password mechanism.
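The following added example (not code from this page or from Messaging Server) works the CRAM-MD5 and APOP exchanges through both sides, using the published worked values from RFC 2195 and RFC 1939. The directory lookup is a constructed dict standing in for the LDAP userPassword attribute, and the wordlist in the last function is constructed. It shows concretely why the server needs the plaintext password, and what an eavesdropper can still do with a captured exchange.

```python
"""CRAM-MD5 (RFC 2195) and APOP (RFC 1939) exchanges, worked end to end.
Added example, not Messaging Server code. The server side must recompute
the same keyed hash the client computed, which is only possible if it
holds the user's plaintext password."""

import base64
import hashlib
import hmac
import os
import time


def cram_md5_challenge(hostname, pid=None, timestamp=None):
    """Server: RFC 2195 challenge '<pid.timestamp@hostname>', unique per exchange."""
    pid = os.getpid() if pid is None else pid
    timestamp = int(time.time()) if timestamp is None else timestamp
    return "<%d.%d@%s>" % (pid, timestamp, hostname)


def cram_md5_response(username, password, challenge):
    """Client: 'username ' + hex(HMAC-MD5(key=password, msg=challenge))."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return "%s %s" % (username, digest)


def cram_md5_verify(response, challenge, lookup_plaintext_password):
    """Server: recompute with the stored *plaintext* password and compare in
    constant time. A {SSHA}-style hash in the directory would be useless here,
    because HMAC needs the password bytes themselves as the key."""
    parts = response.split(" ", 1)
    if len(parts) != 2:
        return False
    username, digest = parts
    stored = lookup_plaintext_password(username)
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def sasl_wire(text):
    """SASL carries challenge and response as base64 on the wire
    (IMAP '+ <b64>', SMTP '334 <b64>'); this is that encoding step."""
    return base64.b64encode(text.encode()).decode()


def sasl_unwire(b64):
    return base64.b64decode(b64.encode()).decode()


def apop_digest(banner_timestamp, password):
    """APOP (RFC 1939): hex(MD5(timestamp-banner || shared-secret)). The POP3
    server must likewise hold the secret in plaintext to check it."""
    return hashlib.md5((banner_timestamp + password).encode()).hexdigest()


def guess_cram_md5_password(challenge, digest, candidates):
    """Caveat: the password never crosses the wire, but anyone who captured the
    challenge and digest can test guesses offline at MD5 speed."""
    for candidate in candidates:
        if hmac.new(candidate.encode(), challenge.encode(), hashlib.md5).hexdigest() == digest:
            return candidate
    return None


def demo():
    """Run the RFC 2195 worked example through both sides (constructed store)."""
    challenge = "<1896.697170952@postoffice.reston.mci.net>"
    directory = {"tim": "tanstaaftanstaaf"}  # constructed plaintext password store
    # Client decodes the base64 challenge it received, computes the response.
    response = cram_md5_response("tim", directory["tim"], sasl_unwire(sasl_wire(challenge)))
    # Server verifies using the plaintext password from the directory.
    ok = cram_md5_verify(sasl_unwire(sasl_wire(response)), challenge, directory.get)
    return response, ok


if __name__ == "__main__":
    print(demo())
```

The `guess_cram_md5_password` function is the practical reason the challenge/response mechanisms are not a substitute for SSL/TLS: they hide the password from the wire, but not from an offline guessing attack on a captured exchange.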
Table 19–1 shows some SASL and SASL-related configutil parameters. For the latest and most complete listing of configutil parameters, see the configutil Parameters in Sun Java System Messaging Server 6 2005Q4 Administration Reference.
Table 19–1 Some SASL and SASL-related configutil Parameters

| Parameter | Description |
|---|---|
| sasl.default.ldap.has_plain_passwords | Boolean indicating that the directory stores plaintext passwords, which enables APOP, CRAM-MD5 and DIGEST-MD5. Default: False |
|  | No longer supported or used. See sasl.default.auto_transition. |
| sasl.default.auto_transition | Boolean. When set and a user provides a plaintext password, the password storage format is transitioned to the default password storage method of the directory server. This can be used to migrate from plaintext passwords to APOP, CRAM-MD5 or DIGEST-MD5. Default: False |
| service.imap.allowanonymouslogin | Enables the SASL ANONYMOUS mechanism for use by IMAP. Default: False |
|  | If this is > 0, disables the use of plaintext passwords unless a security layer (SSL or TLS) is active. This forces users to enable SSL or TLS on their client in order to log in, which prevents exposure of their passwords on the network. The MMP has an equivalent option, "RestrictPlainPasswords". NOTE: the 5.2 release of Messaging Server actually checked the value against the strength of the cipher negotiated by SSL or TLS. That feature has been eliminated to simplify this option and better reflect common-case usage. Default: 0 |
| sasl.default.mech_list | A space-separated list of SASL mechanisms to enable. If non-empty, this overrides the sasl.default.ldap.has_plain_passwords option as well as the service.imap.allowanonymouslogin option. This option applies to all protocols (imap, pop, smtp). Default: False |
| sasl.default.ldap.searchfilter | The default search filter used to look up users when one is not specified in the inetDomainSearchFilter for the domain. The syntax is the same as inetDomainSearchFilter (see schema guide). Default: (&(uid=%U)(objectclass=inetmailuser)) |
|  | By default, the authentication system looks up the domain in LDAP following the rules for domain lookup (ref. needed) and then looks up the user. If this option is set to "0" rather than the default value of "1", the domain lookup does not happen and a search for the user (using sasl.default.ldap.searchfilter) occurs directly under the LDAP tree specified by local.ugldapbasedn. This is provided for compatibility with legacy single-domain schemas; it is not recommended for new deployments, as even a small company may go through a merger or name change that requires support for multiple domains. |
The CRAM-MD5, DIGEST-MD5, and APOP SASL mechanisms only work if Messaging Server can read the users' plaintext passwords, because it must recompute the client's keyed hash from the password itself. You need to perform the following steps:
Configure Directory Server to store passwords in cleartext.
Configure Messaging Server so that it knows Directory Server is using cleartext passwords.
To enable CRAM-MD5, DIGEST-MD5, or APOP mechanisms, you must configure the Directory Server to store passwords in cleartext as follows:
In Console, open the Directory Server you want to configure.
Click the Configuration tab.
Open Data in the left pane.
Click Passwords in the right pane.
From the Password encryption drop-down list, choose “cleartext”.
This change only affects passwords set from now on. Existing users keep their hashed passwords until they are transitioned or have their passwords reset. Note also that the directory now holds passwords in a recoverable form, so anyone with read access to the userPassword attribute can obtain them; restrict read access to that attribute accordingly.
You can now configure Messaging Server so that it knows the Directory Server is able to retrieve cleartext passwords. This makes it safe for Messaging Server to advertise APOP, CRAM-MD5, and DIGEST-MD5:
configutil -o sasl.default.ldap.has_plain_passwords -v 1
You can disable these challenge/response SASL mechanisms by setting the value to 0.
Existing users cannot use APOP, CRAM-MD5, or DIGEST-MD5 until their password is reset or migrated (see To Transition Users).
Note that MMP has an equivalent option: CRAMs.
You can use configutil to control whether user passwords are transitioned to the directory's default storage format whenever Messaging Server receives a user's plaintext password, for example when a user changes a password, or when a client authenticates with a mechanism for which the user's entry has no suitable password.
configutil -o sasl.default.auto_transition -v value
For value, you can specify one of the following:
no or 0 - Don’t transition passwords. This is the default.
yes or 1 - Do transition passwords.
To successfully transition users, you must set up ACIs in the Directory Server that allow Messaging Server write access to the user password attribute. To do this, perform the following steps:
In Console, open the Directory Server you want to configure.
Click the Directory tab.
Select the base suffix for the user/group tree.
From the Object menu, select Access Permissions.
Select (double click) the ACI for “Messaging Server End User Administrator Write Access Rights”.
Click ACI Attributes.
Add the userpassword attribute to the list of existing attributes.
Click OK.
sasl.default.mech_list can be used to enable a list of SASL mechanisms. If non-empty, this overrides the sasl.default.ldap.has_plain_passwords option as well as the service.imap.allowanonymouslogin option. This option applies to all protocols (imap, pop, smtp).
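As an added example that is not part of the original page or of Messaging Server, the following check applies the rules from Table 19–1 and the cleartext-password procedure above to a directory export, so you can see the consequences before flipping sasl.default.ldap.has_plain_passwords or setting sasl.default.mech_list. The LDIF and configuration dictionaries are constructed; the config keys are the configutil names quoted on this page, except `plaintextmincipher`, an assumed key standing in for the table row whose name is not preserved here (the one that disables plaintext passwords unless a security layer is active).

```python
"""Pre-flight check of the SASL settings covered in this section. Added
example, not Messaging Server code: it applies the documented rules
(mech_list overrides has_plain_passwords and allowanonymouslogin; a > 0
plaintext-minimum setting disables PLAIN/LOGIN without TLS; challenge/
response needs cleartext directory passwords) to an LDIF export."""

import base64
import re

CHALLENGE_RESPONSE = ("APOP", "CRAM-MD5", "DIGEST-MD5")
PLAINTEXT_MECHS = ("PLAIN", "LOGIN")
# Key for the Table 19-1 row "If this is > 0, disable plaintext passwords
# unless a security layer is activated". Its configutil name is not
# preserved on this page, so this key name is an assumption.
PLAINTEXT_MIN_KEY = "plaintextmincipher"


def password_is_cleartext(value):
    """Directory Server writes hashed passwords as '{SCHEME}...' (e.g. {SSHA}).
    With 'cleartext' selected the value carries no scheme prefix."""
    m = re.match(r"\{([A-Za-z0-9-]+)\}", value)
    return m is None or m.group(1).lower() == "clear"


def parse_ldif_passwords(ldif):
    """Map dn -> userPassword from an LDIF export. Attribute names are
    case-insensitive; base64 values ('userPassword:: ...') are decoded."""
    result, dn = {}, None
    for line in ldif.splitlines():
        low = line.lower()
        if low.startswith("dn: "):
            dn = line[4:].strip()
        elif not line.strip():
            dn = None  # blank line ends the entry
        elif dn and low.startswith("userpassword:: "):
            result[dn] = base64.b64decode(line.split("::", 1)[1].strip()).decode()
        elif dn and low.startswith("userpassword: "):
            result[dn] = line.split(":", 1)[1].strip()
    return result


def audit_sasl_config(config, ldif):
    """config mirrors 'configutil -o NAME -v VALUE' as a dict of strings.
    Returns a list of (code, detail) findings; an empty list means no issue."""
    has_plain = config.get("sasl.default.ldap.has_plain_passwords", "0") == "1"
    auto_transition = config.get("sasl.default.auto_transition", "0").lower() in ("1", "yes")
    mech_list = config.get("sasl.default.mech_list", "").upper().split()
    plaintext_min = int(config.get(PLAINTEXT_MIN_KEY, "0"))

    # Effective mechanism set: a non-empty mech_list wins outright.
    if mech_list:
        cr_enabled = any(m in CHALLENGE_RESPONSE for m in mech_list)
        plain_enabled = any(m in PLAINTEXT_MECHS for m in mech_list)
    else:
        cr_enabled = has_plain
        plain_enabled = True

    findings = []
    if mech_list and cr_enabled and not has_plain:
        findings.append(("MECH_LIST_OVERRIDES_HAS_PLAIN",
                         "mech_list advertises a challenge/response mechanism although "
                         "has_plain_passwords=0; responses cannot be verified for hashed entries"))
    hashed = sorted(dn for dn, pw in parse_ldif_passwords(ldif).items()
                    if not password_is_cleartext(pw))
    if cr_enabled and hashed:
        code = "HASHED_USERS_WILL_TRANSITION" if auto_transition else "HASHED_USERS"
        findings.append((code, "entries without a cleartext password cannot use "
                         + "/".join(CHALLENGE_RESPONSE) + ": " + ", ".join(hashed)))
    if plain_enabled and plaintext_min <= 0:
        findings.append(("PLAIN_WITHOUT_TLS",
                         "PLAIN/LOGIN are accepted on unencrypted connections; "
                         "passwords are exposed to eavesdropping"))
    return findings


# Constructed LDIF: one legacy hashed entry, one cleartext, one base64-wrapped cleartext.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,o=example.com
objectClass: inetmailuser
uid: alice
userPassword: {SSHA}bm90YXJlYWxoYXNoanVzdGFjb25zdHJ1Y3RlZHZhbHVl

dn: uid=bob,ou=People,o=example.com
objectClass: inetmailuser
uid: bob
userPassword: bobs-cleartext-password

dn: uid=carol,ou=People,o=example.com
objectClass: inetmailuser
uid: carol
userPassword:: Y2Fyb2xzLWNsZWFydGV4dA==
"""

if __name__ == "__main__":
    for finding in audit_sasl_config({"sasl.default.ldap.has_plain_passwords": "1"}, SAMPLE_LDIF):
        print("%s: %s" % finding)
```

Running it with only has_plain_passwords=1 reports alice as unable to use the challenge/response mechanisms (the "existing users" caveat above) and flags that PLAIN is still accepted without TLS; adding sasl.default.auto_transition=yes turns the first finding into a note that alice will be transitioned on her next plaintext login.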