Skip to content

John McEleney / mailutils

Go to a project
Toggle navigation
Toggle navigation pinning
Commit 4c9d4ab8 4c9d4ab89f11e0fe8732314f78b203c80dd11609 by Sergey Poznyakoff
Options

Documented authentication concepts and related command line options.

1 parent 8cf444cb
Inline Side-by-side
Showing 1 changed file with 164 additions and 14 deletions
...@@ -6,6 +6,7 @@ ...@@ -6,6 +6,7 @@
6 GNU Mailutils provides a set of programs for handling the email. 6 GNU Mailutils provides a set of programs for handling the email.
7 7
8 @menu 8 @menu
9 * authentication:: Authorization and authentication principles.
9 * configuration:: Common configuration file. 10 * configuration:: Common configuration file.
10 * imap4d:: IMAP4 daemon. 11 * imap4d:: IMAP4 daemon.
11 * pop3d:: POP3 daemon. 12 * pop3d:: POP3 daemon.
...@@ -20,6 +21,107 @@ GNU Mailutils provides a set of programs for handling the email. ...@@ -20,6 +21,107 @@ GNU Mailutils provides a set of programs for handling the email.
20 @end menu 21 @end menu
21 22
22 @page 23 @page
24 @node authentication
25 @section Authorization and authentication principles.
26 @cindex authorization
27 @cindex authentication
28
29 Some mail utilities provide access to their services only after
30 verifying that the user is actually the person he is claiming
31 to be. Such programs are, for example, @command{pop3d} and
32 @command{imap4d}. The process of the verification is broken
33 down into two stages: @dfn{authorization} and @dfn{authentication}.
34 In @dfn{authorization} stage the program retrieves the information
35 about a particular user. In @dfn{authentication} stage, this information
36 is compared against the user-supplied credentials. Only if both stages
37 succeed is the user allowed to use the service.
38
39 A set of @dfn{modules} is involved in performing each stage. For
40 example, the authorization stage can retrieve the user description
41 from various sources: system database, sql database, virtual domain
42 table, etc. Each module is responsible for retrieving the description
43 from a particular source of information. The modules are arranged in
44 a @dfn{module list}. The modules from the list are invoked in turn, until
45 either a one of them succeeds or the list is exhausted. In latter case
46 the authorization fails. Otherwise the data returned by the succeeded
47 module are used in authentication.
48
49 Similarly, authentication may be performed in several ways. The
50 authentication modules are also grouped in a list. Each module
51 is tried in turn until either a module succeeds, in which case the
52 authentication succeeds, or the end of the list is reached.
53
54 We represent the module lists as column-separated lists of module
55 names. For example, the authorization list
56
57 @example
58 system:sql:virtdomains
59 @end example
60
61 @noindent
62 means that first the system user database (@file{/etc/password}) is
63 searched for a description of a user in question. If the search fails,
64 the @acronym{sql} database is searched. Finally, if it also fails, the
65 search is performed in the virtual domain database.
66
67 @emph{Note}, that some authentication and/or authorization modules may
68 be disabled when configuring the package before compilation. The names
69 of the disabled modules are nevertheless available for use in runtime
70 configuration options, but they represent a ``fail-only'' functionality,
71 e.g. if the package was compiled without @acronym{sql} support then the
72 module @samp{sql} in the above example will always fail, thus passing
73 the execution on to the next module.
74
75 The modules available for use in authorization list are:
76
77 @table @asis
78 @item system
79 User credentials are retrieved from the system user database
80 (@file{/etc/password}).
81 @item sql
82 User credentials are retrieved from the @acronym{sql} database. The set
83 of @option{--sql-} options (@pxref{auth}) is used to configure
84 access to the database.
85 @item virtdomain
86 User credentials are retrieved from a ``virtual domain'' user
87 database.
88 @end table
89
90 The modules available for use in authentication list are:
91
92 @table @asis
93 @item generic
94 The generic authentication type. User password is hashed and compared
95 against the hash value returned in authorization stage.
96 @item system
97 The hashed value of the user password is retrieved from
98 @file{/etc/shadow} file on systems that support it.
99 @item sql
100 The hashed value of the user password is retrieved from the @acronym{sql}
101 database using query supplied by @option{--sql-getpass} option
102 (@pxref{auth}).
103 @item pam
104 The user is authenticated via pluggable authentication module
105 (@acronym{pam}). The @acronym{pam} service name to be used is
106 configured via @option{--pam-service} option (@pxref{auth})
107 @end table
108
109 Unless overridden by @option{--authentication} command line option,
110 the list of authentication modules is:
111
112 @example
113 generic:system:pam:sql
114 @end example
115
116 @noindent
117 Unless overridden by @option{--authorization} command line option,
118 the list of authorization modules is:
119
120 @example
121 system:sql:virtdomains
122 @end example
123
124 @page
23 @node configuration 125 @node configuration
24 @section Mailutils configuration file 126 @section Mailutils configuration file
25 @cindex Mailutils configuration file 127 @cindex Mailutils configuration file
...@@ -193,30 +295,78 @@ of seconds. ...@@ -193,30 +295,78 @@ of seconds.
193 @subsection auth --- Authentication-specific options. 295 @subsection auth --- Authentication-specific options.
194 @cindex :auth 296 @cindex :auth
195 297
298 These options control the authorization and authentication module
299 lists. For a description of auhtentication concepts, refer to
300 @xref{authentication}.
301
196 @table @option 302 @table @option
303 @item --authorization @var{modlist}
304
305 This option allows to set up a list of modules to be used for
306 authorization. @var{modlist} is a colon-separated list of
307 modules. Valid modules are:
308
309 @table @asis
310 @item system
311 User credentials are retrieved from the system user database
312 (@file{/etc/password}).
313 @item sql
314 User credentials are retrieved from the @acronym{sql} database. The set
315 of @option{--sql-} options (see below) is used to configure
316 access to the database.
317 @item virtdomain
318 User credentials are retrieved from a ``virtual domain'' user
319 database.
320 @end table
321
322 @item --authentication @var{modlist}
323
324 This option allows to set up a list of modules to be used for
325 authentication. @var{modlist} is a colon-separated list of
326 modules. Valid modules are:
327
328 @table @asis
329 @item generic
330 The generic authentication type. User password is hashed and compared
331 against the hash value returned in authorization stage.
332 @item system
333 The hashed value of the user password is retrieved from
334 @file{/etc/shadow} file on systems that support it.
335 @item sql
336 The hashed value of the user password is retrieved from the @acronym{sql}
337 database using query supplied by @option{--sql-getpass} option
338 (see below).
339 @item pam
340 The user is authenicated via pluggable authentication module
341 (@acronym{pam}). The @acronym{pam} service name to be used is
342 configured via @option{--pam-service} option (see below)
343 @end table
344
197 @item --pam-service @var{name} 345 @item --pam-service @var{name}
198 When compiled with @acronym{pam} support, this option specifies the 346 When compiled with @acronym{pam} support, this option specifies the
199 name of @acronym{pam} service to be used when authenticating. 347 name of @acronym{pam} service to be used when authenticating.
200 @end table 348 @end table
201 349
202 The following options exist in this group if the package was configured 350 The following options exist in this group if the package was configured
203 with @samp{--enable-sql} option: 351 with @option{--enable-sql} option. They take effect only if the
352 @samp{sql} module is used in authentication and/or authorization.
353 Currently only MySQL is supported.
204 354
205 @table @option 355 @table @option
206 @item sql-getpwnam @var{query} 356 @item --sql-getpwnam @var{query}
207 SQL query to retrieve a passwd entry based on username 357 @acronym{sql} query to retrieve a passwd entry based on username
208 @item sql-getpwuid @var{query} 358 @item --sql-getpwuid @var{query}
209 @item sql-getpass @var{query} 359 @item --sql-getpass @var{query}
210 SQL query to retrieve a password from the database 360 @acronym{sql} query to retrieve a password from the database
211 @item sql-host @var{name} 361 @item --sql-host @var{name}
212 Name or IP of MySQL server to connect to. 362 Name or IP of MySQL server to connect to.
213 @item sql-user @var{name} 363 @item --sql-user @var{name}
214 SQL user name 364 @acronym{sql} user name
215 @item sql-passwd @var{string} 365 @item --sql-passwd @var{string}
216 SQL connection password 366 @acronym{sql} connection password
217 @item sql-db @var{string} 367 @item --sql-db @var{string}
218 Name of the database to connect to. 368 Name of the database to connect to.
219 @item sql-port @var{number} 369 @item --sql-port @var{number}
220 Port to use 370 Port to use
221 @end table 371 @end table
222 372
...@@ -246,7 +396,7 @@ facility @samp{local1}. ...@@ -246,7 +396,7 @@ facility @samp{local1}.
246 @example 396 @example
247 @group 397 @group
248 :mailbox --mail-spool /var/spool/mail 398 :mailbox --mail-spool /var/spool/mail
249 :auth --pam-service mailutils 399 :auth --authentication pam --pam-service mailutils
250 :logging --log-facility mail 400 :logging --log-facility mail
251 imap4d --daemon=20 --timeout=1800 --log-facility local1 401 imap4d --daemon=20 --timeout=1800 --log-facility local1
252 @end group 402 @end group
......