PMDF System Manager's Guide



14.2.8 Sample Security Configuration Files

Several sample security configuration files are presented, both basic examples immediately below and more sophisticated examples in the following subsections.

Note

These examples are for the legacy IMAP server.

Example 14-1 shows a security configuration file corresponding to the implicit security configuration used if no security file exists.

Example 14-1 Implicit Default Security Configuration

[RULESET=DEFAULT] 
ENABLE=MSGSTORE/*,PASSDB/*,SYSTEM/* 

Example 14-2 allows anonymous IMAP access, by anyone, to the ftp account. The ANONYMOUS source is enabled only in the IMAP-RULES ruleset, so connections that fall into the DEFAULT ruleset are not offered anonymous access at all. The example assumes that a PORT_ACCESS mapping sorting IMAP connections into their own IMAP-RULES ruleset is in place, along the lines of:


PORT_ACCESS 
 
  TCP|*|143|*|*   $YIMAP-RULES 
 

Example 14-2 Security Configuration Allowing Anonymous IMAP Access to the ftp Account

[RULESET=DEFAULT] 
ENABLE=MSGSTORE/*,PASSDB/*,SYSTEM/* 
! 
[AUTH_SOURCE=ANONYMOUS] 
USER=ftp 
! 
[RULESET=IMAP-RULES] 
ENABLE=MSGSTORE/CRAM-MD5,MSGSTORE/PLAIN,SYSTEM/PLAIN,ANONYMOUS/* 

To set controls for any POPPASSD servers (see Section 14.6), one would define a [RULESET=POPPASSD-RULES] section and a PORT_ACCESS mapping assigning POPPASSD connections to the POPPASSD-RULES security rule set; for instance, if the only POPPASSD server listens on port 106, then the PMDF mapping file would need to include something like:


PORT_ACCESS 
 
  TCP|*|106|*|*   $YPOPPASSD-RULES 
 
Example 14-3 then shows a security configuration file that sets specific controls for POPPASSD connections: it restricts use of POPPASSD to PMDF MessageStore users, PMDF popstore users, and login users who store their POP password in the PMDF password database, and it disables use of POPPASSD to check the system password file. Because the POPPASSD-RULES ruleset omits SYSTEM/*, a password change request arriving on port 106 is never checked against the system password file, while the DEFAULT ruleset used by all other connections is unchanged.

Example 14-3 Security Configuration with POPPASSD Controls

[RULESET=DEFAULT] 
ENABLE=MSGSTORE/*,PASSDB/*,SYSTEM/* 
! 
[RULESET=POPPASSD-RULES] 
ENABLE=MSGSTORE/*,PASSDB/* 

14.2.8.1 Sample Security Configuration Files Using Alternate Authentication Sources

Example 14-4 shows adding a Kerberos V4 shared library.

Example 14-4 Security Configuration Using a Kerberos V4 Shared Library on UNIX

[AUTH_SOURCE=KERBEROS] 
IMAGE=/usr/local/lib/krb4sasl.so 
FUNCTION=krb4sasl_init 
SRVTAB=/etc/srvtab 
! 
[RULESET=DEFAULT] 
ENABLE=KERBEROS/*,MSGSTORE/*,PASSDB/*,SYSTEM/* 

Example 14-5 shows a security configuration file for looking up authentication verifiers in an LDAP directory. See the additional discussion of [AUTH_SOURCE=LDAP] in Section 14.2.3.

Example 14-5 Security Configuration for LDAP Authentication

[RULESET=DEFAULT] 
ENABLE=LDAP/* 
! 
[AUTH_SOURCE=LDAP] 
SERVER=elvira.example.com 
BASEDN=o="Example Software",st=Massachusetts,c=us 

If the LDAP directory does not support CRAM-MD5, or if a site is using {CRYPT} passwords on the LDAP server, then the mechanisms offered should be restricted to PLAIN, as shown in Example 14-6. CRAM-MD5 is a challenge-response mechanism in which the server must compute an HMAC keyed with the user's password, so the server needs the password itself, or a verifier derived from it in a form the mechanism can use; a directory that stores only one-way {CRYPT} hashes cannot supply that, and advertising CRAM-MD5 would only produce authentication failures. PLAIN works against a hash because the client sends the password itself, which also means the password is exposed to anyone who can read the session; offer it only on connections protected by TLS.

Example 14-6 Security Configuration for LDAP Authentication without CRAM-MD5

[RULESET=DEFAULT] 
ENABLE=LDAP/PLAIN 
! 
[AUTH_SOURCE=LDAP] 
SERVER=elvira.example.com 
BASEDN=o="Example Software",st=Massachusetts,c=us 
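Why Example 14-6 drops CRAM-MD5, shown in Python as an added example (this is not PMDF code and is not part of the original page): both sides of the RFC 2195 CRAM-MD5 exchange, a PLAIN check against a one-way hash, and what happens when a server that holds only such hashes tries to verify CRAM-MD5. Salted SHA-256 stands in for a {CRYPT} hash, and the user name, password and host name are constructed for the demonstration.

```python
"""CRAM-MD5 needs the password (or an HMAC context made from it); PLAIN does not.

Added example, not PMDF code: both sides of the RFC 2195 CRAM-MD5 exchange,
a PLAIN check against a one-way hash, and what happens when CRAM-MD5 is
offered by a server that only holds such hashes. Salted SHA-256 stands in
for a {CRYPT} hash; the user name, password and host name are constructed.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, Optional


def make_challenge(hostname: str) -> str:
    """Server side: RFC 2195 challenge of the form <random.time@host>."""
    return f"<{secrets.randbits(32)}.{int(time.time())}@{hostname}>"


def cram_md5_response(user: str, password: str, challenge: str) -> str:
    """Client side: 'user hex(HMAC-MD5(key=password, msg=challenge))'."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{user} {digest}"


def cram_md5_verify(response: str, challenge: str,
                    secret_for: Callable[[str], Optional[str]]) -> bool:
    """Server side: recompute the HMAC from the stored secret and compare."""
    user, sep, digest = response.partition(" ")
    secret = secret_for(user) if sep else None
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """One-way verifier in the spirit of {CRYPT}: hex(salt) '$' hex(sha256(salt || password))."""
    salt = os.urandom(8) if salt is None else salt
    return f"{salt.hex()}${hashlib.sha256(salt + password.encode()).hexdigest()}"


def plain_verify(user: str, password: str,
                 hash_for: Callable[[str], Optional[str]]) -> bool:
    """PLAIN: the client sent the password itself, so the server can re-hash and compare."""
    stored = hash_for(user)
    if stored is None:
        return False
    salt_hex = stored.partition("$")[0]
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


def rfc2195_vector_ok() -> bool:
    """Interoperability check against the worked example in RFC 2195, section 2."""
    challenge = "<1896.697170952@postoffice.reston.mci.net>"
    expected = "tim b913a602c7eda7a495b4e6e7334d3890"
    return cram_md5_response("tim", "tanstaaftanstaaf", challenge) == expected


def demo() -> Dict[str, bool]:
    """Both mechanisms against both kinds of stored verifier (all values constructed)."""
    user, password = "alice", "correct horse"
    cleartext_store = {user: password}              # what CRAM-MD5 verification needs
    hashed_store = {user: hash_password(password)}  # all a {CRYPT} directory can offer
    challenge = make_challenge("elvira.example.com")
    response = cram_md5_response(user, password, challenge)
    return {
        "cram_md5_with_cleartext_store": cram_md5_verify(response, challenge, cleartext_store.get),
        # The server holds only the hash; keying the HMAC with it can never match the client.
        "cram_md5_with_hashed_store": cram_md5_verify(response, challenge, hashed_store.get),
        "plain_with_hashed_store": plain_verify(user, password, hashed_store.get),
        "plain_with_wrong_password": plain_verify(user, "wrong", hashed_store.get),
        # A captured response is bound to its challenge and fails under a fresh one.
        "cram_md5_response_replayed": cram_md5_verify(
            response, make_challenge("elvira.example.com"), cleartext_store.get),
    }
```

The hashed-store case is the one Example 14-6 is about: the server cannot key the HMAC without the password, so the only thing it could do with a CRAM-MD5 response is reject it. The trade-off is visible in the other direction too: the CRAM-MD5 store keeps a reusable secret on the server, while PLAIN keeps only a hash but hands the password to the network, which is why PLAIN belongs behind TLS.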

14.2.8.2 Sample Security Configuration Files for Transitioning Between Authentication Sources

The examples in this section assume that a PORT_ACCESS mapping sorting connections into their own IMAP and POP rulesets is in place, along the lines of:


PORT_ACCESS 
 
  TCP|*|110|*|*   $YPOP 
  TCP|*|143|*|*   $YIMAP 
 

Example 14-7 shows moving POP users from the system password file to PMDF user profile passwords (PMDF MessageStore and PMDF popstore profile passwords); this is the sort of security configuration a site might use when POP users are being transitioned from the legacy mailbox (i.e., the BSD mailbox on UNIX or the VMS MAIL mailbox on OpenVMS) to the PMDF popstore mailbox. Example 14-8 shows disallowing plaintext passwords except for a single transitional use, the one that migrates a user's password into CRAM-MD5 storage; after that, the POP and IMAP rulesets of the example accept no plaintext mechanism. Example 14-9 similarly shows disallowing both plaintext and APOP, other than as that one-time transitional use, while passwords are migrated to CRAM-MD5 storage.

Example 14-7 Security Configuration when Migrating POP Users to the PMDF popstore

[RULESET=DEFAULT] 
ENABLE=PASSDB/CRAM-MD5,PASSDB/PLAIN,SYSTEM/PLAIN 
TRANSITION_CRITERIA=CLIENT 
! 
[RULESET=IMAP] 
ENABLE=MSGSTORE/CRAM-MD5,MSGSTORE/PLAIN,PASSDB/CRAM-MD5,PASSDB/PLAIN,SYSTEM/PLAIN 
! 
[RULESET=POP] 
ENABLE=MSGSTORE/*,SYSTEM/* 
TRANSITION_CRITERIA=PLAIN 
TRANSITION_ADD=MSGSTORE/PLAIN 
TRANSITION_DISABLE=SYSTEM/PLAIN 
TRANSITION_FROM=SYSTEM 
TRANSITION_RETAIN_USERS=admin1,admin2 

Example 14-8 Security Configuration Disallowing plaintext Passwords, except for Transitioning to CRAM-MD5

[RULESET=DEFAULT] 
ENABLE=PASSDB/CRAM-MD5 
TRANSITION_CRITERIA=CLIENT 
TRANSITION_FROM=PASSDB/*,SYSTEM/* 
TRANSITION_ADD=PASSDB/CRAM-MD5 
! 
[RULESET=POP] 
ENABLE=MSGSTORE/CRAM-MD5,MSGSTORE/APOP,PASSDB/CRAM-MD5,PASSDB/APOP 
! 
[RULESET=IMAP] 
ENABLE=MSGSTORE/CRAM-MD5,PASSDB/CRAM-MD5 

Example 14-9 Security Configuration Disallowing plaintext and APOP

[RULESET=DEFAULT] 
ENABLE=PASSDB/CRAM-MD5 
TRANSITION_CRITERIA=CLIENT 
TRANSITION_ADD=PASSDB/CRAM-MD5 
TRANSITION_DELETE=PASSDB/PLAIN 
TRANSITION_FROM=PASSDB/*,SYSTEM/*,MSGSTORE/* 
! 
! Disable use of the APOP mechanism for the PMDF password database 
! 
[AUTH_SOURCE=PASSDB] 
PASS_FORMAT=CRAM-MD5 
! 
[RULESET=POP] 
ENABLE=MSGSTORE/CRAM-MD5,PASSDB/CRAM-MD5 
TRANSITION_FROM=MSGSTORE/*,PASSDB/*,SYSTEM/* 
! 
[RULESET=IMAP] 
ENABLE=MSGSTORE/CRAM-MD5,PASSDB/CRAM-MD5 
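To check what a security configuration file and its PORT_ACCESS mapping actually hand to each listener, here is an added example in Python (not PMDF code and not from the original page). It serves both the PORT_ACCESS sorting of Examples 14-2 and 14-3 and the transition examples of this subsection, and it implements only the syntax shown on this page. The mechanism table behind SOURCE/*, the assumption that ports without a PORT_ACCESS entry and undefined ruleset names fall back to DEFAULT, and the reading of PASS_FORMAT=CRAM-MD5 as disabling PASSDB/APOP (as the comment in Example 14-9 states) are assumptions, not behaviour taken from the PMDF reference.

```python
"""Parse PMDF-style security configuration files and PORT_ACCESS entries and
report what each ruleset actually offers.

Added example, not PMDF code: it handles only the syntax visible in this
section's examples, and the mechanism table, the DEFAULT fallback and the
PASS_FORMAT=CRAM-MD5 handling are assumptions drawn from those examples.
"""
import re
from typing import Dict, Optional, Set, Tuple

# Assumption: mechanisms each source can offer, used only to expand SOURCE/*
# entries; sources not listed (ANONYMOUS, KERBEROS) stay as literal wildcards.
MECHANISMS: Dict[str, Tuple[str, ...]] = {
    "MSGSTORE": ("PLAIN", "CRAM-MD5", "APOP"), "PASSDB": ("PLAIN", "CRAM-MD5", "APOP"),
    "SYSTEM": ("PLAIN",), "LDAP": ("PLAIN", "CRAM-MD5"),
}
CLEARTEXT_MECHANISMS = {"PLAIN"}
Config = Dict[Tuple[str, str], Dict[str, str]]   # ("RULESET", "POP") -> {KEY: value}

# Sample input copied from Example 14-3 and its PORT_ACCESS fragment, and from
# Example 14-9 abridged to its ENABLE, TRANSITION_FROM and PASS_FORMAT lines.
EXAMPLE_14_3 = """\
[RULESET=DEFAULT]
ENABLE=MSGSTORE/*,PASSDB/*,SYSTEM/*
!
[RULESET=POPPASSD-RULES]
ENABLE=MSGSTORE/*,PASSDB/*
"""
PORT_ACCESS_106 = "PORT_ACCESS\n\n  TCP|*|106|*|*   $YPOPPASSD-RULES\n"
EXAMPLE_14_9 = """\
[RULESET=DEFAULT]
ENABLE=PASSDB/CRAM-MD5
TRANSITION_FROM=PASSDB/*,SYSTEM/*,MSGSTORE/*
[AUTH_SOURCE=PASSDB]
PASS_FORMAT=CRAM-MD5
[RULESET=POP]
ENABLE=MSGSTORE/CRAM-MD5,PASSDB/CRAM-MD5
TRANSITION_FROM=MSGSTORE/*,PASSDB/*,SYSTEM/*
"""

def parse_security_config(text: str) -> Config:
    """Sections keyed by (kind, name); keys upper-cased, values as written."""
    config: Config = {}
    current: Optional[Tuple[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):            # blank line or '!' comment
            continue
        header = re.fullmatch(r"\[(\w+)=([^\]]+)\]", line)
        if header:
            current = (header.group(1).upper(), header.group(2).strip().upper())
            config.setdefault(current, {})
        elif current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        else:
            key, _, value = line.partition("=")
            config[current][key.strip().upper()] = value.strip()
    return config

def expand(entries: str) -> Set[str]:
    """'MSGSTORE/*,SYSTEM/PLAIN' -> {'MSGSTORE/PLAIN', 'MSGSTORE/CRAM-MD5', ...}."""
    pairs: Set[str] = set()
    for token in (t.strip().upper() for t in entries.split(",") if t.strip()):
        source, _, mech = token.partition("/")
        if mech == "*" and source in MECHANISMS:
            pairs.update(f"{source}/{m}" for m in MECHANISMS[source])
        else:
            pairs.add(token)
    return pairs

def enabled_for(config: Config, ruleset: str) -> Set[str]:
    """SOURCE/MECHANISM pairs a ruleset offers; an undefined name falls back to DEFAULT."""
    section = config.get(("RULESET", ruleset.upper()))
    if section is None:
        section = config.get(("RULESET", "DEFAULT"), {})
    pairs = expand(section.get("ENABLE", ""))
    # Example 14-9: PASS_FORMAT=CRAM-MD5 on the password database rules out APOP,
    # which needs the cleartext password rather than a CRAM-MD5 context.
    if config.get(("AUTH_SOURCE", "PASSDB"), {}).get("PASS_FORMAT", "").upper() == "CRAM-MD5":
        pairs.discard("PASSDB/APOP")
    return pairs

def ruleset_for_port(port_access: str, port: int) -> str:
    """Ruleset named by the first matching $Y entry; unmatched ports use DEFAULT."""
    for line in port_access.splitlines():
        m = re.match(r"\s*TCP\|[^|]*\|(\d+|\*)\|[^|]*\|[^|]*\s+\$Y(\S+)", line)
        if m and m.group(1) in ("*", str(port)):
            return m.group(2).upper()
    return "DEFAULT"

def review(config: Config, ruleset: str) -> Dict[str, object]:
    """The three things a reviewer checks first for one ruleset."""
    keys = config.get(("RULESET", ruleset.upper()), {})
    offered = enabled_for(config, ruleset)
    return {
        "cleartext": sorted(p for p in offered if p.partition("/")[2] in CLEARTEXT_MECHANISMS),
        "system_password_file": sorted(p for p in offered if p.startswith("SYSTEM/")),
        "transition_from": keys.get("TRANSITION_FROM"),   # None when no transition is set
    }
```

Run review() on every ruleset that a $Y entry names and on DEFAULT, since DEFAULT is what every port without a PORT_ACCESS entry receives. For Example 14-3 the check that matters is that POPPASSD-RULES reports an empty system_password_file list while DEFAULT still lists SYSTEM/PLAIN; for Example 14-9 it is that no ruleset offers a cleartext mechanism at all, with the transition keys being the only route by which an old verifier is still consulted.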

