How to configure Webmail for WiKID Strong authentication

Duo Users!  Welcome!  If you're just looking for information on webmail and 2FA, read on (this how-to is a bit old, sorry about that).  If you want to learn more about controlling the keys to your kingdom with an on-premises two-factor authentication system, please browse the site!

These instructions will help you use WiKID Strong Authentication with SquirrelMail on Linux. They also apply if you want to use two-factor authentication with other webmail systems or with any IMAP client. We also tested WiKID Strong Authentication with Thunderbird!

    • First I set up postfix, cyrus and sasl. I followed the instructions on this great how-to: http://nakedape.cc/info/Cyrus-IMAP-HOWTO/quickstart-fedora.html . If you need details on how to set up these three packages, go there or elsewhere. I am including the bare minimum here.
yum install postfix cyrus-imapd cyrus-imapd-utils cyrus-sasl cyrus-sasl-plain perl-Term-ReadLine-Gnu

    • Edit your /etc/sysconfig/saslauthd to support PAM:
# Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled to use.
MECH=pam
    • You can test with a static password to make sure this is working:
# testsaslauthd -u username -p password
0: OK "Success."
    • Start Cyrus
service cyrus-imapd start
    • Then test imap authentication, again with a static password (NB: I had to use the -a parameter here, not -u)
$ imtest -a username localhost
    • Configure Postfix (again, see the doc above for details if you need them)
service postfix start
#%PAM-1.0
auth       required     /lib/security/pam_radius_auth.so
#auth      required     pam_stack.so service=system-auth
account    required     /lib/security/pam_radius_auth.so
#account    required    pam_stack.so service=system-auth
    • For Radius, point /etc/raddb/server to the correct location too!
# server[:port] shared_secret      timeout (s)
127.0.0.1       secret             1
WiKID_serverFQDN    server_secret     3
    • Now you should retest the authentication at the command line:
# testsaslauthd -u username -p WiKID_OTP
$ imtest -a username localhost
    • SquirrelMail (and probably other webmail systems) generates a new auth request for each click, so we need to set up an IMAP proxy server to manage sessions. I used imapproxy:
# wget ftp://fr.rpmfind.net/linux/fedora/extras/4/i386/up-imapproxy-1.2.4-4.fc4.i386.rpm
# rpm -Uvh up-imapproxy-1.2.4-4.fc4.i386.rpm
    • Edit /etc/imapproxy.conf:
server_hostname www.yourhostname.com
listen_port 343
server_port 143
cache_expiration_time 300
    • Everything else was standard. Now we set up SquirrelMail:
# wget -O squirrelmail-1.4.5-1.noarch.rpm "http://www.squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fprdownloads.sourceforge.net%2Fsquirrelmail%2Fsquirrelmail-1.4.5-1.noarch.rpm"
# rpm -Uvh squirrelmail-1.4.5-1.noarch.rpm
    • Then configure SquirrelMail. I first configured it for the default Cyrus setup, then switched the listen port to 343.

That is it!
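
Why the IMAP proxy step is needed, as an added example (not part of the original how-to and not imapproxy's own code): a simplified Python model in which the authentication backend accepts each passcode once and the proxy reuses a cached login for cache_expiration_time seconds. The class names, the user alice, the passcode and the cache-matching rule are assumptions made for illustration.

```python
import hashlib
import hmac

CACHE_EXPIRATION_TIME = 300  # seconds; the cache_expiration_time value used above

class OneTimeBackend:
    """Stand-in for Cyrus -> saslauthd -> PAM -> RADIUS -> WiKID: each OTP works once."""
    def __init__(self, valid_otps):
        self.unused = set(valid_otps)
        self.auth_requests = 0

    def login(self, user, otp):
        self.auth_requests += 1
        if (user, otp) in self.unused:
            self.unused.discard((user, otp))
            return True
        return False

class CachingProxy:
    """Assumed proxy behaviour: keep an authenticated connection per user until idle too long."""
    def __init__(self, backend, ttl=CACHE_EXPIRATION_TIME):
        self.backend, self.ttl = backend, ttl
        self.cache = {}  # user -> (password digest, time of last use)

    def login(self, user, password, now):
        digest = hashlib.sha256(password.encode()).hexdigest()
        entry = self.cache.get(user)
        fresh = entry is not None and now - entry[1] <= self.ttl
        if fresh and hmac.compare_digest(entry[0], digest):
            self.cache[user] = (digest, now)  # reuse: the backend never sees this login
            return True
        if self.backend.login(user, password):
            self.cache[user] = (digest, now)
            return True
        return False

def simulate_clicks(click_times, use_proxy):
    """Webmail replays the passcode typed at login on every click; return each outcome."""
    backend = OneTimeBackend({("alice", "482913")})  # constructed user and OTP
    proxy = CachingProxy(backend)
    results = []
    for t in click_times:
        if use_proxy:
            results.append(proxy.login("alice", "482913", t))
        else:
            results.append(backend.login("alice", "482913"))
    return results, backend.auth_requests

if __name__ == "__main__":
    print(simulate_clicks([0, 20, 45], use_proxy=False))   # direct to the IMAP server
    print(simulate_clicks([0, 20, 45], use_proxy=True))    # through the proxy
    print(simulate_clicks([0, 20, 400], use_proxy=True))   # idle longer than the cache
```

In this model the proxy accepts the replayed passcode without consulting the backend for as long as the cached entry is fresh, so cache_expiration_time is also the window during which a passcode behaves like a static password at the proxy port.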

Copyright © WiKID Systems, Inc. 2017 | Two-factor Authentication