How to configure Webmail for WiKID Strong authentication

This How-to applies to: WiKID Strong Authentication Server Community Edition
This How-to is intended for: System Administrator, Developer-Integrator

These instructions will help you use WiKID Strong Authentication with SquirrelMail on Linux. They also apply if you want to use two-factor authentication with other webmail systems or with any IMAP client. We also tested WiKID Strong Authentication with Thunderbird!

  • First I set up postfix, cyrus and sasl. I followed the instructions on this great how-to: http://nakedape.cc/info/Cyrus-IMAP-HOWTO/quickstart-fedora.html . If you need details on how to set up these three packages, go there or elsewhere. I am including the bare minimum here.
  • yum install postfix cyrus-imapd cyrus-imapd-utils cyrus-sasl \
        cyrus-sasl-plain perl-Term-ReadLine-Gnu

  • Edit your /etc/sysconfig/saslauthd to support PAM:
  • # Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
    # of which mechanism your installation was compiled to use.
    MECH=pam
  • You can test with a static password to make sure this is working:
  • # testsaslauthd -u username -p password
    0: OK "Success."
  • Start Cyrus
  • service cyrus-imapd start
  • Then test imap authentication, again with a static password (NB: I had to use the -a parameter here, not -u)
  • $ imtest -a username localhost
  • Configure Postfix (again, see the doc above for details if you need them)
  • service postfix start
  • Now, configure PAM to use WiKID. I'm testing with RADIUS on the commercial server, but TACACS+ will work the same for the open source version:
  • #%PAM-1.0
    auth       required     /lib/security/pam_radius_auth.so
    #auth      required     pam_stack.so service=system-auth
    account    required     /lib/security/pam_radius_auth.so
    #account    required    pam_stack.so service=system-auth
    
  • For RADIUS, also point /etc/raddb/server at your WiKID server:
  • # server[:port] shared_secret      timeout (s)
    127.0.0.1       secret             1
    WiKID_serverFQDN    server_secret     3
  • Now you should retest the authentication at the command line:
  • # testsaslauthd -u username -p WiKID_OTP
    $ imtest -a username localhost
  • SquirrelMail (and probably other webmail systems) generates a new auth request for each click, so we need to set up an IMAP proxy server to manage sessions. I used imapproxy:
  • # wget ftp://fr.rpmfind.net/linux/fedora/extras/4/i386/up-imapproxy-1.2.4-4.fc4.i386.rpm
    # rpm -Uvh up-imapproxy-1.2.4-4.fc4.i386.rpm
  • Edit /etc/imapproxy.conf:
  • server_hostname www.yourhostname.com
    listen_port 343
    server_port 143
    cache_expiration_time 300
  • Everything else was standard. Now we set up SquirrelMail:
  • # wget -O squirrelmail-1.4.5-1.noarch.rpm 'http://www.squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fprdownloads.sourceforge.net%2Fsquirrelmail%2Fsquirrelmail-1.4.5-1.noarch.rpm'
    # rpm -Uvh squirrelmail-1.4.5-1.noarch.rpm
  • Then configure SquirrelMail. I first configured it for the default Cyrus setup, then switched the listen port to 343.
  • That is it!
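
A check for the PAM and /etc/raddb/server steps above, written as an added example (it is not WiKID's code and not part of the original how-to): it flags a PAM auth stack that can succeed without the RADIUS one-time-passcode check, and a server file that still carries the template secrets. The function names are hypothetical, and the expectation that the server file is closed to group and other is an assumption of this example.

```python
import stat

PLACEHOLDER_SECRETS = {"secret", "server_secret"}  # template values in the page's listing

def active_lines(text):
    """Yield (line_number, fields) for lines that are neither blank nor comments."""
    for number, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            yield number, line.split()

def audit_radius_servers(text, mode):
    """Check 'server[:port] shared_secret timeout' entries and the file mode."""
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # assumption: root-only file wanted
        findings.append("file is accessible to group/other but holds shared secrets")
    for number, fields in active_lines(text):
        if len(fields) < 2:
            findings.append(f"line {number}: no shared secret for {fields[0]}")
        elif fields[1] in PLACEHOLDER_SECRETS:
            findings.append(f"line {number}: placeholder secret for {fields[0]}")
    return findings

def audit_pam_stack(text):
    """Report ways the auth stack can succeed without the RADIUS (OTP) check."""
    findings, radius_seen = [], False
    for number, fields in active_lines(text):
        if len(fields) < 3 or fields[0] != "auth":
            continue
        control, module = fields[1], fields[2]
        if module.endswith("pam_radius_auth.so"):
            radius_seen = True
            if control not in ("required", "requisite"):
                findings.append(f"line {number}: pam_radius_auth.so is '{control}'")
        elif control == "sufficient" and not radius_seen:
            findings.append(f"line {number}: {module} can succeed before the OTP check")
    if not radius_seen:
        findings.append("no active auth line loads pam_radius_auth.so")
    return findings

# Constructed samples: the page's PAM file, and a variant with a static-password bypass.
PAGE_PAM = """#%PAM-1.0
auth       required     /lib/security/pam_radius_auth.so
#auth      required     pam_stack.so service=system-auth
account    required     /lib/security/pam_radius_auth.so
"""
WEAK_PAM = "auth sufficient pam_unix.so\nauth required /lib/security/pam_radius_auth.so\n"
PAGE_SERVERS = "# server[:port] shared_secret timeout (s)\n127.0.0.1 secret 1\nWiKID_serverFQDN server_secret 3\n"
if __name__ == "__main__":
    print(*audit_pam_stack(WEAK_PAM), *audit_radius_servers(PAGE_SERVERS, 0o644), sep="\n")
```

To audit a live host, pass the contents of the PAM service file you edited and of /etc/raddb/server, together with `os.stat("/etc/raddb/server").st_mode`.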