How to configure Webmail for WiKID Strong authentication

In this document we show you how to configure an IMAP-based Webmail system to use WiKID Strong Authentication.

These instructions will help you use WiKID Strong Authentication with SquirrelMail on Linux. They also apply if you want to use two-factor authentication with other webmail systems or with any IMAP client. We also tested WiKID Strong Authentication with Thunderbird!

  • First, I set up Postfix, Cyrus and SASL. I followed the instructions in this great how-to: http://nakedape.cc/info/Cyrus-IMAP-HOWTO/quickstart-fedora.html . If you need details on how to set up these three packages, go there or elsewhere. I am including the bare minimum here.
  • yum install postfix cyrus-imapd cyrus-imapd-utils cyrus-sasl
    cyrus-sasl-plain perl-Term-ReadLine-Gnu

  • Edit your /etc/sysconfig/saslauthd to support PAM:
  • # Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
    # of which mechanism your installation was compiled to use.
    MECH=pam
  • You can test with a static password to make sure this is working:
  • # testsaslauthd -u username -p password
    0: OK "Success."
  • Start Cyrus
  • service cyrus-imapd start
  • Then test imap authentication, again with a static password (NB: I had to use the -a parameter here, not -u)
  • $ imtest -a username localhost
  • Configure Postfix (again, see the doc above for details if you need them)
  • service postfix start
  • Now, configure PAM to use WiKID. I'm testing with Radius on the commercial server, but TACACS+ will work the same for the open source version:
  • #%PAM-1.0
    auth       required     /lib/security/pam_radius_auth.so
    #auth      required     pam_stack.so service=system-auth
    account    required     /lib/security/pam_radius_auth.so
    #account    required    pam_stack.so service=system-auth
    
  • For RADIUS, add your WiKID server and its shared secret to /etc/raddb/server as well:
  • # server[:port] shared_secret      timeout (s)
    127.0.0.1       secret             1
    WiKID_serverFQDN    server_secret     3
  • Now you should retest the authentication at the command line:
  • # testsaslauthd -u username -p WiKID_OTP
    $ imtest -a username localhost
  • SquirrelMail (and probably other webmail systems) generates a new auth request for each click, so we need to set up an IMAP proxy server to manage sessions. I used imapproxy:
  • # wget ftp://fr.rpmfind.net/linux/fedora/extras/4/i386/up-imapproxy-1.2.4-4.fc4.i386.rpm
    # rpm -Uvh up-imapproxy-1.2.4-4.fc4.i386.rpm
  • Edit /etc/imapproxy.conf:
  • server_hostname www.yourhostname.com
    listen_port 343
    server_port 143
    cache_expiration_time 300
  • Everything else was standard. Now we set up SquirrelMail:
  • # wget -O squirrelmail-1.4.5-1.noarch.rpm 'http://www.squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fprdownloads.sourceforge.net%2Fsquirrelmail%2Fsquirrelmail-1.4.5-1.noarch.rpm'
    # rpm -Uvh squirrelmail-1.4.5-1.noarch.rpm
  • Then configure SquirrelMail. I first configured it for the default Cyrus setup, then switched its IMAP port to 343, the port imapproxy listens on.
  • That is it!
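
The check below is an added example, not part of the original how-to or WiKID's own code: it audits the four files edited in the steps above so that a leftover static-password path or a readable RADIUS secret is caught before the system goes live. The PAM file path /etc/pam.d/imap, the function names and the owner-only permission check on /etc/raddb/server are assumptions; the sample files in audit_demo are constructed from the settings shown on this page.

```shell
# Added example: audit the four files this how-to edits (run as root).
# Returns the number of failed checks as its exit status.
audit_wikid_imap() {
    sasl=${1:-/etc/sysconfig/saslauthd}
    pam=${2:-/etc/pam.d/imap}        # assumption: the page does not name this file
    radius=${3:-/etc/raddb/server}
    proxy=${4:-/etc/imapproxy.conf}
    fails=0
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

    # 1. saslauthd must hand password checks to PAM.
    grep -Eq '^[[:space:]]*MECH=pam[[:space:]]*$' "$sasl" ||
        fail "$sasl: MECH=pam is not active"

    # 2. auth and account must both go through pam_radius_auth.so ...
    for t in auth account; do
        grep -Eq "^[[:space:]]*${t}[[:space:]]+required[[:space:]]+[^#]*pam_radius_auth\.so" "$pam" ||
            fail "$pam: no active '$t required pam_radius_auth.so' line"
    done
    # ... and no other module may be 'sufficient' for auth, which would let
    # a static password succeed without the one-time passcode.
    if grep -E '^[[:space:]]*auth[[:space:]]+sufficient' "$pam" | grep -qv 'pam_radius_auth\.so'; then
        fail "$pam: another auth module is marked sufficient"
    fi

    # 3. The file holding the RADIUS shared secret should be owner-only.
    perms=$(ls -ld "$radius" | cut -c5-10)
    [ "$perms" = "------" ] || fail "$radius: group/other permissions are '$perms'"

    # 4. The proxy must listen on a different port than the IMAP server it fronts.
    lp=$(awk '$1 == "listen_port" { v = $2 } END { print v }' "$proxy")
    sp=$(awk '$1 == "server_port" { v = $2 } END { print v }' "$proxy")
    [ -n "$lp" ] && [ -n "$sp" ] && [ "$lp" != "$sp" ] ||
        fail "$proxy: listen_port ('$lp') and server_port ('$sp') must be set and differ"

    return "$fails"
}

# Constructed sample files (this page's settings) so the audit can be tried offline.
audit_demo() {
    d=$(mktemp -d)
    echo 'MECH=pam' > "$d/sasl"
    printf '%s\n' 'auth required /lib/security/pam_radius_auth.so' \
                  'account required /lib/security/pam_radius_auth.so' > "$d/pam"
    echo 'WiKID_serverFQDN server_secret 3' > "$d/radius"; chmod 600 "$d/radius"
    printf '%s\n' 'listen_port 343' 'server_port 143' > "$d/proxy"
    audit_wikid_imap "$d/sasl" "$d/pam" "$d/radius" "$d/proxy"
}
```

On the mail server, run audit_wikid_imap with no arguments as root to check the live files; audit_demo runs the same checks on the constructed copies.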