Duo Users! Welcome! If you're just looking for information on webmail and 2FA, read on (this how-to is a bit old, sorry about that). If you want to learn more about controlling the keys to your kingdom with an on-premises two-factor authentication system, please browse the site!
These instructions will help you use WiKID Strong Authentication with SquirrelMail on Linux. They also apply if you want to use two-factor authentication with other webmail systems or with any IMAP client. We also tested WiKID Strong Authentication with Thunderbird!
- First I set up Postfix, Cyrus and SASL. I followed the instructions on this great how-to: http://nakedape.cc/info/Cyrus-IMAP-HOWTO/quickstart-fedora.html. If you need details on how to set up these three packages, go there or elsewhere. I am including only the bare minimum here.
yum install postfix cyrus-imapd cyrus-imapd-utils cyrus-sasl cyrus-sasl-plain perl-Term-ReadLine-Gnu
- Edit your /etc/sysconfig/saslauthd to support PAM:
# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled to use.
MECH=pam
- You can test with a static password to make sure this is working:
# testsaslauthd -u username -p password
0: OK "Success."
- Start Cyrus
service cyrus-imapd start
- Then test imap authentication, again with a static password (NB: I had to use the -a parameter here, not -u)
$ imtest -a username localhost
- Configure Postfix (again, see the doc above for details if you need them)
service postfix start
- Now, configure PAM to use WiKID. I'm testing with Radius on the commercial server, but TACACS+ will work the same for the open source version:
#%PAM-1.0
auth required /lib/security/pam_radius_auth.so
#auth required pam_stack.so service=system-auth
account required /lib/security/pam_radius_auth.so
#account required pam_stack.so service=system-auth
- For Radius, point /etc/raddb/server to the correct location too!
# server[:port] shared_secret timeout (s)
127.0.0.1 secret 1
WiKID_serverFQDN server_secret 3
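The /etc/raddb/server file holds the RADIUS shared secret, so two things are worth checking before going live: that the placeholder secrets from the example were actually replaced, and that the file is readable by root only. The following is an added example (not WiKID's or pam_radius_auth's own code) that parses the file format shown above and reports those problems. The host name wikid.example.internal and the sample secrets are constructed for the example; the 16-character minimum is a policy choice, not a pam_radius_auth requirement.

```python
import os
import stat
import tempfile

# Constructed sample in the /etc/raddb/server format that pam_radius_auth reads:
# "server[:port] shared_secret [timeout]". It mirrors the two-line example above,
# including the placeholder secrets that a real deployment must replace.
SAMPLE_RADDB_SERVER = """\
# server[:port] shared_secret timeout (s)
127.0.0.1 secret 1
wikid.example.internal server_secret 3
"""

# A cleaned-up file: one WiKID server and a long random shared secret (constructed).
GOOD_RADDB_SERVER = "wikid.example.internal kZ7pQ2vN9xR4tW1mB8sL 3\n"

# Secrets that appear in documentation and examples and must never reach production.
PLACEHOLDER_SECRETS = {"secret", "server_secret", "testing123", "changeme"}
MIN_SECRET_LEN = 16  # policy threshold chosen for this example


def parse_raddb_server(text):
    """Parse server entries into (host, port, secret, timeout) tuples.

    port is None when not given (pam_radius_auth then uses its default RADIUS port);
    timeout defaults to 3 seconds, as in pam_radius_auth.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected 'server[:port] shared_secret [timeout]'")
        host, _, port = fields[0].partition(":")
        timeout = int(fields[2]) if len(fields) > 2 else 3
        entries.append((host, int(port) if port else None, fields[1], timeout))
    return entries


def audit_raddb_server(text, mode=None):
    """Return a list of findings; an empty list means the file passed every check.

    mode is the file's permission bits (stat.S_IMODE of st_mode); None skips that check.
    """
    findings = []
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file is readable by group/other; it holds shared secrets, chmod 600 it")
    entries = parse_raddb_server(text)
    for host, _port, secret, timeout in entries:
        if secret.lower() in PLACEHOLDER_SECRETS:
            findings.append(f"{host}: placeholder shared secret '{secret}' must be replaced")
        elif len(secret) < MIN_SECRET_LEN:
            findings.append(f"{host}: shared secret shorter than {MIN_SECRET_LEN} characters")
        if timeout < 1:
            findings.append(f"{host}: timeout must be at least 1 second")
    # pam_radius_auth tries servers in listed order, so a leftover localhost entry
    # ahead of the real WiKID server only adds a failed attempt to every login.
    if len(entries) > 1 and entries[0][0] in ("127.0.0.1", "localhost"):
        findings.append("127.0.0.1 is listed before the WiKID server; remove it unless RADIUS really runs locally")
    return findings


def audit_file(path):
    """Audit an on-disk server file, including its permission bits."""
    with open(path) as fh:
        text = fh.read()
    return audit_raddb_server(text, stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    # Write the constructed sample to a temp file with typical (too open) 0644 permissions.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "server")
        with open(path, "w") as fh:
            fh.write(SAMPLE_RADDB_SERVER)
        os.chmod(path, 0o644)
        for finding in audit_file(path):
            print("FINDING:", finding)
```

Run against the real file with `audit_file("/etc/raddb/server")` as root; an empty result means the secrets were changed, the file is mode 600 and the WiKID server is first in line.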
- Now you should retest the authentication at the command line:
# testsaslauthd -u username -p WiKID_OTP
$ imtest -a username localhost
- SquirrelMail (and probably other webmail systems) generates a new IMAP login for each click. With one-time passcodes that is a problem: the passcode is consumed by the first login and every later click would fail, so we need an IMAP proxy server that keeps the authenticated connection open and manages the session. I used imapproxy:
# wget ftp://fr.rpmfind.net/linux/fedora/extras/4/i386/up-imapproxy-1.2.4-4.fc4.i386.rpm
# rpm -Uvh up-imapproxy-1.2.4-4.fc4.i386.rpm
- Edit /etc/imapproxy.conf:
server_hostname www.yourhostname.com
listen_port 343
server_port 143
cache_expiration_time 300
- Everything else was standard. Now we set up SquirrelMail:
# wget http://www.squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fprdownloads.sourceforge.net%2Fsquirrelmail%2Fsquirrelmail-1.4.5-1.noarch.rpm
# rpm -Uvh squirrelmail-1.4.5-1.noarch.rpm
- Then configure SquirrelMail. I first configured it for the default Cyrus setup, then switched its IMAP port to 343 (the imapproxy listen port) so that every request goes through the proxy.
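To see why the proxy is needed, and what cache_expiration_time actually buys, here is an added simulation (not imapproxy's or SquirrelMail's code) of a user clicking through webmail with a single-use passcode. The OTP back end accepts each code exactly once; without the proxy every click re-authenticates and only the first succeeds, while the proxy model reuses the connection for the same user and passcode until it has been idle for cache_expiration_time seconds. The user name, passcodes and click timings are constructed for the example. The caveat it also shows: within that idle window the already-consumed passcode still opens a connection through the proxy, so the 300 seconds above is a trade-off between usability and how long a captured passcode stays useful.

```python
CACHE_EXPIRATION_TIME = 300  # seconds, the imapproxy cache_expiration_time used above


class OtpAuthenticator:
    """Stand-in for the WiKID/RADIUS back end: each passcode is accepted exactly once."""

    def __init__(self, valid_codes):
        self._unused = set(valid_codes)
        self.auth_requests = 0  # how many times the back end was asked to validate

    def check(self, user, code):
        self.auth_requests += 1
        if code in self._unused:
            self._unused.remove(code)  # consumed: replaying the same code must fail
            return True
        return False


class DirectImap:
    """Webmail talking straight to Cyrus: every page load is a fresh IMAP login."""

    def __init__(self, auth):
        self.auth = auth

    def request(self, user, code, now):
        return self.auth.check(user, code)


class ImapProxy:
    """Model of imapproxy: an authenticated connection is kept for the same user and
    passcode and reused until it has sat idle for cache_expiration_time seconds."""

    def __init__(self, auth, cache_expiration_time=CACHE_EXPIRATION_TIME):
        self.auth = auth
        self.ttl = cache_expiration_time
        self._sessions = {}  # (user, code) -> timestamp of last use

    def request(self, user, code, now):
        key = (user, code)
        last_used = self._sessions.get(key)
        if last_used is not None and now - last_used < self.ttl:
            self._sessions[key] = now  # reuse the cached connection, no back-end call
            return True
        self._sessions.pop(key, None)  # expired or unknown: must log in for real
        ok = self.auth.check(user, code)
        if ok:
            self._sessions[key] = now
        return ok


def simulate_clicks(frontend, user, code, click_times):
    """Return one True/False per click for a user working through webmail."""
    return [frontend.request(user, code, t) for t in click_times]


def run_scenarios():
    user = "alice"  # constructed
    click_times = [0, 30, 60, 400]  # the last click comes after the idle cache has expired

    direct_auth = OtpAuthenticator({"482913"})
    direct = simulate_clicks(DirectImap(direct_auth), user, "482913", click_times)

    proxy_auth = OtpAuthenticator({"482913", "715026"})
    proxy = ImapProxy(proxy_auth)
    proxied = simulate_clicks(proxy, user, "482913", click_times)
    renewed = proxy.request(user, "715026", 401)  # fresh passcode after the expiry

    return {
        "direct": direct,
        "proxied": proxied,
        "renewed": renewed,
        "direct_auth_requests": direct_auth.auth_requests,
        "proxy_auth_requests": proxy_auth.auth_requests,
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Direct access yields one success followed by failures, because the consumed passcode is presented again on every click; through the proxy the same clicks all succeed and the back end sees a single RADIUS request per session, with a new passcode required only once the cached connection has expired.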
That is it!