pam_imap authentication module


Support a poor college student!
"Will code for food... or beer."

This is a PAM module that authenticates a user login against a remote IMAP or IMAPS server. The module supports server rollover, so a list of servers can be queried in succession if the previous server is down. With a bit of PAM configuration hacking, it will also work with other modules to allow logins to be authenticated locally and/or remotely with IMAP on the same system.

pam-imap features:

-- User BlockList:  Allows pam-imap to ignore authenticating users such as 'root', 'apache', and others.

-- Password caching:  Possibly useful in situations where network connections are slow, or server loads are high.  It has a few security risks, however.  Check out the README file for more info.

-- Support for username@domain.com style logins. With Micro$oft style IMAP servers, the "@domain.com" can be appended to the UNIX username for easy compatibility.

-- Customizable "Password: " string...  You could change it to anything!  Maybe, "IMAP Password: "  The possibilities are endless.
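
The rollover, blocklist and "@domain.com" features described above can be sketched in Python as follows. This is an added example, not pam-imap's own code; the function names, the sample blocklist, the login-name pattern and the choice to treat an explicit rejection as final are assumptions made for illustration.

```python
import imaplib
import re
import ssl

BLOCKLIST = frozenset({"root", "apache"})  # constructed sample list
SAFE_USER = re.compile(r"[A-Za-z0-9._-]{1,64}")  # assumed login-name policy


def connect_imaps(host, port=993, timeout=5):
    """Open an IMAPS connection with certificate and hostname checks."""
    ctx = ssl.create_default_context()
    return imaplib.IMAP4_SSL(host, port, ssl_context=ctx, timeout=timeout)


def imap_authenticate(user, password, servers, domain=None,
                      blocklist=BLOCKLIST, connect=connect_imaps):
    """Return True only if a reachable server accepts the login.

    Rollover happens only when a server is unreachable. An explicit
    rejection is final, so a stale backup server cannot override it.
    """
    if user in blocklist or not password:
        return False  # never send blocklisted or empty-password logins out
    if not SAFE_USER.fullmatch(user):
        return False  # keep protocol metacharacters out of the LOGIN command
    login = f"{user}@{domain}" if domain else user
    for host in servers:
        try:
            conn = connect(host)
        except (OSError, imaplib.IMAP4.error):
            continue  # server down: roll over to the next one
        try:
            conn.login(login, password)
            return True
        except (OSError, imaplib.IMAP4.abort):
            continue  # connection died mid-login: treat as down
        except imaplib.IMAP4.error:
            return False  # server answered and refused: stop here
        finally:
            try:
                conn.logout()
            except (OSError, imaplib.IMAP4.error):
                pass
    return False
```

The `connect` parameter exists so the logic can be exercised without a network; in real use the default opens a verified IMAPS session to each host in turn.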

Examples of recommended use:

1) A lab of UNIX/Linux machines that would require an easily accessible password database from an IMAP server

2) Authenticating users against a centralized password server that you have no control over, and it conveniently has an IMAP server. (The arms-tied-behind-your-back scenario)

3) Authenticating with applications that do not run as root.  (Apache is a good example -- read user-testimonials below)

4) An IMAP cluster authentication relay -- pam-imap can be used for a cheap IMAP cluster solution. Have one or two master IMAP servers that have a username/password database (be it LDAP, shadow, etc) and an IMAP server. Have several cluster node servers to handle the bandwidth of client requests, and use pam-imap on each node to authenticate against the master server(s). (The node machines will use pam-imap in their 'imap' service file)
Tie everything together with round-robin DNS and NFS mail folders, and you have yourself an IMAP cluster!

5)  ???  (Help me brainstorm some more here)


Here are some comments posted to the pam-imap mailing list:

"In order to set up dspam's CGI [in Apache], I needed a way to authenticate users
with HTTP auth.  I do not want to run the web server as root.  pam-imap
made it a snap to solve this problem." -- Neale Pickett

For Apache to authenticate with PAM (more specifically, pam_unix.so), it needs read access to the /etc/shadow file, which is a horrible security hole.  With pam-imap, one can run an IMAP server locally and have Apache authenticate against it through pam-imap.  Although this is still a bit of a hack, it adds a layer of separation, so the web server itself does not need root access.  imapd must be run as root, but it can easily be firewalled.


"I work for a big University (60k pupils), in Seville, Spain. We only have a public MX.
All mail that gets in or out of the university goes through [the MX]. We use pam-imap
to authenticate smtp-auth with checkpassword-pam & qmail. We have implemented
pam-imap with perdition mail retrieval proxy for a "poor's man ldap".
We can authenticate 50,000 users using [50] different imap(s) servers.

Thank you for developing pam_imap !!! :-) "
    -- Javier de Miguel Rodríguez

Read recommended use #4 for a brief description of this setup. If you would like to know more about this implementation, search the mailing list or join the list to ask questions!



This project is mainly the result of a project for Minnesota State University-Moorhead's Computer Science Dept.

Questions, comments, and any help: Please join the mailing list or just shoot an email to pam-imap-help@lists.sourceforge.net

This project is licensed under the GPL.

Project Admin:   Cal Heldenbrand



A side project pam module is pam_pgina, which authenticates against the pgina_pam server
Download pam_pgina here