


Authorization and authentication principles.

Some mail utilities provide access to their services only after verifying that the user is actually the person he claims to be. Examples of such programs are pop3d and imap4d. The verification process is broken down into two stages: authorization and authentication. In the authorization stage the program retrieves the information about a particular user. In the authentication stage, this information is compared against the user-supplied credentials. Only if both stages succeed is the user allowed to use the service.

A set of modules is involved in performing each stage. For example, the authorization stage can retrieve the user description from various sources: the system database, an sql database, a virtual domain table, etc. Each module is responsible for retrieving the description from a particular source of information. The modules are arranged in a module list. The modules from the list are invoked in turn, until either one of them succeeds or the list is exhausted. In the latter case the authorization fails. Otherwise the data returned by the successful module are used in authentication.

Similarly, authentication may be performed in several ways. The authentication modules are also grouped in a list. Each module is tried in turn until either a module succeeds, in which case the authentication succeeds, or the end of the list is reached.

We represent the module lists as colon-separated lists of module names. For example, the authorization list

        system:sql:virtdomains

means that first the system user database (/etc/password) is searched for a description of the user in question. If the search fails, the sql database is searched. Finally, if that also fails, the search is performed in the virtual domain database.

Note that some authentication and/or authorization modules may be disabled when configuring the package before compilation. The names of the disabled modules are nevertheless available for use in runtime configuration options, but they represent a "fail-only" functionality: if, for example, the package was compiled without sql support, then the module sql in the above example will always fail, thus passing the execution on to the next module.

The modules available for use in the authorization list are:

system
User credentials are retrieved from the system user database (/etc/password).
sql
User credentials are retrieved from the sql database. The set of --sql- options (see auth) is used to configure access to the database.
virtdomain
User credentials are retrieved from a "virtual domain" user database.

The modules available for use in the authentication list are:

generic
The generic authentication type. The user's password is hashed and compared against the hash value returned in the authorization stage.
system
The hashed value of the user's password is retrieved from the /etc/shadow file on systems that support it.
sql
The hashed value of the user's password is retrieved from the sql database using the query supplied by the --sql-getpass option (see auth).
pam
The user is authenticated via a pluggable authentication module (pam). The pam service name to be used is configured via the --pam-service option (see auth).

Unless overridden by the --authentication command line option, the list of authentication modules is:

        generic:system:pam:sql

Unless overridden by the --authorization command line option, the list of authorization modules is:

        system:sql:virtdomains