PAM module for authentication via MAPI against a Kopano or Zarafa server
pam_mapi is a module for PAM (Pluggable Authentication Modules). PAM is a library that provides an interface to authentication services on Linux/Unix systems and therefore allows various system services to be connected to one central authentication database. Administrators can ensure, for example, that all services use a centrally stored password and thereby avoid separate password databases. The PAM module "pam_mapi" handles authentication with a Kopano or Zarafa server as the password database.
Applications such as Kopano WebApp, Kopano DeskApp, Zarafa WebAccess, the Zarafa WebApp or Microsoft Outlook (with the Zarafa Windows Client) connect directly via MAPI over SOAP to Kopano Core or the Zarafa Collaboration Platform and also handle authentication via that protocol when sending e-mails. If Kopano or Zarafa is configured to use the database plugin, all user information is stored in a MySQL database. Once IMAP/POP3 is used via the Kopano or Zarafa Gateway, SMTP often gets involved for outbound e-mails, too. Usually this requires SMTP authentication (also called "SMTP auth") in order to avoid so-called open relays, but the user information in the MariaDB or MySQL database is unfortunately not accessible to established SASL daemons.
Although the password is generally hashed with MD5, it is also salted with a non-standard method. That surely improves security, but Cyrus SASL, for example, expects a plaintext password in the database if the "SQL auxprop" plugin is used. The so-called "frost patches" unfortunately do not help here either, given that they are not included in the leading Linux distributions used in enterprise environments. And pam_mysql supports MD5 or SHA1 hashed passwords (aside from plaintext passwords), but only without salts.
This gap is filled by pam_mapi, which provides MAPI-based authentication that can be used by a SASL daemon for the SMTP service. Typically, Sendmail or Postfix uses "saslauthd" (from Cyrus SASL), which then relies on pam_mapi to verify the user information from the SMTP dialogue. Finally, pam_mapi establishes a connection to the configured Kopano/Zarafa server and performs a login, and the result is returned to the SMTP service, which permits or rejects the outbound e-mail connection.
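The chain described above (Postfix, saslauthd, PAM, pam_mapi), written out as a configuration sketch. This is an added example, not taken from the pam_mapi documentation; the file locations and the module file name pam_mapi.so are assumptions that vary by distribution, and no pam_mapi module options are shown.

```conf
# --- /etc/pam.d/smtp ---
# Postfix passes the service name "smtp" to Cyrus SASL, so saslauthd
# consults this PAM service file. Path is an assumption.
auth     required   pam_mapi.so
account  required   pam_mapi.so

# --- Cyrus SASL configuration read by Postfix ---
# e.g. /etc/sasl2/smtpd.conf (location varies by distribution)
# saslauthd only receives plaintext credentials, so only the
# PLAIN and LOGIN mechanisms can be offered.
pwcheck_method: saslauthd
mech_list: plain login

# --- saslauthd ---
# Must run with the PAM backend:  saslauthd -a pam
# Check the chain without involving SMTP:
#   testsaslauthd -u <user> -p <password> -s smtp

# --- /etc/postfix/main.cf ---
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
# PLAIN/LOGIN send the password unprotected, so only offer AUTH
# once the session is encrypted (a server certificate and key
# must be configured separately).
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
# Relay only for local networks and authenticated users,
# which is what prevents an open relay.
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
```

Because the Kopano/Zarafa password travels through Postfix and saslauthd before pam_mapi performs the login, the saslauthd socket directory should be readable only by the mail service account.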
pam_mapi is licensed under the new BSD license (no advertising, three clause). Alternatively, pam_mapi may be distributed under the terms of the GNU General Public License (GPL), in which case the provisions of the GNU GPL are required instead of the restrictions of the BSD license. This clause is necessary due to a potential conflict between the GNU GPL and the restrictions contained in a BSD-style copyright.
As pam_mapi is a generic PAM module, it can be used for any other PAM-related authentication, e.g. with the Apache web server. If it is stacked with pam_unix, it can allow authentication against both Linux system users and Kopano/Zarafa users, where a user only needs to exist in one of the two user databases. However, pam_mapi provides only limited PAM account functionality, because the existence of an account can only be confirmed after a successful authentication.
Although pam_mapi was primarily developed for use with Kopano/Zarafa and the database plugin, it is not limited to that. However, if the LDAP or Unix plugins of Kopano/Zarafa are used, the use of pam_unix or pam_ldap should be evaluated. At the moment, Kopano and Zarafa are the only MAPI service providers of MAPI4Linux (which is used by pam_mapi), but pam_mapi theoretically supports various MAPI-based server services (e.g. Microsoft Exchange). OpenChange, another MAPI implementation, even supports MAPI/RPC, which is used by Microsoft Exchange, but the rest of its MAPI support is much less complete than that of MAPI4Linux, which Kopano and Zarafa use.
Added support for Kopano Core 8.0.x, 8.1.x and 8.2.x while working around its (unnecessary) API breakage and a Kopano specific missing header file (bug)