sync_authname usability

Rudy Gevaert Rudy.Gevaert at
Mon Jul 5 07:51:49 EDT 2010

Dear list,

I want to share the following remarks concerning sync_user configuration 
and usage.

In a setup where the master and replica are on different servers and you 
don't mix master and replica's you can set up rather good security model.

master imapd.conf:
admin: cyrus
sync_authname: syncuser

replica: imapd.conf
admins: cyrus, syncuser

However if you are running replica's and masters on the same server (of 
different instances) you'll have your sync_password on the server in 
plain text.  And thus the possibility of getting it abused (only on the 

However, if you want to be able to failback, and you'll need to add your 
syncuser to the admins of the master server.

In the end, your are just easier and better of in using one user for 
replication and admin.

However I like to possibility to have a different user for replication.

It would maybe be nice to have some more privilege separation between 
the replication and admin users.  E.g. the replication user don't have 
to be in the admin list.   Wouldn't it?

I agree one could use some kind of password (Kerberos or md5 or ssl 
certs.) less authentication, but that adds extra complexity if you don't 
have (had) that already running.

Kind regards,


More information about the Cyrus-devel mailing list