Cyrus IMAP - sync two servers (one Public, one Private)
amilivojevic at pbl.ca
Tue Mar 8 12:37:15 EST 2005
Charles Marcus wrote:
> So, to summarize, we will have two Cyrus IMAP servers, one Public, one
> Private. Most employee access will be from the internal, office LAN, but
> with occasional access from the internet (home, vacation, etc), so the
> Mailboxes on both servers must be kept in sync. Short delays (up to a
> few minutes) in the sync process are acceptable.
Have you thought of implementing something simpler and more standard?
Many organizations are solving this problem by using single IMAP server
on internal LAN, and webmail host in DMZ (that connects to internal IMAP
server, either directly, or more often through some kind of IMAP proxy).
When outside of the office, employees can access their mail using
webmail interface. When inside the office, they can access it using
regular IMAP client. Actually, I have couple of users that like webmail
interface so much, they are using it even when they are in the office.
Horde/IMP is very nice and usable webmail interface. Squirrel Mail is
another one. I kind of preffer IMP, but that's only my preference.
The webmail solution is very good if you don't trust (outside) client
machines. For example, you are concerned about employees home machines
getting infected by viruses/worms/trojans. All they can directly
connect to is web server in DMZ on which webmail application is
installed. There's no company data stored on that machine.
Second solution would be setting VPN (for example using IPSec). That
way, direct access to internal server from outside is not possible. You
place VPN server in DMZ, and allow access only for clients connected to
VPN server (all of them will have encyrpted IPSec tunnel from their home
machines to your DMZ).
VPN solution could work very nicely. From security standpoint, just a
notch bellow webmail solution. Since you will have firewall between VPN
machine in DMZ and internal network, you have fine control of what can
be accessed. If employees have properly closed-down company laptops on
which they are not able to install any software, with BIOS passwords
preventing them to reinstall machine, and with good AV software
installed, this can also be very secure, and they can use standard IMAP
clients. You might allow opt to allow them only access to IMAP proxy
somewhere in DMZ, instead direct connection to internal IMAP server.
Another solution might be installing IMAP proxy in DMZ. I'd call it
least secure of the bunch.
Last option, if you really want to go with two separate servers, is to
use program such as imapsync. It will sync mailboxes between two IMAP
servers. However, it works only one-way. So you sync for example from
inside to out. If user marks email as read on outside email server,
it'll get overriden on next sync. This is because there is no data that
says when the flags for the message were changed. Also, if mailboxes
contain huge number of emails, it can get very very slow.
Aleksandar Milivojevic <amilivojevic at pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
More information about the Info-cyrus