Cyrus, Radius, Radiator, Vasco
Ian G Batten
ian.batten at uk.fujitsu.com
Tue Jan 29 06:19:34 EST 2008
The Cyrus server I run for my employer is sat on our internal
network, and remote users access either the IMAP port or the
associated Squirrelmail instance via our VPN. They come in via a
Cisco IPSec VPN server, secured with SecureID.
My private Cyrus server, which sits in borrowed space in someone
else's datacentre, doesn't have such luxuries. The IMAP port is
openly available, and there is a Squirrelmail server that will allow
anyone to attempt to log in. All the IMAP clients that access it use
STARTTLS and/or one of the MD5 authentication styles, the
Squirrelmail server only operates over https and the passwords are
generated with /dev/random, so I've not got too much to worry about.
But the datacentre is a University CS department where I do some
lecturing, so all sorts of things could happen.
I'm considering using the Radiator product, which directly supports
Vasco tags and will run on Solaris (my platform of choice), and a
Vasco evaluation kit to upgrade the security. This should only
involve having saslauthd talk to Radius via PAM, but my experience of
incorporating SecureID into other systems is that there are many
little places where things go wrong. Has anyone done anything similar?
More information about the Info-cyrus