SASL authentication with cyrus-imapd

[Dan White]

On 05/23/12 15:20 -0400, James B. Byrne wrote:
>If there is a better venue to ask this question then I would
>appreciate being informed of where that is.
>
>I am investigating how to authenticate smtp submission connections to
>our postfix server from our cyrus-imap server.  In our case these two
>services reside on separate hosts.
>
>I have followed the postfix guide respecting configuring saslauthd to
>use imap (-O rimap) on a remote host.  However, the postfix document
>rather cryptically warns that such authentication is enclaire and that
>an ssh tunnel between the smtp and imap hosts is advised.
>
>My question is how is this secure tunnel done / configured?  Is there
>any way to use saslauth to directly connect via imaps on port 993?

The saslauthd imap backend does not appear to have any support for imaps,
or for SASL authentication. You're stuck with 'user pass' authentication,
which would result in your usernames and passwords being sent in the clear.

Configuring an ssh tunnel could be done using the '-L' command line option
to the openssh 'ssh' binary, where you'd initiate your connection from the
Postfix server. Your local port would need to be 143, or you'd need to
specify '-O localhost/port_number'. That's really outside the scope of
what's documented with Cyrus, and you'll probably find better ways to do it
at google.

What database are you using on your IMAP server? If you're using a network
capable store, like MySQL or LDAP, then you may have better options than
using the imap backend to saslauthd.

If you're using a local sasldb database, then another option is to
configure an openldap server using the same sasldb database
(olcSaslAuxprops: sasldb) and expose authentication to it via the LDAP
protocol. On your postfix server, you could use the ldap saslauthd backend
which is more secure and flexible.

-- 
Dan White