SASL authentication with cyrus-imapd
James B. Byrne
byrnejb at harte-lyne.ca
Wed May 23 16:40:24 EDT 2012
On Wed, May 23, 2012 15:52, Dan White wrote:
. . .
> Configuring an ssh tunnel could be done using the '-L' command
> line option to the openssh 'ssh' binary, where you'd initiate
> your connection from the Postfix server. Your local port would
> need to be 143, or you'd need to specify '-O localhost/port_number'.
> That's really outside the scope of what's documented with Cyrus,
> and you'll probably find better ways to do it at google
Well, I have not been able to find much on google respecting this
subject that makes sense to me. Your suggestion of establishing a
proxy on startup using ssh -L localhost:143:imap.domain.tld:143
certainly seems doable. Particularly as we use certificate
authentication for the root userids in any case. And this solution
also possesses the virtue that I actually understand what it is meant
to accomplish. However, since you raised the question, what better
ways might there be?
>
> What database are you using on your IMAP server? If you're using a
> network capable store, like MySQL or LDAP, then you may have better
> options than using the imap backend to saslauthd.
>
> If you're using a local sasldb database, then another option is to
> configure an openldap server using the same sasldb database
> (olcSaslAuxprops: sasldb) and expose authentication to it via the LDAP
> protocol. On your postfix server, you could use the ldap saslauthd
> backend which is more secure and flexible.
>
Our current Cyrus-Imap backend is a standard passwd file. The users
do not have shells (or rather the shell is nologin) on the imap host
but otherwise it is login authentication. It has been like this since
1995. I only recently discovered that the ability to use imap as an
smtp authentication mechanism existed as up to now our imap and smtp
services co-existed on the same host and the passwd file sufficed for
both.
We are in the process of re-structuring our internal services and
servers. At the moment LDAP implementation is not on the table.
Later perhaps as part of a Samba 4 setup but not right now.
I was hoping that we could use imap authentication as a bridge until
we implement a single login solution later. But the idea of moving
credentials en clair over the wire cannot be entertained. The ssh
proxy you suggest may indeed overcome this objection.
Thank you.
--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
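An added example, not code from the post or from the Cyrus project, illustrating the two points the exchange turns on: what an rimap-style check (the "imap backend" of saslauthd, which connects to an IMAP server and issues LOGIN) actually sends, and why that traffic must not cross the network unprotected. The stub server below stands in for the imapd the `ssh -L` tunnel would reach; the user table, the host/port arguments and the function names `rimap_authenticate` and `password_seen_on_wire` are all assumptions of this example. The client also refuses to send a password when the greeting advertises LOGINDISABLED, the IMAP capability a server that forbids cleartext logins announces on an unprotected connection.

```python
import shlex
import socket
import threading

# Constructed credential store for the stub server (example data only).
USERS = {"jbyrne": "correct horse"}


def _quoted(s):
    """Render s as an IMAP quoted string (escape backslash and double quote)."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


class StubImapServer:
    """Tiny loopback IMAP4rev1 server answering CAPABILITY, LOGIN and LOGOUT.

    It is a stand-in for the Cyrus imapd the tunnel would reach, and it records
    every byte clients send so the example can show what crosses the wire.
    """

    def __init__(self, login_disabled=False):
        self.login_disabled = login_disabled
        self.wire = []  # raw lines received from clients
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _capabilities(self):
        caps = "IMAP4rev1"
        if self.login_disabled:
            caps += " LOGINDISABLED"
        return caps.encode()

    def _accept_loop(self):
        while True:
            conn, _ = self._sock.accept()
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        f = conn.makefile("rwb")
        f.write(b"* OK [CAPABILITY " + self._capabilities() + b"] stub ready\r\n")
        f.flush()
        for raw in f:
            self.wire.append(raw)  # record the line exactly as it arrived
            try:
                parts = shlex.split(raw.decode("utf-8", "replace"))
            except ValueError:
                parts = []
            if len(parts) < 2:
                f.write(b"* BAD parse error\r\n")
                f.flush()
                continue
            tag, cmd, args = parts[0].encode(), parts[1].upper(), parts[2:]
            if cmd == "CAPABILITY":
                f.write(b"* CAPABILITY " + self._capabilities() + b"\r\n" + tag + b" OK done\r\n")
            elif cmd == "LOGIN":
                if self.login_disabled:
                    f.write(tag + b" NO LOGIN disabled on cleartext connection\r\n")
                elif len(args) == 2 and USERS.get(args[0]) == args[1]:
                    f.write(tag + b" OK authenticated\r\n")
                else:
                    f.write(tag + b" NO authentication failed\r\n")
            elif cmd == "LOGOUT":
                f.write(b"* BYE\r\n" + tag + b" OK bye\r\n")
                f.flush()
                break
            else:
                f.write(tag + b" BAD unknown command\r\n")
            f.flush()
        conn.close()


def rimap_authenticate(host, port, user, password):
    """Check a username/password the way an rimap-style backend does:
    connect to an IMAP server, issue LOGIN, map the tagged OK/NO to a bool.
    Refuses to send the password if the greeting advertises LOGINDISABLED."""
    with socket.create_connection((host, port), timeout=5) as s:
        f = s.makefile("rwb")
        greeting = f.readline().decode("utf-8", "replace")
        if "LOGINDISABLED" in greeting:
            raise RuntimeError("server advertises LOGINDISABLED; LOGIN would be refused")
        f.write(b"a001 LOGIN " + _quoted(user).encode() + b" " + _quoted(password).encode() + b"\r\n")
        f.flush()
        result = None
        while result is None:
            line = f.readline().decode("utf-8", "replace")
            if not line:
                raise ConnectionError("server closed the connection")
            if line.startswith("a001 "):
                result = line.split(" ", 2)[1] == "OK"
        f.write(b"a002 LOGOUT\r\n")
        f.flush()
        return result


def password_seen_on_wire(server, password):
    """True if the password is readable in the bytes the server received."""
    return password.encode() in b"".join(server.wire)


if __name__ == "__main__":
    srv = StubImapServer()
    print(rimap_authenticate("127.0.0.1", srv.port, "jbyrne", "correct horse"))  # True
    print(rimap_authenticate("127.0.0.1", srv.port, "jbyrne", "guess"))          # False
    print(password_seen_on_wire(srv, "correct horse"))                          # True
```

The last line is the point of the thread: the LOGIN command carries the password verbatim, so whatever sits between the Postfix host and the IMAP host sees it unless that path is protected. With the loopback tunnel from the quoted reply (`ssh -L 127.0.0.1:143:imap.domain.tld:143 ...` started on the Postfix host), the cleartext exchange happens only on the loopback interface and inside the ssh session, and saslauthd is pointed at the tunnel endpoint rather than at the remote host.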