Question: How to specify path to saslauthd mux socket in imapd.conf?

simon.brady at otago.ac.nz simon.brady at otago.ac.nz
Tue Dec 10 05:18:32 EST 2002


On Mon, 9 Dec 2002, Kevin M. Myer wrote:

> What I still need to figure out is how to specify which saslauthd mux
> socket for each domain's imap process to connect to. [...] I can't seem
> to find that documented anywhere (probably because it's only in this
> special case scenario that you'd even need to use it :)
 
What you're describing sounds almost like a solution to a problem I'm
grappling with, but I suspect not quite - any suggestions on the Right Way
to proceed here would be welcomed:

I'm upgrading an inherited 1.5.19 installation to 2.1.11, but have to cope 
with some local authentication madness. For historical reasons we 
authenticate to different LDAP servers depending upon the usercode (staff 
and students), and the 1.5 code has been horribly hacked to support this.

Taking the LDAP madness as read, it sounds like the way to solve this in
Cyrus is to go to imapd-2_2 in CVS and use named virtual domains, with
users logging in as user@staff or user@student. Alas, that's not a
realistic short-term option for me (as a Cyrus newbie I'd rather stay away
from CVS, and the upgrade has to be invisible to users wherever possible).

So what I've been considering is applying a similar patch to
saslauthd/lak.c to choose an LDAP config based on the usercode. Obviously
I'd prefer not to mutilate the code if I could avoid it - if I instead ran
two saslauthd instances with their own configs, is there a way to make
imapd 2.1 dynamically choose a socket based on some per-user property?  
(This property needn't be the usercode - for example, we keep staff and
students in separate partitions.)

Like I said, any advice would be gratefully received!

> Also, is it reasonable to think that most major IMAP clients could
> handle talking to a server that only listens on imaps (basically my
> forcing of TLS idea above)?  I know my webmail client, IMP, can handle
> that but can most other standalone clients handle imaps well and will
> they barf over self-signed certificates?

Following up on Rob's list, my tests show that Outlook 2000, Pine 4.44 and 
Mozilla 1.0.1 complain about self-signed certs but let you use them.

Eudora 5.2 is more interesting: they've fixed the broken STARTTLS support
that plagued 5.0/5.1 so that it really does start TLSv1 on port 143 (their
IMAPS (port 993) support is for TLSv1 with an SSLv2 hello). However, it 
will fail the connection if you're using a self-signed cert, and Qualcomm 
support doc 2323HQ tells you to go into Certificate Manager and add the 
cert to your trusted list.

Which is all nice and sensible, except that running it in Light mode you
have to open the "Last SSL Info" dialog to get to Cert Manager, and you
can't open that dialog until you've had a successful SSL connection.
Hmm...

--
Simon Brady                             mailto:simon.brady at otago.ac.nz
ITS Technical Services
University of Otago, Dunedin, New Zealand
