Question: How to specify path to saslauthd mux socket in imapd.conf?
Igor Brezac
igor at ipass.net
Mon Dec 9 17:27:23 EST 2002
On Mon, 9 Dec 2002, Kevin M. Myer wrote:
> Hi,
>
> With the recent Cyrus IMAP buffer overflow exploit, it's time to upgrade our mail
> server. I've been sitting on a Cyrus IMAP 2.1.X CVS install from right before
> the SASL2 requirement went into effect and have been holding off on upgrading
> until I can figure out a decent path to go from SASL1 -> SASL2 and still keep
> LDAP authentication working. Currently, I'm using Simon's LDAP authentication
> patch for SASLv1. I have four different domains, all being served out of
> different trees on the same directory server. With sasl_auto_transition turned
> on, CRAM-MD5 and DIGEST-MD5 authentication works after an initial plaintext
> login (done at account setup on a local network). Since saslauthd only supports
> plaintext passwords for LDAP authentication, I'm thinking that if I trade the
> stronger SASL authentication off for requiring TLS for the entire IMAP
> conversation (via , I don't give anything up security-wise. In other words, I
> can rely on the transport layer to provide encryption, instead of a higher layer
> and that way email can't be sniffed either.
>
> So I upgraded to the latest versions of Cyrus SASL (2.1.10) and Cyrus IMAP
> (2.1.11) today on my test server. I got saslauthd working fine with LDAP for
> one Cyrus IMAP "virtual domain" (the altconfig type meaning I specify a full set
> of services per domain, bound to a unique IP address and I have a unique
> imapd.conf for each domain, I'm not talking about the newer virtual domain
> support). What I still need to figure out is how to specify which saslauthd mux
> socket for each domain's imap process to connect to. I know how to start
> multiple saslauthd's and specify which socket for them to create but I need to
> know how to specify in /etc/imapd.conf which of those sockets to connect to. I
> can't seem to find that documented anywhere (probably because it's only in this
> special case scenario that you'd even need to use it :)
>
> Also, is it reasonable to think that most major IMAP clients could handle
> talking to a server that only listens on imaps (basically my forcing of TLS idea
> above)? I know my webmail client, IMP, can handle that but can most other
> standalone clients handle imaps well and will they barf over self-signed
> certificates?
>
> As always, if there's a simpler way to do this whole thing, I'd like to hear
> about it. What I have now works extremely well, so I'm not inclined to change
> it too much but I could be missing something very obvious too. I know there's
> supposedly an OpenLDAP 2.X internal auxprop plugin in the works but that won't
> help me too much since our directory server is iPlanet DS. Maybe it's time to
> bite the bullet and migrate directory server platforms too...
>
OpenLDAP internal auxprop plugin works for OpenLDAP only. You will need
to build your own or try a few plugins available on the web. One is
available in the contrib directory of the latest OpenLDAP tarball.
--
Igor
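The per-domain socket question in the quoted message, worked through as an added example (this is not code from either poster or from the Cyrus project). It assumes three things about Cyrus SASL 2.1.x and Cyrus IMAP 2.1.x: saslauthd's `-m` names the directory in which it creates the `mux` socket; any imapd.conf key prefixed with `sasl_` is handed to the SASL library, whose `saslauthd_path` option names that same directory, so the key is `sasl_saslauthd_path`; and `testsaslauthd -f` takes the socket path. Domain tags, paths and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example for this thread (not code from either poster or from Cyrus):
# one saslauthd instance per altconfig domain, each with its own mux
# directory, plus the imapd.conf lines that point that domain's imapd at it.
# Assumed facts: saslauthd -m takes the DIRECTORY holding the "mux" socket;
# Cyrus IMAP passes "sasl_"-prefixed imapd.conf keys to the Cyrus SASL
# library, whose saslauthd_path option names that directory; testsaslauthd -f
# takes the socket path. All names and paths below are constructed.

# Print the saslauthd command line for one domain.
# $1 = domain tag, $2 = mux directory
saslauthd_cmd() {
    printf 'saslauthd -a ldap -O /etc/saslauthd-%s.conf -m %s -n 5\n' "$1" "$2"
}

# Print the imapd.conf fragment for one domain. Only plaintext mechanisms
# reach saslauthd, so allowplaintext: no keeps PLAIN/LOGIN off the wire
# until a TLS layer is in place, which is the trade-off the question proposes.
# $1 = domain tag, $2 = mux directory
imapd_conf_fragment() {
    cat <<EOF
# /etc/imapd-$1.conf (constructed)
configdirectory: /var/imap-$1
partition-default: /var/spool/imap-$1
sasl_pwcheck_method: saslauthd
sasl_saslauthd_path: $2
sasl_mech_list: PLAIN LOGIN
allowplaintext: no
tls_cert_file: /etc/ssl/cyrus/$1.crt
tls_key_file: /etc/ssl/cyrus/$1.key
EOF
}

# Print the end-to-end check for one domain's socket, so a mismatched
# -m / sasl_saslauthd_path pair is caught before imapd is restarted.
# $1 = domain tag, $2 = test user, $3 = mux directory
testsaslauthd_cmd() {
    printf 'testsaslauthd -u %s -p "$PASSWORD" -f %s/mux\n' "$2" "$3"
}

# Succeed only if the mux socket for a directory already exists as a socket.
mux_socket_ok() {
    [ -S "$1/mux" ]
}

# Walk a constructed domain list and emit everything per domain.
main() {
    for domain in example-a example-b; do
        muxdir="/var/run/saslauthd-$domain"
        echo "### $domain"
        saslauthd_cmd "$domain" "$muxdir"
        imapd_conf_fragment "$domain" "$muxdir"
        testsaslauthd_cmd "$domain" alice "$muxdir"
        if mux_socket_ok "$muxdir"; then
            echo "# $muxdir/mux is present"
        else
            echo "# $muxdir/mux not present yet: start saslauthd first"
        fi
        echo
    done
}

main
```

Each domain's imapd then reads its own imapd.conf (the `-C` path you already use for altconfig), so the `sasl_saslauthd_path` line is the only per-domain knob the SASL side needs; the mux directory must be traversable by the user imapd runs as, otherwise the library silently falls back to the compiled-in default directory.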