Question: How to specify path to saslauthd mux socket in imapd.conf?

Kevin M. Myer kevin_myer at iu13.org
Mon Dec 9 16:43:58 EST 2002 

Hi,

With the recent Cyrus IMAP buffer overflow exploit, its time to upgrade our mail
server.  I've been sitting on a Cyrus IMAP 2.1.X CVS install from right before
the SASL2 requirement went into effect and have been holding off on upgrading
until I can figure out a decent path to go from SASL1 -> SASL2 and still keep
LDAP authentication working.  Currently, I'm using Simon's LDAP authentication
patch for SASLv1.  I have four different domains, all being served out of
different trees on the same directory server.  With sasl_auto_transition turned
on, CRAM-MD5 and DIGEST-MD5 authentication works after an initial plaintext
login (done at account setup on a local network).  Since saslauthd only supports
plaintext passwords for LDAP authentication, I'm thinking that if I trade the
stronger SASL authentication off for requiring TLS for the entire IMAP
conversation (via , I don't give anything up security-wise.  In other words, I
can rely on the transport layer to provide encryption, instead of a higher layer
and that way email can't be sniffed either.

So I upgraded to the latest versions of Cyrus SASL (2.1.10) and Cyrus IMAP
(2.1.11) today on my test server.  I got saslauthd working fine with LDAP for
one Cyrus IMAP "virtual domain" (the altconfig type meaning I specify a full set
of services per domain, bound to a unique IP address and I have a unique
imapd.conf for each domain, I'm not talking about the newer virtual domain
support).  What I still need to figure out is how to specify which saslauthd mux
socket for each domain's imap process to connect to.  I know how to start
multiple saslauthd's and specify which socket for them to create but I need to
know how to specify in /etc/imapd.conf which of those sockets to connect to.  I
can't seem to find that documented anywhere (probably because its only in this
special case scenario that you'd even need to use it :)

Also, is it reasonable to think that most major IMAP clients could handle
talking to a server that only listens on imaps (basically my forcing of TLS idea
above)?  I know my webmail client, IMP, can handle that but can most other
standalone clients handle imaps well and will they barf over self-signed
certificates?

As always, if there's a simpler way to do this whole thing, I'd like to hear
about it.  What I have now works extremely well, so I'm not inclined to change
it too much but I could be missing something very obvious too.  I know there's
supposedly an OpenLDAP 2.X internal auxprop plugin in the works but that won't
help me too much since our directory server is iPlanet DS.  Maybe its time to
bite the bullet and migrate directory server platforms too...

Thanks,
Kevin

-- 
Kevin M. Myer
Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
(717) 560-6140

More information about the Info-cyrus mailing list