Cyrus IMAP server + multiple kerberos realms/virtual domains

Derrick J Brashear shadow at dementia.org
Sat Dec 4 15:51:20 EST 2004


On Thu, 2 Dec 2004, Nikola Milutinovic wrote:

>> But all of these are really far more complicated than just doing key 
>> exchange between realms and putting all the mailboxes in one realm; more 
>> recent cyrus' murder features are actually being used by cmu to have 2 
>> realms (actually 3, but the 3rd is a test realm) with a common mailbox 
>> namespace behind it. but, even that may be more complex than you need or 
>> want. I'm not sure.
>
> I really don't want to complicate things, I've learned that lesson a long 
> time ago.
>
> What would you advise me to do in my future setup?

Key exchange definitely makes things simpler. In imapd.conf, say

    loginrealms: realm1 realm2 realm3
    loginuseacl: t

Then set ACLs to include e.g. user@realm2 and user@realm3 on the mailbox
for user (assuming realm1 is local) when you create a mailbox.

That's the simplest.

> I will definitely have two ADS domains, packed with users. They will all use
> OE and I can and will set up two VirtualDomains on the IMAP. The part that
> worries me is authentication. Will they be willing to talk to the IMAP server
> from another Kerberos realm?

My mail clients do, but I can't comment on OE.

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
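
Added example, not part of the original post: with `loginuseacl` enabled, any identity holding the `a` right on a user's INBOX may log in as that user, so the cross-realm ACL entries suggested above are worth auditing. The sketch below flags INBOX entries whose identity does not match the mailbox owner or whose realm is not in `loginrealms`. The ACL listing format, the sample users, `realm4`, and the `user.<name>` naming are assumptions made for illustration.

```python
# Added example (not from the original post). Sample data is constructed.
IMAPD_CONF = """\
loginrealms: realm1 realm2 realm3
loginuseacl: t
"""
# Constructed listing, one "mailbox identifier rights" entry per line.
ACLS = """\
user.alice alice lrswipcda
user.alice alice@realm2 lrswipcda
user.alice alice@realm3 lrswipcda
user.alice bob@realm2 lrs
user.bob bob lrswipcda
user.bob carol@realm2 lrswipcda
user.bob bob@realm4 lrswipcda
user.bob.Archive dave@realm2 lrsa
"""

def parse_conf(text):
    """Parse 'option: value' lines, skipping blanks and # comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            opts[key.strip()] = value.strip()
    return opts

def audit(conf_text, acl_text, local_realm="realm1"):
    """Return (mailbox, identifier, reason) for risky INBOX ACL entries."""
    conf = parse_conf(conf_text)
    # Assumption: 't' (as in the post) and similar spellings mean enabled.
    if conf.get("loginuseacl", "0").lower() not in {"1", "t", "true", "yes", "on"}:
        return []
    realms = set(conf.get("loginrealms", "").split()) | {local_realm}
    findings = []
    for line in acl_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        mailbox, ident, rights = parts
        # Only the 'a' right on a top-level user.<name> mailbox matters here.
        if not mailbox.startswith("user.") or mailbox.count(".") != 1 or "a" not in rights:
            continue
        owner = mailbox.split(".", 1)[1]
        name, _, realm = ident.partition("@")
        if (realm or local_realm) not in realms:
            findings.append((mailbox, ident, "realm not in loginrealms"))
        elif name != owner:
            findings.append((mailbox, ident, "can log in as " + owner))
    return findings
```

On the constructed data, `audit(IMAPD_CONF, ACLS)` reports `carol@realm2` on `user.bob` and the `bob@realm4` entry; the sub-mailbox entry and the entry without `a` are ignored.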



