Questions about authentication

Andrew Morgan morgan at
Wed Jan 7 11:29:01 EST 2004

On Wed, 7 Jan 2004, Josh Endries wrote:

> Hello fellow list members,
> I'm currently designing (implementing, testing, etc.) a new mail system
> to replace our overworked single Sendmail server. I am testing a setup
> with two servers currently: one running Cyrus 2.1 (and MySQL, which will
> be moved in time), and one running Postfix with LMTP. SASL on both
> servers talks to MySQL for authentication, which seems to work, but
> after reading through some docs again and searching online, I'm not sure
> I understood some concepts correctly (specifically authentication and/or
> authorization).
> I planned on using MySQL to define the accounts and passwords (and
> basically everything). This is pretty easy with Postfix, but after
> running into actual delivery issues (mailbox doesn't exist), I'm not
> sure if I can do this the way I hoped. It could be I just don't
> understand something. We host email for dozens of virtual hosts, so I've
> been looking at Cyrus 2.2 also, and will start testing that soon for the
> vhosting capabilities. Woohoo! :)
> Basically I'm wondering if I can have Cyrus look to the MySQL server for
> authorization. I know Cyrus looks to SASL, which in turn looks to MySQL
> (through auxprop), for authentication, and I originally thought I could
> do this with authorization also. I thought I read somewhere Cyrus IMAP
> didn't need UNIX accounts to exist, but there may have been a "with
> Kerberos" part in there, or something similar, that I didn't notice. I
> actually don't think I let the difference between the two auths sink in
> enough at first. Now it looks like I still need a UNIX account for each
> user, which cramps the virtual host setup (I don't like the whole
> "user0014" method, but if I have no alternative...). Or maybe I should
> look into using LDAP or Kerberos, hmmmm.
> Reading through the 2.2 docs I saw a section mentioning the ability to
> bounce authorization off of UNIX accounts, Kerberos 4 and 5, and an
> external process "ptloader" for LDAP, etc. Are there any
> implementations that use ptloader to talk to MySQL (or PostgreSQL,
> or...SQL :))?
> Thanks!

All you need to do is create mailboxes in Cyrus (user.user0014) and Cyrus'
lmtpd will start accepting mail for them.  I don't believe there is any
special authorization check done using SASL.  You definitely don't need to
create unix accounts for all your users.
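As an added example (not code from this thread), here is a small Python provisioning helper in the spirit of the reply: it takes account rows like the ones the poster keeps in MySQL and emits the cyradm commands that create the `user.<userid>` mailboxes lmtpd will then accept mail for. The table columns, the quota values and the 2.1-style `user.<userid>` naming (no virtual-domain suffix) are assumptions; userids that are not safe for the mailbox namespace (for instance ones containing the "." hierarchy separator) are rejected rather than passed to cyradm.

```python
import re

# In Cyrus' default hierarchy the "." is the folder separator, so a user
# mailbox is "user.<userid>" and a userid containing "." would become a
# sub-folder of someone else's mailbox. Assumption: a conservative character
# set for userids coming out of the (untrusted) account database.
USERID_RE = re.compile(r"^[a-z0-9_-]{1,64}$")

# Constructed sample rows standing in for the MySQL account table described
# in the question (assumed columns: userid, quota_kb, active).
ACCOUNTS = [
    {"userid": "user0014", "quota_kb": 102400, "active": 1},
    {"userid": "alice", "quota_kb": 51200, "active": 1},
    {"userid": "bob.smith", "quota_kb": 51200, "active": 1},  # rejected: "."
    {"userid": "old-account", "quota_kb": 0, "active": 0},    # skipped: inactive
]


def mailbox_name(userid):
    """Return the Cyrus mailbox name for a userid, or None if it is not safe."""
    if not USERID_RE.match(userid):
        return None
    return "user." + userid


def cyradm_commands(accounts):
    """Build cyradm lines (cm = createmailbox, sq = setquota) for every
    active account. Returns (commands, rejected_userids)."""
    commands, rejected = [], []
    for row in accounts:
        if not row["active"]:
            continue
        mbox = mailbox_name(row["userid"])
        if mbox is None:
            rejected.append(row["userid"])
            continue
        commands.append(f"cm {mbox}")
        if row["quota_kb"] > 0:
            commands.append(f"sq {mbox} STORAGE {row['quota_kb']}")
    return commands, rejected


if __name__ == "__main__":
    cmds, bad = cyradm_commands(ACCOUNTS)
    # The printed script can be fed to: cyradm --user cyrus localhost < script
    print("\n".join(cmds))
    if bad:
        print("# rejected userids: " + ", ".join(bad))
```

The rejected list is the part worth logging: a row that fails validation is either a data-entry mistake or a sign that something other than the provisioning code is writing to the account table.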
