Questions about authentication

Josh Endries jendries at pragmeta.com
Wed Jan 7 10:51:44 EST 2004 

Hello fellow list members,

I'm currently designing (implementing, testing, etc.) a new mail system 
to replace our overworked single Sendmail server. I am testing a setup 
with two servers currently: one running Cyrus 2.1 (and MySQL, which will 
be moved in time), and one running Postfix with LMTP. SASL on both 
servers talks to MySQL for authentication, which seems to work, but 
after reading through some docs again and searching online, I'm not sure 
I understood some concepts correctly (specifically authentication and/or 
authorization).

I planned on using MySQL to define the accounts and passwords (and 
basically everything). This is pretty easy with Postfix, but after 
running into actual delivery issues (mailbox doesn't exist), I'm not 
sure if I can do this the way I hoped. It could be I just don't 
understand something. We host email for dozens of virtual hosts, so I've 
been looking at Cyrus 2.2 also, and will start testing that soon for the 
vhosting capabilities. Woohoo! :)

Basically I'm wondering if I can have Cyrus look to the MySQL server for 
authorization. I know Cyrus looks to SASL, which in turn looks to MySQL 
(through auxprop), for authentication, and I originally thought I could 
do this with authorization also. I thought I read somewhere Cyrus IMAP 
didn't need UNIX accounts to exist, but there may have been a "with 
Kerberos" part in there, or something similar, that I didn't notice. I 
actually don't think I let the difference between the two auth's sink in 
enough at first. Now it looks like I still need a UNIX account for each 
user, which cramps the virtual host setup (I don't like the whole 
"user0014" method, but if I have no alternative...). Or maybe I should 
look into using LDAP or Kerberos, hmmmm.

Reading through the 2.2 docs I saw a section mentioning the ability to 
bounce authorization off of UNIX accounts, Kerberos 4 and 5, and an 
external process "ptloader" for LDAP, etc.. Are there any 
implementations that use ptloader to talk to MySQL (or PostgreSQL, 
or...SQL :))?

Thanks!

More information about the Info-cyrus mailing list