[POLL] Cyrus 2.2 virtdomains behavior (Was: global admin without defaultdomain?)

Rob Siemborski rjs3 at andrew.cmu.edu
Fri Jan 2 12:31:30 EST 2004

On Fri, 2 Jan 2004, Paul Boven wrote:

> Security is a very important thing. And security to me means encryption,
> not only of the authentication phase but of the whole session. Now with
> HTTPS I know you loose the ability to support virtual domains, because
> the TLS session must be setup before the requested URL is transferred.

While this is definately true in HTTP (as sensitive information travesrses
the network otherwise unencrypted), it is no where near as important in
IMAP, unless you are concerned about people knowing what mailboxes you
select (or if you use a mailbox that only gets APPENDed to).

In almost every case, all of the information available in Cyrus has
already crossed the network unencrypted, be it via SMTP between sites or
via NNTP from a feeder peer.  So, the contents of the messages have
already been exposed, so the *content* isn't secure anyway.

The only argument I currently completely understand for an IP-only based
setup is that of sites that need to distinguish ANONYMOUS users between
domains (and prehaps that is good enough).


Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper

More information about the Info-cyrus mailing list