Plain text password between frontend and backend
Ken Murchison
murch at andrew.cmu.edu
Thu Dec 15 08:18:35 EST 2005
Ramya Krishnan wrote:
> Michael Loftis wrote:
>
>> -nodes IIRC
>>
>> --On December 15, 2005 12:43:53 PM +0530 Ramya Krishnan
>> <ramya_krishnan at sifycorp.com> wrote:
>>
>>>
>>> Ken Murchison wrote:
>>>
>>>
>>> Because the frontends proxy as the user to the backend, the IMAP LOGIN
>>> command can not be used. The only plaintext SASL mechanism that can be
>>> used is PLAIN, but you can't use it unless protected by TLS. Looking at
>>> the CAPABILITY output above, it doesn't look like you've configured TLS.
>>>
>>> You might also be able to fake this by running imapd on the backends
>>> with
>>> the '-p 2' option.
>>>
>>>
>>> 1. I have 2 backend servers and one proxy-cum/mupdate server. The
>>> password comes as clear text over the network (unsafe) to proxy. Then I
>>> am forced to use TLS between the backend and frontend servers... This
>>> network is safe and i dun want the overhead of ssl... Is there a way to
>>> overcome this
>>
>>
>>
> Do I have to use TLS for communication between the front-end and backend
> servers??
You have to use a SASL mechanism which allows proxy authentication
(PLAIN, DIGEST-MD5, KERBEROS).
How can your frontend/backend network be considered safe, when you have
to allow clients to be able to access backends directly (for referrals)?
--
Kenneth Murchison
Systems Programmer
Carnegie Mellon University
More information about the Info-cyrus
mailing list