Plain text password between frontend and backend

Ken Murchison murch at andrew.cmu.edu
Thu Dec 15 08:18:35 EST 2005


Ramya Krishnan wrote:
> Michael Loftis wrote:
> 
>> -nodes IIRC
>>
>> --On December 15, 2005 12:43:53 PM +0530 Ramya Krishnan 
>> <ramya_krishnan at sifycorp.com> wrote:
>>
>>>
>>> Ken Murchison wrote:
>>>
>>>
>>> Because the frontends proxy as the user to the backend, the IMAP LOGIN
>>> command can not be used.  The only plaintext SASL mechanism that can be
>>> used is PLAIN, but you can't use it unless protected by TLS.  Looking at
>>> the CAPABILITY output above, it doesn't look like you've configured TLS.
>>>
>>> You might also be able to fake this by running imapd on the backends
>>> with the '-p 2' option.
>>>
>>>
>>> 1. I have 2 backend servers and one proxy-cum/mupdate server. The
>>> password comes as clear text over the network (unsafe) to proxy. Then I
>>> am forced to use TLS between the backend and frontend servers... This
>>> network is safe and I don't want the overhead of SSL... Is there a way to
>>> overcome this?
>>
>>
>>
> Do I have to use TLS for communication between the front-end and backend
> servers?

You have to use a SASL mechanism which allows proxy authentication 
(PLAIN, DIGEST-MD5, KERBEROS).

How can your frontend/backend network be considered safe, when you have 
to allow clients to be able to access backends directly (for referrals)?

-- 
Kenneth Murchison
Systems Programmer
Carnegie Mellon University
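
The following is an added example, not part of the original message and not Cyrus code. It sketches the SASL PLAIN message (RFC 4616) a frontend would send when proxying as a user, and the checks a backend would make: PLAIN only under TLS, and an authorization identity that differs from the authenticating account only for a designated proxy account. The account names, passwords and function names are constructed assumptions.

```python
import base64
import hmac

# Constructed sample data; account names and passwords are assumptions.
PASSWORDS = {"murder-proxy": "s3cret", "alice": "pw"}
PROXY_ACCOUNTS = {"murder-proxy"}  # accounts allowed to act for other users


def plain_initial_response(authzid, authcid, password):
    """Build the RFC 4616 message [authzid] NUL authcid NUL passwd, base64-encoded."""
    for field in (authzid, authcid, password):
        if "\x00" in field:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    raw = "\x00".join((authzid, authcid, password)).encode("utf-8")
    # base64 is only an encoding: anyone who sees this on the wire sees the password.
    return base64.b64encode(raw).decode("ascii")


def parse_plain(b64):
    """Return (authzid, authcid, password); an empty authzid means 'same as authcid'."""
    parts = base64.b64decode(b64, validate=True).split(b"\x00")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN message")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    if not authcid or not password:
        raise ValueError("authcid and password are required")
    return authzid or authcid, authcid, password


def check_password(authcid, password):
    expected = PASSWORDS.get(authcid)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())


def backend_accepts(b64, tls_active):
    """Return the user the session runs as, or None if the login is refused."""
    if not tls_active:
        return None  # plaintext mechanism refused on an unprotected connection
    try:
        authzid, authcid, password = parse_plain(b64)
    except ValueError:
        return None
    if not check_password(authcid, password):
        return None
    if authzid != authcid and authcid not in PROXY_ACCOUNTS:
        return None  # ordinary users may not authorize as someone else
    return authzid
```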


