Cyrus IMAP - sync two servers (one Public, one Private)

Aleksandar Milivojevic amilivojevic at pbl.ca
Tue Mar 8 12:37:15 EST 2005


Charles Marcus wrote:
> So, to summarize, we will have two Cyrus IMAP servers, one Public, one 
> Private. Most employee access will be from the internal, office LAN, but 
> with occasional access from the internet (home, vacation, etc), so the 
> Mailboxes on both servers must be kept in sync. Short delays (up to a 
> few minutes) in the sync process are acceptable.

Have you thought of implementing something simpler and more standard?

Many organizations are solving this problem by using a single IMAP server 
on the internal LAN, and a webmail host in the DMZ (that connects to the 
internal IMAP server, either directly, or more often through some kind of 
IMAP proxy).  When outside of the office, employees can access their mail 
using the webmail interface.  When inside the office, they can access it 
using a regular IMAP client.  Actually, I have a couple of users that like 
the webmail interface so much, they are using it even when they are in the 
office.  Horde/IMP is a very nice and usable webmail interface.  Squirrel 
Mail is another one.  I kind of prefer IMP, but that's only my preference.

The webmail solution is very good if you don't trust (outside) client 
machines.  For example, you are concerned about employees' home machines 
getting infected by viruses/worms/trojans.  All they can directly 
connect to is the web server in the DMZ on which the webmail application is 
installed.  There's no company data stored on that machine.

A second solution would be setting up a VPN (for example using IPSec).  That 
way, direct access to the internal server from outside is not possible.  You 
place the VPN server in the DMZ, and allow access only for clients connected 
to the VPN server (all of them will have an encrypted IPSec tunnel from their 
home machines to your DMZ).

The VPN solution could work very nicely.  From a security standpoint, just a 
notch below the webmail solution.  Since you will have a firewall between the 
VPN machine in the DMZ and the internal network, you have fine control of 
what can be accessed.  If employees have properly closed-down company 
laptops on which they are not able to install any software, with BIOS 
passwords preventing them from reinstalling the machine, and with good AV 
software installed, this can also be very secure, and they can use standard 
IMAP clients.  You might opt to allow them only access to an IMAP proxy 
somewhere in the DMZ, instead of a direct connection to the internal IMAP 
server.

Another solution might be installing an IMAP proxy in the DMZ.  I'd call it 
the least secure of the bunch.

The last option, if you really want to go with two separate servers, is to 
use a program such as imapsync.  It will sync mailboxes between two IMAP 
servers.  However, it works only one-way.  So you sync, for example, from 
inside to out.  If a user marks an email as read on the outside email 
server, it'll get overridden on the next sync.  This is because there is no 
data that says when the flags for the message were changed.  Also, if 
mailboxes contain a huge number of emails, it can get very, very slow.

-- 
Aleksandar Milivojevic <amilivojevic at pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
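To make the flag-overwrite problem from the post concrete, here is an added illustration (my own, not imapsync's code and not part of the original message). It models each mailbox as a map from message UID to a set of IMAP flags. `one_way_sync` copies flags the way a one-directional sync does, which is where the `\Seen` flag set on the outside server gets lost; `three_way_merge` shows what a sync tool would need in order to keep flag changes made on either side: a recorded copy of the state at the last sync (the `base`), so that "changed since last sync" can be derived even though IMAP itself stores no timestamp for flag changes. The mailbox contents are constructed sample data.

```python
"""Why one-way IMAP flag sync loses changes, and what a baseline fixes.

A mailbox is modelled as {uid: set_of_flags}.  Flags are IMAP-style
strings such as "\\Seen" or "\\Flagged".  Sample data is constructed.
"""


def one_way_sync(src, dst):
    """Copy every message and its flags from src to dst, imapsync-style.

    dst's own flag state is simply overwritten, so a flag the user set
    on dst since the last run disappears.  Returns dst for convenience.
    """
    for uid, flags in src.items():
        dst[uid] = set(flags)
    return dst


def three_way_merge(base, inside, outside):
    """Merge flags of two replicas using the last-synced state as baseline.

    For each message:
      * a flag added on either side since the baseline is kept,
      * a flag removed on either side since the baseline is dropped
        (removal wins over an unchanged copy on the other side),
      * a message known at the last sync but missing on one side is
        treated as deleted and left out of the result.
    Messages new on one side (absent from base) are carried over as-is.
    """
    merged = {}
    for uid in set(inside) | set(outside):
        if uid in base and (uid not in inside or uid not in outside):
            continue  # deleted on one side since the last sync
        b = base.get(uid, set())
        i = inside.get(uid, set())
        o = outside.get(uid, set())
        added = (i - b) | (o - b)
        removed = (b - i) | (b - o)
        merged[uid] = (b | added) - removed
    return merged


def demo_one_way():
    """Reproduce the failure described on the list: \\Seen set on the
    outside server is overwritten by the next inside-to-outside sync."""
    inside = {1: {"\\Seen"}, 2: set()}
    outside = {1: {"\\Seen"}, 2: {"\\Seen"}}  # user read msg 2 from outside
    one_way_sync(inside, outside)
    return outside[2]  # the read status on message 2 is gone


def demo_three_way():
    """Same scenario with a baseline: both sides' changes survive."""
    base = {1: {"\\Seen"}, 2: set(), 3: set()}  # state at last sync
    # Inside: flagged msg 1, received new msg 4.
    inside = {1: {"\\Seen", "\\Flagged"}, 2: set(), 3: set(), 4: set()}
    # Outside: read msg 2, deleted msg 3.
    outside = {1: {"\\Seen"}, 2: {"\\Seen"}}
    return three_way_merge(base, inside, outside)


if __name__ == "__main__":
    print("one-way result for msg 2:", demo_one_way())
    print("three-way merge result:", demo_three_way())
```

The merge deliberately lets a removal beat an unchanged copy, because with no per-flag timestamps that is the only consistent choice; a real bidirectional tool would also have to persist the baseline between runs and cope with UID renumbering after UIDVALIDITY changes, which this sketch ignores.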
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html