Cyrus, Radius, Radiator, Vasco
Ian G Batten
ian.batten at uk.fujitsu.com
Tue Jan 29 06:19:34 EST 2008

The Cyrus server I run for my employer is sat on our internal
network, and remote users access either the IMAP port or the
associated Squirrelmail instance via our VPN. They come in via a
Cisco IPSec VPN server, secured with SecurID.

My private Cyrus server, which sits in borrowed space in someone
else's datacentre, doesn't have such luxuries. The IMAP port is
openly available, and there is a Squirrelmail server that will allow
anyone to attempt to log in. All the IMAP clients that access it use
STARTTLS and/or one of the MD5 authentication styles; the
Squirrelmail server only operates over https and the passwords are
generated with /dev/random, so I've not got too much to worry about.
But the datacentre is a University CS department where I do some
lecturing, so all sorts of things could happen.

I'm considering using the Radiator product, which directly supports
Vasco tags and will run on Solaris (my platform of choice), and a
Vasco evaluation kit to upgrade the security. This should only
involve having saslauthd talk to Radius via PAM, but my experience of
incorporating SecurID into other systems is that there are many
little places where things go wrong. Has anyone done anything similar?

ian