Cyrus, Radius, Radiator, Vasco

Paul Dekkers Paul.Dekkers at surfnet.nl
Tue Jan 29 15:04:10 EST 2008


Hi,

Ian G Batten wrote:

> The Cyrus server I run for my employer sits on our internal  
> network, and remote users access either the IMAP port or the  
> associated Squirrelmail instance via our VPN.  They come in via a  
> Cisco IPSec VPN server, secured with SecureID.
> 
> My private Cyrus server, which sits in borrowed space in someone  
> else's datacentre, doesn't have such luxuries.   The IMAP port is  
> openly available, and there is a Squirrelmail server that will allow  
> anyone to attempt to log in.  All the IMAP clients that access it use  
> STARTTLS and/or one of the MD5 authentication styles, the  
> Squirrelmail server only operates over https and the passwords are  
> generated with /dev/random, so I've not got too much to worry about.   
> But the datacentre is a University CS department where I do some  
> lecturing, so all sorts of things could happen.
> 
> I'm considering using the Radiator product, which directly supports  
> Vasco tags and will run on Solaris (my platform of choice), and a  
> Vasco evaluation kit to upgrade the security.  This should only  
> involve having saslauthd talk to Radius via PAM, but my experience of  
> incorporating SecureID into other systems is that there are many  
> little places where things go wrong.  Has anyone done anything similar?

We have our Cyrus authenticate to saslauthd via pam_radius to a Radiator
server, so that works. We're also using Radiator with Vasco tokens (on
Linux), and that works too. But I don't think it will be very easy to
combine the two: the Vasco tokens provide you with one-time passwords,
and for IMAP access, you'll have more than just one connection. My
Thunderbird client already makes a new connection for each folder I
open, squirrelmail isn't much better. (Only thing is that you could
cache the "one time" password in Radiator, but you'll end up having
different problems if you open more than one client.)

We use these Vasco tokens actually for administrators, authenticating
for SSH and so forth. The other use case is our single sign-on
environment. There you might have more luck, as you login just once, and
get some kind of cookie and session variables as proof that you logged
in. As soon as you can use that within squirrelmail - that would be
fine. We didn't do that yet; although I do think it should be possible:
check whether the user is logged in, and use the cyrus admin user to
authorize as the real user. I never had the time to play with that.

The non-admin users also have the option of authenticating to the SSO
system using PKI certificates; and actually that is also my last
suggestion: we don't just use that for our web environment, but also for
e-mail! There is actually an SSL proxy based on stunnel in front of our
Cyrus setup that enforces the client certificates on imaps. Cyrus could
do this as well, with tls_require_cert set to 1, but we have stunnel as
some extra paranoia I guess (and/or for historic reasons).

Perhaps certificates can be of use? (You could easily create them with
TinyCA or something.) Only issue we have is with "nomadic use": if you
end up at an internet cafe, it's still better to use a one-time-password
token than to install your certificate locally. (And that is why we also
have that as an option for the SSO system - but then I still have to
login using username/password afterwards in our case - not very SSO.)
But people rarely use webmail here, and TB works just fine with
client-certificates. (Otherwise you could use stunnel on the client side...)

Regards,
Paul

P.S. If you want to have more similarities with your employer's setup:
you could also run a VPN (for instance OpenVPN) with token based
authentication. Something else I still want to try, although we're doing
this with our certificates too - I'm quite sure it is possible to hook
it up to pam for instance.
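The Cyrus -> saslauthd -> PAM -> RADIUS chain that Paul describes at the start of his reply, written out as the configuration files it needs. This is an added example, not code from the original post or from the Cyrus or Radiator projects: the host name radiator.example.net, the shared secret, the scratch-directory file names and the build_radius_chain / check_raddb_server helper functions are all placeholders of mine. The one security-relevant check it carries is on /etc/raddb/server, the only file in the chain that stores a secret in clear text.

```shell
#!/bin/sh
# Added example (not from the original post): Cyrus -> saslauthd -> pam_radius -> RADIUS,
# rendered as config files in a scratch directory, plus a sanity check on the secret file.
# radiator.example.net and the shared secret are placeholders.
set -eu

# 1. Cyrus hands plaintext logins (PLAIN/LOGIN, only after STARTTLS) to saslauthd.
write_imapd_conf() {
    cat > "$1" <<'EOF'
# /etc/imapd.conf (fragment)
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN
# refuse plaintext mechanisms until the session is encrypted
allowplaintext: no
EOF
}

# 2. saslauthd is started as "saslauthd -a pam"; the PAM service it asks for is "imap".
write_pam_imap() {
    cat > "$1" <<'EOF'
# /etc/pam.d/imap
auth     required  pam_radius_auth.so conf=/etc/raddb/server
account  required  pam_permit.so
EOF
}

# 3. pam_radius reads "server[:port] secret [timeout]" lines; the secret is in clear text,
#    so the file must not be group- or world-readable.
write_raddb_server() {
    cat > "$1" <<'EOF'
# /etc/raddb/server  (placeholder host and secret)
radiator.example.net:1812   ChangeMeSharedSecret   3
EOF
    chmod 600 "$1"
}

build_radius_chain() {
    write_imapd_conf "$1/imapd.conf"
    write_pam_imap "$1/pam_imap"
    write_raddb_server "$1/raddb_server"
}

# Returns 0 if the secret file is private (no group/other bits) and every active line
# has the two or three fields pam_radius expects; 1 otherwise.
check_raddb_server() {
    f="$1"
    [ -f "$f" ] || return 1
    # columns 5-10 of "ls -l" are the group and other permission bits
    case "$(ls -l "$f" | cut -c5-10)" in
        ------) ;;
        *) return 1 ;;
    esac
    awk 'BEGIN { bad = 0 }
         !/^[[:space:]]*#/ && NF > 0 && (NF < 2 || NF > 3) { bad = 1 }
         END { exit bad }' "$f"
}

RADIUS_DIR=$(mktemp -d)       # inspect the files here, then copy them into place
build_radius_chain "$RADIUS_DIR"
check_raddb_server "$RADIUS_DIR/raddb_server" && echo "raddb server file is well-formed and private"
```

This is the username/password path only; as the reply notes, a one-time-password token does not fit here because every IMAP connection would consume a fresh code.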

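The client-certificate setup Paul recommends (stunnel terminating imaps in front of Cyrus and refusing connections without a certificate from your own CA), as an added example that is not part of the original post or of the stunnel, Cyrus or TinyCA projects. It shows the stunnel config, the Cyrus-native equivalent with tls_require_cert, a check that the stunnel config really enforces the certificate (verify = 1 is the common mistake: it only checks a certificate if the client happens to send one), and the openssl commands that TinyCA wraps in a GUI. All paths, the CA and user names and the make_client_ca / stunnel_enforces_client_cert helpers are placeholders of mine; the Cyrus option names are the 2.3-era ones the reply predates 2.4, which renamed tls_cert_file and tls_key_file to tls_server_cert and tls_server_key.

```shell
#!/bin/sh
# Added example (not from the original post): stunnel imaps front end that requires a
# CA-signed client certificate, the Cyrus-native equivalent, a check on the stunnel config,
# and a tiny openssl CA for issuing client certs. All paths and names are placeholders.
set -eu

# stunnel: listen on 993, demand a client cert chained to CAfile, pass plaintext IMAP to
# Cyrus on localhost (bind Cyrus's imap service to 127.0.0.1 so the proxy cannot be bypassed).
write_stunnel_conf() {
    cat > "$1" <<'EOF'
; /etc/stunnel/stunnel.conf (placeholder paths)
cert   = /etc/stunnel/imaps-server.pem
key    = /etc/stunnel/imaps-server.key
CAfile = /etc/stunnel/client-ca.pem
; verify = 2: a peer certificate is mandatory and must chain to CAfile.
; verify = 1 only checks a certificate IF the client sends one, so it enforces nothing.
verify = 2
setuid = stunnel
setgid = stunnel
[imaps]
accept  = 993
connect = 127.0.0.1:143
EOF
}

# Cyrus doing the same job itself (2.3 option names; 2.4+ uses tls_server_cert/tls_server_key).
write_cyrus_tls_conf() {
    cat > "$1" <<'EOF'
# /etc/imapd.conf (fragment)
tls_cert_file: /etc/ssl/cyrus/imaps-server.pem
tls_key_file: /etc/ssl/cyrus/imaps-server.key
tls_ca_file: /etc/ssl/cyrus/client-ca.pem
tls_require_cert: 1
EOF
}

# Returns 0 only if the stunnel config actually enforces client certificates:
# verify level 2 or higher, and a CAfile/CApath to validate the chain against.
stunnel_enforces_client_cert() {
    lvl=$(sed -n 's/^[[:space:]]*verify[[:space:]]*=[[:space:]]*\([0-9]\).*/\1/p' "$1" | head -n 1)
    [ -n "$lvl" ] && [ "$lvl" -ge 2 ] || return 1
    grep -Eq '^[[:space:]]*CA(file|path)[[:space:]]*=' "$1"
}

# A minimal CA plus one client certificate (this is what TinyCA drives under the hood).
make_client_ca() {
    dir="$1"; user="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Mail Client CA" \
        -keyout "$dir/client-ca.key" -out "$dir/client-ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$user" \
        -keyout "$dir/$user.key" -out "$dir/$user.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/$user.csr" -CA "$dir/client-ca.pem" \
        -CAkey "$dir/client-ca.key" -CAcreateserial -out "$dir/$user.pem" 2>/dev/null
    # PKCS#12 bundle for Thunderbird (or stunnel on the client); "changeit" is a placeholder
    openssl pkcs12 -export -passout pass:changeit -inkey "$dir/$user.key" \
        -in "$dir/$user.pem" -out "$dir/$user.p12"
}

CERT_DIR=$(mktemp -d)
write_stunnel_conf "$CERT_DIR/stunnel.conf"
write_cyrus_tls_conf "$CERT_DIR/imapd.conf"
if stunnel_enforces_client_cert "$CERT_DIR/stunnel.conf"; then
    echo "stunnel.conf enforces client certificates"
fi
if command -v openssl >/dev/null 2>&1; then
    make_client_ca "$CERT_DIR" alice
    openssl verify -CAfile "$CERT_DIR/client-ca.pem" "$CERT_DIR/alice.pem"
fi
```

When stunnel is the enforcement point, also bind the plain imap service to the loopback address in cyrus.conf (listen="127.0.0.1:imap"), otherwise port 143 is still reachable without a certificate.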


More information about the Info-cyrus mailing list