IMAPS with extra authorization.
Dan White
dwhite at olp.net
Thu Jul 22 00:02:52 EDT 2010
On 21/07/10 21:07 +0200, Josef Karliak wrote:
> All this procedure is because users have weak passwords, so we let them
> in the company (using only IMAP), but if anybody wants to have IMAPS from
> outside of the company (from home, etc...) we force him to create a strong
> password and let IMAPS authorize by this file. And it is not allowed to
> use anyone else's authorization from IMAPS... Question - is this possible
> at all ? :)

Another approach is to take advantage of service specific sasl
configuration.

For instance, if you have cyrus.conf configuration like:

  imap cmd="imapd -U 30 -D" listen="imap" prefork=0
  imaps cmd="imapd -s -U 30" listen="imaps" prefork=0

Then you could create a default SASL configuration in /etc/imapd.conf of:

  sasl_pwcheck_method: saslauthd
  #sasl_saslauthd_path: <system dependant default>

and a service specific one (for imaps) of:

  imaps_sasl_pwcheck_method: saslauthd
  imaps_sasl_saslauthd_path: /var/chroot/var/run/saslauthd/mux

Then run two instances of saslauthd, where the first one authenticates via
your system pam libraries, and another instance runs inside a chrooted
environment (for instance), and authenticates to the pam libraries inside
of the chroot.

--
Dan White
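
The following is an added example, not part of the original message and not Cyrus code: a small audit that resolves which saslauthd socket each cyrus.conf service ends up using, so you can confirm the TLS service really is separated from the default backend. It assumes, as the message describes, that an imapd.conf option prefixed with the service name overrides the plain option; the function names and the sample file contents (including the SERVICES wrapper) are constructed for illustration.

```python
import re

# Constructed sample files mirroring the snippets in the message above.
CYRUS_CONF = '''
SERVICES {
  imap   cmd="imapd -U 30 -D" listen="imap"  prefork=0
  imaps  cmd="imapd -s -U 30" listen="imaps" prefork=0
}
'''
IMAPD_CONF = '''
sasl_pwcheck_method: saslauthd
#sasl_saslauthd_path: <system dependant default>
imaps_sasl_pwcheck_method: saslauthd
imaps_sasl_saslauthd_path: /var/chroot/var/run/saslauthd/mux
'''

def parse_imapd_conf(text):
    """Return {option: value}, skipping blank lines and # comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            opts[key.strip()] = value.strip()
    return opts

def service_names(text):
    """Service names are the first token of each entry that carries cmd=."""
    return re.findall(r'^\s*(\w+)\s+cmd="', text, re.MULTILINE)

def effective(opts, service, option):
    """A '<service>_<option>' entry wins over the plain option."""
    return opts.get(f"{service}_{option}", opts.get(option))

def audit(cyrus_conf, imapd_conf):
    """Map service -> (pwcheck method, socket path or None for system default)."""
    opts = parse_imapd_conf(imapd_conf)
    return {s: (effective(opts, s, "sasl_pwcheck_method"),
                effective(opts, s, "sasl_saslauthd_path"))
            for s in service_names(cyrus_conf)}

def uses_default_socket(imapd_conf, service):
    """True when the service authenticates against the same socket as the default."""
    opts = parse_imapd_conf(imapd_conf)
    return effective(opts, service, "sasl_saslauthd_path") == opts.get("sasl_saslauthd_path")

if __name__ == "__main__":
    for name, (method, path) in audit(CYRUS_CONF, IMAPD_CONF).items():
        print(f"{name:6} {method:10} {path or '<system default socket>'}")
```

If `uses_default_socket` returns True for the externally reachable service, a misspelled prefix or a missing override has left it on the default backend that accepts the weak passwords.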