IMAPS with extra authorization.

Dan White dwhite at
Thu Jul 22 00:02:52 EDT 2010

On 21/07/10 21:07 +0200, Josef Karliak wrote:
>   All this procedure is because users has weak passwords, so we let them 
> in the company (using only IMAP), but if anybody want to has IMAPS from 
> outside of company (from home, etc...) we force him to create strong 
> password and let IMAPS authorize by this file. And it is not allowed to 
> use anyone else authorization from IMAPS... Quuestion - is this possible 
> at all ? :)

Another approach is to take advantage of service specific sasl

For instance, if you have cyrus.conf configuration like:

imap            cmd="imapd -U 30 -D" listen="imap" prefork=0 
imaps           cmd="imapd -s -U 30" listen="imaps" prefork=0 

Then you could create a default SASL configuration in /etc/imapd.conf of:

sasl_pwcheck_method: saslauthd
#sasl_saslauthd_path: <system dependant default>

and a service specific one (for imaps) of:

imaps_sasl_pwcheck_method: saslauthd
imaps_sasl_saslauthd_path: /var/chroot/var/run/saslauthd/mux

Then run two instances of saslauthd, where the first one authenticates via
your system pam libraries, and another instance runs inside a chrooted
environment (for instance), and authenticates to the pam libraries inside
of the chroot.

Dan White

More information about the Info-cyrus mailing list