how to authenticate on localhost without password?

Brian J. Murrell brian at interlinx.bc.ca
Sun Feb 26 12:36:42 EST 2012


Subject might be a bit misleading but here is the problem...

I have a cyrus imap server serving a userbase.  Of course with any mail
system comes the issue of handling spam.  My users each have two folders
in their account: "Junk" and "Not Junk" where they put their spam and
mis-identified spam.

On the imap server each user has a system (i.e. Linux) account complete
with a SpamAssassin configuration including Bayesian classification
database, etc. so that each user has their own database of what's spam
and what isn't.

That means that for each user to classify their spam/ham the "sa-learn"
process has to run as their own uid.  To achieve that goal, as well as
timely processing of the spam and ham folders, each user has a process
on the mail server running as their uid which monitors those mailboxes
and processes them (and/or each user has jobs run from their cron to
periodically do the same).

The question comes now, how can I have a master process which spawns all
of these per-user threads/processes give them some sort of credential
that allows them to get access to their imap account, without storing a
list of accounts/passwords in a file that would need to keep
synchronized with their system passwords (not to mention the security
nightmare it would be to store account passwords in plaintext)?

FWIW, this configuration is Kerberos authenticated/authorized.

Or is there some alternative interface to the cyrus imap folder
mechanism (i.e. not through the IMAP protocol) that I am completely
missing, that would be better suited to this problem?

One possible solution I can think of that would use the IMAP protocol
for all of this is to create a single IMAP account that will be given
access (i.e. using cyrus' ACLs) to every user's Junk, Not Junk and INBOX
folders in order to read the messages, learn them and in the case of
ham, move them back to their INBOX.

But before I go down this road I just want to make sure it's really the
right road or if there is some alternative that I am just not
recognizing yet.

b.
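
The shared-account idea from the message above, sketched as an added example (not part of the original post and not Cyrus project code): a script that prints one least-privilege `setaclmailbox` line per folder for review before it is run in a cyradm session. The service identity `salearn`, the `.` hierarchy separator and the choice of rights per folder are assumptions made for this sketch.

```shell
#!/bin/sh
# Emit cyradm ACL commands granting one service account only the rights a
# spam-learning job needs on each user's folders.
LC_ALL=C; export LC_ALL      # keep the a-z range below strictly ASCII
SERVICE_ID="salearn"         # hypothetical service account name (assumption)
SEP="."                      # use "/" if the server has unixhierarchysep on

# Rights chosen for this sketch (RFC 4314 letters):
#   Junk, Not Junk: l lookup, r read, s keep seen state,
#                   t mark deleted, e expunge (clean up after learning)
#   INBOX:          l lookup, i insert (target of the ham move); no read right
acl_lines_for_user() {
    user=$1
    # Accept plain login names only. A quote, space or separator character
    # in the name would change which mailbox the generated line addresses.
    case $user in
        ''|*[!a-z0-9_-]*)
            echo "refusing unsafe user name" >&2
            return 1 ;;
    esac
    base="user${SEP}${user}"
    # Names are quoted because "Not Junk" contains a space.
    printf 'setaclmailbox "%s" %s li\n' "$base" "$SERVICE_ID"
    printf 'setaclmailbox "%s%sJunk" %s lrste\n' "$base" "$SEP" "$SERVICE_ID"
    printf 'setaclmailbox "%s%sNot Junk" %s lrste\n' "$base" "$SEP" "$SERVICE_ID"
}

# Print the plan for every user given; non-zero exit if any name was refused.
acl_plan() {
    rc=0
    for u in "$@"; do
        acl_lines_for_user "$u" || rc=1
    done
    return $rc
}

# Constructed sample users, for illustration only.
acl_plan alice bob
```

With these rights the service account can read and clear the two training folders and file ham into INBOX, but it cannot read the users' other mail.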
