On 05/23/12 15:20 -0400, James B. Byrne wrote:
If there is a better venue to ask this question then I would appreciate being informed of where that is.

I am investigating how to authenticate smtp submission connections to our postfix server from our cyrus-imap server. In our case these two services reside on separate hosts.

I have followed the postfix guide respecting configuring saslauthd to use imap (-O rimap) on a remote host. However, the postfix document rather cryptically warns that such authentication is en clair and that an ssh tunnel between the smtp and imap hosts is advised.

My question is how is this secure tunnel done / configured? Is there any way to use saslauth to directly connect via imaps on port 993?
The saslauthd imap backend does not appear to have any support for imaps, or for SASL authentication. You're stuck with 'user pass' authentication, which would result in your usernames and passwords being sent in the clear.

Configuring an ssh tunnel could be done using the '-L' command line option to the openssh 'ssh' binary, where you'd initiate your connection from the Postfix server. Your local port would need to be 143, or you'd need to specify '-O localhost/port_number'. That's really outside the scope of what's documented with Cyrus, and you'll probably find better ways to do it at Google.

What database are you using on your IMAP server? If you're using a network-capable store, like MySQL or LDAP, then you may have better options than using the imap backend to saslauthd.

If you're using a local sasldb database, then another option is to configure an openldap server using the same sasldb database (olcSaslAuxprops: sasldb) and expose authentication to it via the LDAP protocol. On your postfix server, you could use the ldap saslauthd backend which is more secure and flexible.

--
Dan White
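The tunnel described in the reply above, sketched as an added example that is not part of the original thread: a script for the Postfix host that forwards a loopback-only port to the IMAP host over ssh and points saslauthd's rimap backend at it. The host name, account, key path and port 1143 are assumptions; the script also refuses any non-loopback bind address, since that would re-expose the cleartext login on the network.

```shell
#!/bin/sh
# Added example, run on the Postfix host. Every name below is an assumption.
IMAP_HOST="imap.example.com"              # hypothetical Cyrus IMAP host
TUNNEL_USER="sasltunnel"                  # hypothetical unprivileged account there
TUNNEL_KEY="/etc/ssh/sasltunnel_ed25519"  # hypothetical dedicated key, no passphrase
BIND_ADDR="localhost"                     # ssh -L bind address on this host
LOCAL_PORT="1143"                         # unprivileged port; 143 would need root

# The forwarded port accepts plain-text IMAP logins, so it must only ever
# listen on loopback. Anything else puts the passwords back on the wire.
bind_is_loopback() {
    case "$1" in
        localhost|127.0.0.1) return 0 ;;
        *) return 1 ;;
    esac
}

# ssh command for the tunnel: no remote command (-N), no tty (-T), fail
# instead of running without the forward, and notice a dead connection.
tunnel_cmd() {
    bind_is_loopback "$BIND_ADDR" || {
        echo "refusing non-loopback bind address: $BIND_ADDR" >&2
        return 1
    }
    printf 'ssh -N -T -i %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L %s:%s:localhost:143 %s@%s\n' \
        "$TUNNEL_KEY" "$BIND_ADDR" "$LOCAL_PORT" "$TUNNEL_USER" "$IMAP_HOST"
}

# saslauthd invocation: rimap against the local end of the tunnel. The
# /port suffix is only needed when the local port is not 143.
saslauthd_cmd() {
    if [ "$LOCAL_PORT" = "143" ]; then
        printf 'saslauthd -a rimap -O localhost\n'
    else
        printf 'saslauthd -a rimap -O localhost/%s\n' "$LOCAL_PORT"
    fi
}

# Word splitting of the command strings is intentional (no spaces in values).
case "${1:-}" in
    tunnel)    cmd=$(tunnel_cmd) && exec $cmd ;;   # stays in the foreground
    saslauthd) exec $(saslauthd_cmd) ;;
    show)      tunnel_cmd && saslauthd_cmd ;;
esac
```

Run with `tunnel` under a process supervisor so the forward is restarted when the connection drops; `show` prints both commands without starting anything.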