On Wed, May 23, 2012 15:52, Dan White wrote:

. . .

> Configuring an ssh tunnel could be done using the '-L' command
> line option to the openssh 'ssh' binary, where you'd initiate
> your connection from the Postfix server. Your local port would
> need to be 143, or you'd need to specify '-O localhost/port_number'.
> That's really outside the scope of what's documented with Cyrus,
> and you'll probably find better ways to do it at google

Well, I have not been able to find much on google respecting this subject
that makes sense to me. Your suggestion of establishing a proxy on startup
using

  ssh -L localhost:143:imap.domain.tld:143

certainly seems doable, particularly as we use certificate authentication
for the root userids in any case. And this solution also possesses the
virtue that I actually understand what it is meant to accomplish. However,
since you raised the question, what better ways might there be?

> What database are you using on your IMAP server? If you're using a
> network capable store, like MySQL or LDAP, then you may have better
> options than using the imap backend to saslauthd.
>
> If you're using a local sasldb database, then another option is to
> configure an openldap server using the same sasldb database
> (olcSaslAuxprops: sasldb) and expose authentication to it via the LDAP
> protocol. On your postfix server, you could use the ldap saslauthd
> backend which is more secure and flexible.

Our current Cyrus-Imap backend is a standard passwd file. The users do not
have shells (or rather the shell is nologin) on the imap host, but otherwise
it is login authentication. It has been like this since 1995. I only
recently discovered that the ability to use imap as an smtp authentication
mechanism existed, as up to now our imap and smtp services co-existed on the
same host and the passwd file sufficed for both.

We are in the process of re-structuring our internal services and servers.
At the moment LDAP implementation is not on the table. Later perhaps, as
part of a Samba 4 setup, but not right now. I was hoping that we could use
imap authentication as a bridge until we implement a single login solution
later. But the idea of moving credentials en clair over the wire cannot be
entertained. The ssh proxy you suggest may indeed overcome this objection.

Thank you.

-- 
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:ByrneJB@xxxxxxxxxxxxx
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
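The tunnel sketched in the message above, worked out as the startup script the Postfix host would run, is added here as an example; it is not code from the thread, from Cyrus or from Postfix. It assumes the Postfix host can ssh to the IMAP host as an unprivileged user named tunnel with a dedicated key at /root/.ssh/id_imap_tunnel, that imap.domain.tld is the IMAP host itself (so the far end of the forward is that host's own loopback, and the cleartext IMAP LOGIN never touches a wire on either side), and that saslauthd on the Postfix side uses the rimap backend with the host/port form of -O that Dan White mentions. All of those names and paths are illustrative.

```shell
#!/bin/sh
# Added example: bring up a loopback-to-loopback ssh forward for saslauthd's
# rimap backend. Host name, user name and key path below are assumptions.

# ssh command line. Binding the local end to 127.0.0.1 keeps the forward off
# the Postfix host's other interfaces; 127.0.0.1 at the far end means ssh on
# the IMAP host connects to its own loopback rather than re-sending the
# LOGIN across the network. ExitOnForwardFailure makes ssh exit nonzero if
# local :143 is already in use instead of sitting idle with no forward, and
# -N/-f background it without ever requesting a remote shell.
tunnel_cmd() {
    local_port=$1; imap_host=$2; remote_port=$3; key=$4; user=$5
    cmd="ssh -N -f -i $key -o ExitOnForwardFailure=yes"
    cmd="$cmd -o ServerAliveInterval=30 -o ServerAliveCountMax=3"
    cmd="$cmd -L 127.0.0.1:$local_port:127.0.0.1:$remote_port $user@$imap_host"
    printf '%s\n' "$cmd"
}

# authorized_keys entry for the tunnel user on the IMAP host: the key may
# only open forwards to 127.0.0.1:143 and gets no pty, agent or X11
# forwarding. No forced command is needed because the client uses -N.
authorized_keys_line() {
    pubkey=$1
    printf '%s\n' "no-pty,no-agent-forwarding,no-X11-forwarding,permitopen=\"127.0.0.1:143\" $pubkey"
}

# saslauthd pointed at the local end of the tunnel (rimap host/port form).
saslauthd_cmd() {
    printf '%s\n' "saslauthd -a rimap -O 127.0.0.1/$1"
}

# Poll until something accepts connections on host:port, up to $3 tries one
# second apart. Returns 0 when a listener answers, 1 on timeout, 2 if neither
# nc nor bash (for /dev/tcp) is available to probe with.
wait_for_listener() {
    host=$1; port=$2; tries=$3
    while [ "$tries" -gt 0 ]; do
        if command -v nc >/dev/null 2>&1; then
            nc -z "$host" "$port" >/dev/null 2>&1 && return 0
        elif command -v bash >/dev/null 2>&1; then
            bash -c "exec 3<>/dev/tcp/$host/$port" >/dev/null 2>&1 && return 0
        else
            return 2
        fi
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# What an init script on the Postfix host would run: start the tunnel, refuse
# to start saslauthd unless local :143 actually came up, then start it.
bring_up_tunnel() {
    eval "$(tunnel_cmd 143 imap.domain.tld 143 /root/.ssh/id_imap_tunnel tunnel)" || return 1
    wait_for_listener 127.0.0.1 143 10 || { echo "tunnel did not come up" >&2; return 1; }
    eval "$(saslauthd_cmd 143)"
}

# Running the file directly just shows the generated pieces; call
# bring_up_tunnel from the boot script to do the real work.
echo "Postfix host runs:   $(tunnel_cmd 143 imap.domain.tld 143 /root/.ssh/id_imap_tunnel tunnel)"
echo "then:                $(saslauthd_cmd 143)"
echo "IMAP host authorized_keys: $(authorized_keys_line 'ssh-ed25519 AAAA...example-key')"
```

Two caveats a practitioner would want noted: ssh does not reconnect on its own, so the tunnel should run under a supervisor or autossh and saslauthd's rimap checks will simply fail while it is down; and rimap performs a full IMAP LOGIN for every SMTP AUTH attempt, so the IMAP host sees Postfix's authentication load and any brute forcing directed at SMTP.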