JOYDEEP wrote:
thanks a lot for so in depth discussion. I have already enabled SSL encryption :-) as I have come to know from some documentation that the STARTTLS is stillnot very standard and the client side support for it is not become standard too.
Actually, it's very standardized and widely supported by nearly all new versions of client software. You only need to consider alternatives for existing legacy clients and perhaps newer buggy ones.
and now I am going for the secured authentication. I may be permitted to give here the main.cf so that you can suggest the necessary tweaking I need.
For the most part, this looks good.
------------------------------------------------------------------------------------------------- configdirectory: /var/lib/imap partition-default: /var/spool/imap sievedir: /var/lib/sieve admins: cyrus allowplaintext: yes
This is fine, as long as you've considered the risk and educated your users to use the most secure approach available. It's quite trivial to decode LOGIN authentication, if it can be sniffed on the wire.
sasl_mech_list: LOGIN PLAIN
Consider supporting CRAM-MD5 and DIGEST-MD5 (see below).
allowanonymouslogin: no autocreatequota: 10000 reject8bit: no quotawarn: 90 timeout: 30 poptimeout: 10 dracinterval: 0 drachost: localhost
Are you actually using drac? It's hard to make a case for POP-before-SMTP, these days. I'd disable it in favor of per-user authentication.
sasl_pwcheck_method: saslauthd
Consider switching to auxprop so you can support CRAM-MD5 and DIGEST-MD5. Administering sasldb2 is no harder than maintaining local system users, but I feel it narrows the risk. There are two sides to this argument, so do some research before you make your decision.
#auxprop saslauthd #sasl_auxprop_plugin: sasldb2 servername:linux.kolkatainfoservices.in lmtp_overquota_perm_failure: no lmtp_downcase_rcpt: yes # # if you want TLS, you have to generate certificates and keys # tls_cert_file: /etc/openldap/myca/servercert.pem tls_key_file: /etc/openldap/myca/serverkey.pem tls_ca_file: /etc/openldap/myca/cacert.pem tls_ca_path: /etc/openldap/myca/ tls_require_cert: no tlscache_db: berkeley unixhierarchysep: yes
Do you need to support dots in usernames or mailboxes? This is purely a matter of choice, but not all systems support usernames with dots, so it may affect future migrations to other IMAP servers. I prefer to have logins without dots, but allow dots in the local part of aliases. Of course, if you have existing accounts that already contain dots, you'll probably need this for migration.
virtdomains: yes defaultdomain: kolkatainfoservices.in loginrealms: kolkatainfoservices.in hashimapspool: true lmtpsocket: /var/lib/imap/socket/lmtp
---- Cyrus Home Page: http://cyrusimap.web.cmu.edu/ Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
