Chris Pepper wrote, at 01/13/2008 06:48 PM:

> Arrgh! SquirrelMail offers plain, cram-md5, and digest-md5, and only
> plain appears to work against /etc/shadow. I don't want the overhead of
> running TLS over loopback, so I think I will have to do without forcing
> secure auth for non-SSL IMAP/POP, and use the firewall to prevent
> Internet users from connecting over the Internet w/o SSL (so I don't
> have to worry about them unwisely using PLAIN or LOGIN over a plaintext
> connection).

Using TLS over loopback isn't entirely crazy, especially if webmail accounts for only a fraction of your service (unless your platform has a serious problem maintaining entropy).

There are also compelling reasons to switch to sasldb for mail accounts. I used /etc/shadow for years, but I have to say I'm happy I switched, in spite of some of the negatives. The truth is that less than 1% of my mail users need shell accounts, so there's no incentive to create them as system users, and there's no obstacle to providing shells to the users that need them. Creating users in sasldb isn't that much harder, and is more in keeping with the black-box paradigm employed by Cyrus. Some mail clients use the md5 methods by default, or fail over to them, so it's worth adding support. Give it a try, you might like it.

> Pity. It would be nice to have the option of doing IMAP on the IMAP
> port without worrying about unencrypted plaintext auth.
>
> Thanks,
>
> Chris
>
> PS: Bron, I don't want to deal with multiple instances, and I don't need
> to, since I can firewall IMAP (non-SSL) and only let SquirrelMail
> connect to port 143. I'm not looking forward to the SpamAssassin/ClamAV
> sandwich on the SMTP side.

Don't co-opt a standard port for a nonstandard purpose. Bron & Phil have both indicated how Cyrus IMAP offers additional options.
It's not always obvious in the documentation, but there are roughly three kinds of options:

  - Global settings
  - Named service settings
  - Arguments

Don't be deceived by the service names in cyrus.conf; they are just arbitrary strings. You can create an imapd service dedicated to SquirrelMail and call it anything you want:

    imap  cmd="imapd"    listen="192.168.1.100:143" prefork=0
    imaps cmd="imapd -s" listen="imaps"             prefork=0
    nuts  cmd="imapd"    listen="localhost:143"     prefork=0

Just make sure you avoid IP or port conflicts. Now you'll need to either prefix the appropriate settings in imapd.conf for each named service:

    imap_tls_cert_file: /path/to/cert.crt
    imaps_tls_cert_file: /path/to/cert.crt
    nuts_tls_cert_file: disabled
    ...

Or simply create a dedicated configuration file for the new service, and specify it in cyrus.conf:

    nuts cmd="imapd -C /etc/nuts.conf" listen="localhost:143" prefork=0

So, what you want to do is supported, it's just not intuitively obvious, because there's a fair amount of flexibility and interaction between settings at different levels.

NOTE: I've set this up in the past, but didn't confirm the examples above. Be sure to consult the documentation for your version of Cyrus IMAP. Using a separate imapd config file may be the safest way to get your alternate service running to your specifications without disrupting an existing configuration too much (and follow Bron's advice and version control everything).

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
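As an added example (not from this thread and not part of Cyrus itself), a small Python audit that reads the one-line-per-service cyrus.conf form and the service-prefixed imapd.conf settings shown above, resolves each service's effective setting (prefixed key over global key), and flags listen conflicts plus any plaintext-capable service bound to a non-loopback address. The config fragments are constructed from the post's examples; the extra 'lan' service is a deliberately bad addition, and treating allowplaintext/tls_cert_file this way is an assumption for illustration.

```python
import re

# Constructed sample fragments, modelled on the cyrus.conf/imapd.conf examples
# in the post above; 'lan' is an added, deliberately misconfigured service.
CYRUS_CONF = """
imap  cmd="imapd"    listen="192.168.1.100:143" prefork=0
imaps cmd="imapd -s" listen="imaps"             prefork=0
nuts  cmd="imapd"    listen="localhost:143"     prefork=0
lan   cmd="imapd"    listen="192.168.1.100:143" prefork=0
"""
IMAPD_CONF = """
allowplaintext: 0
tls_cert_file: /path/to/cert.crt
nuts_tls_cert_file: disabled
nuts_allowplaintext: 1
lan_tls_cert_file: disabled
lan_allowplaintext: 1
"""
SERVICE_RE = re.compile(r'^(\w+)\s+cmd="([^"]*)"\s+listen="([^"]*)"')
LOOPBACK = ("localhost", "127.0.0.1", "[::1]")

def parse_services(text):
    """Parse the simplified cyrus.conf service lines: name -> {cmd, listen}."""
    out = {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            out[m.group(1)] = {"cmd": m.group(2), "listen": m.group(3)}
    return out

def parse_imapd(text):
    """imapd.conf is 'key: value' per line; keys are kept verbatim, prefixes included."""
    pairs = (l.split(":", 1) for l in text.splitlines() if ":" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def setting(opts, service, key):
    """A service-prefixed key (e.g. nuts_tls_cert_file) overrides the global key."""
    return opts.get(f"{service}_{key}", opts.get(key))

def audit(cyrus_conf=CYRUS_CONF, imapd_conf=IMAPD_CONF):
    """Return findings: duplicate listen specs, and plaintext/no-TLS off loopback."""
    opts, seen, findings = parse_imapd(imapd_conf), {}, []
    for name, svc in parse_services(cyrus_conf).items():
        listen = svc["listen"]
        if listen in seen:
            findings.append(f"{name}: listen {listen} conflicts with {seen[listen]}")
        seen.setdefault(listen, name)
        host = listen.rsplit(":", 1)[0] if ":" in listen else listen
        if host in LOOPBACK:
            continue  # loopback-only service (the webmail case): plaintext stays on-host
        if setting(opts, name, "allowplaintext") == "1":
            findings.append(f"{name}: allowplaintext enabled on non-loopback {listen}")
        if setting(opts, name, "tls_cert_file") in (None, "disabled"):
            findings.append(f"{name}: TLS not configured on non-loopback {listen}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit()) or "no findings")
```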