The Cyrus server I run for my employer is sat on our internal network, and remote users access either the IMAP port or the associated Squirrelmail instance via our VPN. They come in via a Cisco IPSec VPN server, secured with SecureID. My private Cyrus server, which sits in borrowed space in someone else's datacentre, doesn't have such luxuries. The IMAP port is openly available, and there is a Squirrelmail server that will allow anyone to attempt to log in. All the IMAP clients that access it use STARTTLS and/or one of the MD5 authentication styles, the Squirrelmail server only operates over https and the passwords are generated with /dev/random, so I've not got too much to worry about. But the datacentre is a University CS department where I do some lecturing, so all sorts of things could happen. I'm considering using the Radiator product, which directly supports Vasco tags and will run on Solaris (my platform of choice), and a Vasco evaluation kit to upgrade the security. This should only involve having saslauthd talk to Radius via PAM, but my experience of incorporating SecureID into other systems is that there are many little places where things go wrong. Has anyone done anything similar? ian ---- Cyrus Home Page: http://cyrusimap.web.cmu.edu/ Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
