Hi,

Ian G Batten wrote:
> The Cyrus server I run for my employer is sat on our internal
> network, and remote users access either the IMAP port or the
> associated Squirrelmail instance via our VPN. They come in via a
> Cisco IPSec VPN server, secured with SecureID.
>
> My private Cyrus server, which sits in borrowed space in someone
> else's datacentre, doesn't have such luxuries. The IMAP port is
> openly available, and there is a Squirrelmail server that will allow
> anyone to attempt to log in. All the IMAP clients that access it use
> STARTTLS and/or one of the MD5 authentication styles, the
> Squirrelmail server only operates over https and the passwords are
> generated with /dev/random, so I've not got too much to worry about.
> But the datacentre is a University CS department where I do some
> lecturing, so all sorts of things could happen.
>
> I'm considering using the Radiator product, which directly supports
> Vasco tags and will run on Solaris (my platform of choice), and a
> Vasco evaluation kit to upgrade the security. This should only
> involve having saslauthd talk to Radius via PAM, but my experience of
> incorporating SecureID into other systems is that there are many
> little places where things go wrong. Has anyone done anything similar?

We have our Cyrus authenticate to saslauthd via pam_radius to a Radiator server, so that works. We're also using Radiator with Vasco tokens (on Linux), and that works too. But I don't think it will be very easy to combine the two: the Vasco tokens provide you with one-time passwords, and for IMAP access you'll have more than just one connection. My Thunderbird client already makes a new connection for each folder I open; Squirrelmail isn't much better. (The only thing is that you could cache the "one-time" password in Radiator, but you'll end up having different problems if you open more than one client.) We actually use these Vasco tokens for administrators, authenticating for SSH and so forth.
The other use case is our single sign-on environment. There you might have more luck, as you log in just once and get some kind of cookie and session variables as proof that you logged in. As soon as you can use that within Squirrelmail, that would be fine. We didn't do that yet, although I do think it should be possible: check whether the user is logged in, and use the Cyrus admin user to authorize as the real user. I never had the time to play with that.

The non-admin users also have the option of authenticating to the SSO system using PKI certificates, and actually that is also my last suggestion: we don't just use that for our web environment, but also for e-mail! There is actually an SSL proxy based on stunnel in front of our Cyrus setup that enforces the client certificates on imaps. Cyrus could do this as well, with tls_require_cert set to 1, but we have stunnel as some extra paranoia I guess (and/or historic). Perhaps certificates can be of use? (You could easily create them with TinyCA or something.)

The only issue we have is with "nomadic use": if you end up at an internet cafe, it's still better to use a one-time-password token than to install your certificate locally. (And that is why we also have that as an option for the SSO system, but then I still have to log in using username/password afterwards in our case; not very SSO.) But people rarely use webmail here, and TB works just fine with client certificates. (Otherwise you could use stunnel on the client side...)

Regards,
Paul

P.S. If you want to have more similarities with your employer's setup: you could also run a VPN (for instance OpenVPN) with token-based authentication. Something else I still want to try, although we're doing this with our certificates too; I'm quite sure it is possible to hook it up to PAM, for instance.

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html