On 10/03/12 10:51 -0400, Brian Chase wrote:
>This may be a question more geared toward the developers of Cyrus, but I
>figured I'd start with this list.
>
>Some background information & context:
>
>I work at an organization with a Cyrus Murder cluster that contains several
>hundred thousand mail accounts. We're beginning the process of migrating
>these accounts to Google's Gmail. (No fault of Cyrus' as a product, but
>we've decided as an organization that we don't want to be supporting all
>those users and maintaining over 10TB of imap data stores. That said,
>Cyrus works quite well at that scale.)
>
>Anyway, so the consulting company we're working with to help us with the
>migration is using Google's GAMME tool. It's a mail migration tool that
>works with Exchange and IMAP servers to pull the data out of the old mail
>servers and into Google's servers. It's a pretty limited program, and
>unfortunately, its IMAP support is more limited than we'd like. The
>GAMME tool takes simple lists of users, in a formatted text file, and uses
>that information to log in as each user on the IMAP server and then copy all
>their mail onto the Google server. The problem with that is it needs the
>plain-text passwords for all the existing users to be able to log into the
>IMAP server.

Page 25 of the Administrator's Guide points to a solution using an
administrative password, rather than specifying the user's password, such
as:

adminuser#adminpassword, cyrususer1

This may work if you specify a proxyservers user on your frontend
(adminuser).

>Now, like any sane organization, we don't keep track of our users'
>passwords in plain-text, so we can't generate these user lists that GAMME
>wants. And we also are unwilling to say, reset over a half a million user
>account passwords with ones we would then know.

How are you planning to transfer the passwords to gmail?

Consider enabling 'auto_transition: true' within /etc/imapd.conf, on each of
your frontends, which would store the cleartext password of each user the
next time they log in, into /etc/sasldb2.

>What I'm thinking of doing:
>
>To get around this problem what I would like to do is to set up a custom
>Cyrus front-end server. The front end server would be isolated on our
>network and only be able to talk to the other relevant Cyrus servers and to
>the systems we have running the GAMME tool. For the custom front-end
>server I think it should be possible to modify the source code that handles
>the authorization to bypass the normal process. I want the customized
>server to allow connections to the individual accounts on the back end data
>store servers using either a specific hard coded password or to just allow
>authentication with any password. Is this something that would work given the
>Cyrus Murder architecture, and if so, which source code files for Cyrus
>contain the relevant authorization routine(s) that would need to be changed?

On such a frontend, or on an existing frontend listening on a protected IP,
you could bypass authentication with 'pwcheck_method: alwaystrue' (if your
libsasl2 was compiled with --enable-alwaystrue).

In /etc/cyrus.conf:

gammeimap cmd="imapd" listen="10.0.0.5:imap" prefork=0 maxchild=100

and in /etc/imapd.conf:

gammeimap_sasl_pwcheck_method: alwaystrue

-- 
Dan White
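
Added example, not part of the original message and not Cyrus code: a Python check that reads cyrus.conf and imapd.conf text and reports every service whose effective sasl_pwcheck_method is alwaystrue, rating each listener by its bind address. The sample input is constructed; the plain "imap" service, the saslauthd default and the review/critical rating are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample input. The gammeimap lines mirror the message above; the
# plain "imap" service and the saslauthd default are assumptions for contrast.
CYRUS_CONF = '''SERVICES {
  imap      cmd="imapd" listen="imap" prefork=5
  gammeimap cmd="imapd" listen="10.0.0.5:imap" prefork=0 maxchild=100
}'''
IMAPD_CONF = '''sasl_pwcheck_method: saslauthd
gammeimap_sasl_pwcheck_method: alwaystrue'''

# cyrus.conf service line: <name> ... listen="<value>"; comment lines do not match.
SERVICE_RE = re.compile(r'^[ \t]*(\w+)[ \t]+.*\blisten="([^"]+)"', re.M)
# imapd.conf option line: <key>: <value>
OPTION_RE = re.compile(r'^[ \t]*(\w+)[ \t]*:[ \t]*(.*?)[ \t]*$', re.M)

def exposure(listen):
    """'critical' if the listener is reachable beyond a private address."""
    if listen.startswith('/'):
        return 'review'                      # UNIX socket path
    if listen.startswith('['):
        host = listen[1:listen.index(']')]   # [v6addr]:port
    else:
        host = listen.rpartition(':')[0]     # '' when only a port is given
    if not host:
        return 'critical'                    # wildcard bind
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return 'review'                      # hostname: check what it resolves to
    if ip.is_unspecified or not (ip.is_private or ip.is_loopback):
        return 'critical'
    return 'review'

def audit(cyrus_conf, imapd_conf):
    """List (service, listen, severity) for every service using alwaystrue."""
    opts = dict(OPTION_RE.findall(imapd_conf))
    default = opts.get('sasl_pwcheck_method', '')
    findings = []
    for name, listen in dict(SERVICE_RE.findall(cyrus_conf)).items():
        # A <service>_ prefixed option overrides the global one for that service.
        method = opts.get(name + '_sasl_pwcheck_method', default)
        if 'alwaystrue' in method.split():
            findings.append((name, listen, exposure(listen)))
    return findings

if __name__ == '__main__':
    for finding in audit(CYRUS_CONF, IMAPD_CONF):
        print(finding)
```

A "review" result still means the listener accepts any password; it only says the bind address is private, so firewall rules and removal of the service after the migration remain to be confirmed.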