Re: Server authentication

"Steve Moyes" wrote:
> On Fri, 2007-10-12 at 12:44 -0700, Paul Lesniewski wrote:
>> Please do NOT top post, thank you.
>
> Sorry.. wasn't watching what I was doing.
>
>>>>> Hi thanx for the reply.  It's not the shell access I'm bothered
>>>>> about.. allow me to explain further. What I was thinking is, the
>>>>> frontend squirrelmail is just that, nothing else.  It will be just
>>>>> a webserver, serving that page.  There will be no user accounts on
>>>>> there whatsoever.  I was thinking about having virtual user
>>>>> accounts that log into the frontend and this somehow logs into the
>>>>> actual mail server (located elsewhere) with the actual user
>>>>> accounts on that server.  Now is PAM some kind of solution?  and
>>>>> if so, how would I get squirrelmail to talk to PAM on another
>>>>> server? If you need any more info, please tell me what you need.
>>>>
>>>> It is possible to separate web server and mail server on different
>>>> hosts, but squirrelmail uses imap authentication (from the mail
>>>> server) to log the user in, it has no user database on its own. Do
>>>> you really need different users/passwords on your squirrelmail
>>>> server?
>>>
>>> yes.. separate credentials are one of the things that has
>>> specifically been requested.
>>
>> Separate from exactly what?  Not meaning to offend, but my guess is
>> that you may not understand the concept of how SM authenticates and/or
>> what a "mail account" is.  SM can care less about what kind of account
>> the user has; SM merely takes the credentials you give it and uses them
>> to ask the IMAP server if the user is authenticated or not. That's it.
>> There is only one set of credentials.  The fact that SM
>> asks the IMAP server means that you can put SM and the IMAP server in two
>> completely different hemispheres and it does not matter.  The user
>> credentials would still be the SAME, not "separate".
>
> OK.. this is the deal.  I've been asked to provide a front end to our
> email system.  So.. I have the mail server which has unix user accounts
> with Maildir.  And I have a separate box which will be the SM server
> viewable to the internet.  It has been requested that NO users have access
> to their actual login details and that the mail server remains on the
> internal network only for security precautions.

I'm not sure what you're trying to achieve. Do you want the users not to
know their user name and password, or do you want the users not to know
the address and port used by the internal web server?

Obviously the users have to know their user name, since that's the part
left of the "@" in the mail address when you're not using virtual mail
accounts. If you don't want your users to know their password you have to
create some custom login page which will take the credentials provided by
the users (user name and "open" password) and translate (map) the "open"
password to the "closed" password before sending the credentials to the
IMAP server through SquirrelMail. This requires some coding on your
behalf, and is an overly complicated system and is most likely not any
safer (you'd have to make the mapping available to the web server for
instance).

A much easier way to go is to make sure that no users can connect to
the mail server (and the web server) through SSH and telnet by disabling it
for them altogether (or at least when accessing the server from outside
the internal network). You might also want to disable IMAP access from all
servers but your web server, thus disallowing the users the possibility to
use any other IMAP client. The configuration used by SquirrelMail to
access the IMAP server (address, port, and such) isn't publicly available
if you follow the instructions in the documentation, i.e. don't put it
in a map which is readable by the World. If you don't want the users to
send their credentials in plain text between their browser and the web
server, use HTTPS instead of HTTP.

>>> I have everything ready to go, it's just this
>>> authentication issue I have.
>>
>> As has been suggested, Login Manager (vlogin) can help you remap
>> usernames, but I can't see any reason why you'd want to create such a
>> convoluted system.  Because users are "logging in" to SM on the web
>> server does not mean that they have ANY access to the web server at all.
>
> Hmmm... not sounding good then.. oh well.. back to the drawing board I
> guess.  Thanks for the input.
>
>>>>>>> I've spent a few hours searching this before I posted, but if
>>>>>>> I have missed something, please feel free to flame me.
>>>>>>> Anyway.. to the point.  Both of these servers are running
>>>>>>> Debian.  The main mail server is running Exim4 and Dovecot and
>>>>>>> the frontend is running Squirrelmail (who'da thunk it).  What I
>>>>>>> am trying to do now is have one set of credentials on the
>>>>>>> frontend that the user obviously needs to know and for those
>>>>>>> details to access the actual credentials on the mail server
>>>>>>> itself, which the user doesn't need to know.
>>>>>>> Has anyone ever done this and what is involved?
>>>>>>
>>>>>> If you want to use user accounts that don't have shell access
>>>>>> on server, see
>>>>>> http://www.google.com/search?q=exim+dovecot+virtual+users

Sincerely,
Fredrik

--
squirrelmail-users mailing list
Posting Guidelines: http://www.squirrelmail.org/wiki/MailingListPostingGuidelines
List Address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List Archives: http://news.gmane.org/thread.php?group=gmane.mail.squirrelmail.user
List Archives:  http://sourceforge.net/mailarchive/forum.php?forum_id=2995
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
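
The reply above recommends disabling IMAP access from every host except the web server. The following is an added example, not part of the original thread: a small check of that restriction against constructed `iptables -S INPUT` output from the mail server. The addresses (192.0.2.10 as the SquirrelMail host), the ruleset and the function names are assumptions, and the model only understands `-s`, `-p`, `--dport` and `-j`.

```python
import ipaddress
import shlex

# Constructed `iptables -S INPUT` output for the internal mail server.
# 192.0.2.10 is a documentation address standing in for the web server.
RULES = """\
-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
"""
# Same ruleset with the source restriction missing: IMAP open to everyone.
OPEN_RULES = RULES.replace("-s 192.0.2.10/32 ", "")


def parse(text):
    """Return (default_policy, [(source_net, dport, target), ...])."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", "INPUT"]:
            policy = tok[2]
        elif tok[:2] == ["-A", "INPUT"] and "--ctstate" not in tok:
            # Map every token to the one after it: "-s" -> address, etc.
            opt = dict(zip(tok, tok[1:]))
            if opt.get("-p", "tcp") != "tcp":
                continue  # only TCP matters for IMAP
            if opt.get("-j") not in ("ACCEPT", "DROP", "REJECT"):
                continue  # non-terminating targets do not decide
            net = ipaddress.ip_network(opt.get("-s", "0.0.0.0/0"))
            port = int(opt["--dport"]) if "--dport" in opt else None
            rules.append((net, port, opt["-j"]))
    return policy, rules


def verdict(text, src, dport):
    """First-match verdict for a new TCP connection from src to dport."""
    policy, rules = parse(text)
    for net, port, target in rules:
        if ipaddress.ip_address(src) in net and port in (None, dport):
            return target
    return policy


def imap_exposure(text, web_server, probes, ports=(143, 993)):
    """(source, port) pairs other than the web server that reach IMAP."""
    return [(s, p) for s in probes for p in ports
            if s != web_server and verdict(text, s, p) == "ACCEPT"]
```

An empty list from `imap_exposure` means only the web server can open an IMAP connection; any entry is a host that could still use another IMAP client.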
