This might be obvious to everyone, but I thought I'd post it anyway.

I wanted to allow encrypted imap connections from everywhere, but
unencrypted sessions only from my internal network. TCP Wrappers seemed
an obvious solution, but since the current Cyrus code sets the daemon name
to check to the name of the executable running, it wouldn't work out of
the box, as the difference between the two is in the form of a flag, not
the executable name. (That is, "imapd" vs. "imapd -s".)

I thought about changing the code to set the name to something separate,
but then I realized that I could just change the executable name in
/etc/cyrus.conf and in /etc/hosts.allow and .deny and create a link from
the new name to the original executable. So now my files look like this
(edited heavily, of course):

--- BEGIN /etc/cyrus.conf ---
SERVICES {
imap cmd="imapd" listen="imap" prefork=0
imaps cmd="imapsd -s" listen="imaps" prefork=0
}
--- END /etc/cyrus.conf ---

--- BEGIN ls -l /usr/cyrus/bin ---
-rwxr-xr-x 1 bin bin 2104798 Feb 8 17:47 imapd
lrwxr-xr-x 1 bin bin 5 Feb 13 14:37 imapsd -> imapd
--- END ls -l /usr/cyrus/bin ---

--- BEGIN /etc/hosts.allow ---
imapd: 172.16.0.0/255.255.255.128 172.16.0.128/255.255.255.128
imapsd: ALL
--- END /etc/hosts.allow ---

--- BEGIN /etc/hosts.deny ---
imapd: ALL
--- END /etc/hosts.deny ---

Note that imapsd doesn't really need to be listed because the default is
to allow.

Hope that helps someone out.

-Bitt
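
Added example, not part of the original post: a minimal Python model of the hosts_access(5) lookup order applied to the rules above, showing why the symlinked name gets a different policy from the same binary. It assumes, as the post states, that the daemon name checked is the name of the executable as invoked; only the `ALL` and net/mask patterns are modelled, and the client addresses are constructed.

```python
import ipaddress
import os

# Rules as shown in the post's /etc/hosts.allow and /etc/hosts.deny.
HOSTS_ALLOW = ("imapd: 172.16.0.0/255.255.255.128 172.16.0.128/255.255.255.128\n"
               "imapsd: ALL\n")
HOSTS_DENY = "imapd: ALL\n"

def rule_matches(rules, daemon, client):
    """True if any 'daemons: clients' line covers this daemon and client."""
    addr = ipaddress.ip_address(client)
    for line in rules.splitlines():
        if ":" not in line or line.lstrip().startswith("#"):
            continue
        daemons, clients = (f.replace(",", " ").split() for f in line.split(":", 1))
        if daemon not in daemons and "ALL" not in daemons:
            continue
        for pattern in clients:
            if pattern == "ALL":
                return True
            if "/" in pattern and addr in ipaddress.ip_network(pattern):
                return True
    return False

def access(argv0, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts_access(5) order: hosts.allow match, then hosts.deny match, else allow."""
    daemon = os.path.basename(argv0)  # assumption from the post: name = executable name
    if rule_matches(allow, daemon, client):
        return "allow"
    if rule_matches(deny, daemon, client):
        return "deny"
    return "allow"

if __name__ == "__main__":
    # Constructed clients: one internal address, one outside (documentation range).
    for argv0 in ("/usr/cyrus/bin/imapd", "/usr/cyrus/bin/imapsd"):
        for client in ("172.16.0.200", "203.0.113.7"):
            print(f"{os.path.basename(argv0):7} {client:13} {access(argv0, client)}")
```

Dropping the `imapsd: ALL` line from the allow rules leaves the result for `imapsd` unchanged, which is the post's closing note about the default.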