Hi,

With the recent Cyrus IMAP buffer overflow exploit, it's time to upgrade our mail server. I've been sitting on a Cyrus IMAP 2.1.X CVS install from right before the SASL2 requirement went into effect and have been holding off on upgrading until I can figure out a decent path to go from SASL1 -> SASL2 and still keep LDAP authentication working. Currently, I'm using Simon's LDAP authentication patch for SASLv1. I have four different domains, all being served out of different trees on the same directory server. With sasl_auto_transition turned on, CRAM-MD5 and DIGEST-MD5 authentication works after an initial plaintext login (done at account setup on a local network). Since saslauthd only supports plaintext passwords for LDAP authentication, I'm thinking that if I trade the stronger SASL authentication off for requiring TLS for the entire IMAP conversation (via , I don't give anything up security-wise. In other words, I can rely on the transport layer to provide encryption, instead of a higher layer, and that way email can't be sniffed either.
So I upgraded to the latest versions of Cyrus SASL (2.1.10) and Cyrus IMAP (2.1.11) today on my test server. I got saslauthd working fine with LDAP for one Cyrus IMAP "virtual domain" (the altconfig type, meaning I specify a full set of services per domain, bound to a unique IP address, and I have a unique imapd.conf for each domain; I'm not talking about the newer virtual domain support).

What I still need to figure out is how to specify which saslauthd mux socket each domain's imap process should connect to. I know how to start multiple saslauthd's and specify which socket for them to create, but I need to know how to specify in /etc/imapd.conf which of those sockets to connect to. I can't seem to find that documented anywhere (probably because it's only in this special case scenario that you'd even need to use it :)

Also, is it reasonable to think that most major IMAP clients could handle talking to a server that only listens on imaps (basically my forcing of TLS idea above)? I know my webmail client, IMP, can handle that, but can most other standalone clients handle imaps well, and will they barf over self-signed certificates?

As always, if there's a simpler way to do this whole thing, I'd like to hear about it. What I have now works extremely well, so I'm not inclined to change it too much, but I could be missing something very obvious too. I know there's supposedly an OpenLDAP 2.X internal auxprop plugin in the works, but that won't help me too much since our directory server is iPlanet DS. Maybe it's time to bite the bullet and migrate directory server platforms too...

Thanks,
Kevin

--
Kevin M. Myer
Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
(717) 560-6140
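The per-domain saslauthd setup described in the message, as an added example that is not part of the original post or of Cyrus SASL itself: a small client for the saslauthd mux socket protocol (four 16-bit length-prefixed fields, userid/password/service/realm, answered by one length-prefixed "OK"/"NO" reply, the same framing testsaslauthd uses) plus a constructed in-process stand-in for two saslauthd instances backed by separate user tables rather than LDAP trees. The domain names, socket paths, user names and passwords are all made up for the demonstration; the point it shows is that a plaintext check sent to the wrong domain's socket fails even with valid credentials, which is why each domain's imapd has to be pointed at its own socket.

```python
"""Constructed demo of routing saslauthd mux checks per domain (not Cyrus code)."""
import os
import socket
import struct
import tempfile
import threading


def _send_field(sock, value):
    # saslauthd mux framing: 2-byte network-order length, then the bytes.
    sock.sendall(struct.pack("!H", len(value)) + value)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("short read on saslauthd mux socket")
        buf += chunk
    return buf


def _recv_field(sock):
    (length,) = struct.unpack("!H", _recv_exact(sock, 2))
    return _recv_exact(sock, length)


def saslauthd_check(mux_path, userid, password, service=b"imap", realm=b""):
    """Ask the saslauthd instance at mux_path to verify a plaintext password.
    True on an "OK" reply, False on "NO"."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(mux_path)
        for field in (userid, password, service, realm):
            _send_field(s, field)
        return _recv_field(s).startswith(b"OK")


class FakeSaslauthd:
    """Constructed stand-in for one saslauthd process: answers the mux protocol
    from an in-memory {userid: password} table instead of an LDAP tree."""

    def __init__(self, mux_path, users):
        self.users = users
        self.mux_path = mux_path
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.bind(mux_path)
        self.sock.listen(5)
        self.sock.settimeout(0.2)  # so the serving thread can notice close()
        self.stopped = False
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        while not self.stopped:
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            with conn:
                userid, password, _service, _realm = [_recv_field(conn) for _ in range(4)]
                _send_field(conn, b"OK" if self.users.get(userid) == password else b"NO")

    def close(self):
        self.stopped = True
        self.thread.join()
        self.sock.close()
        os.unlink(self.mux_path)


def authenticate(domain_sockets, domain, userid, password):
    """Route the check to the socket of the domain this imapd serves; an unknown
    domain raises KeyError (a configuration error, not a failed login)."""
    return saslauthd_check(domain_sockets[domain], userid, password, realm=domain)


def demo():
    """Two constructed domains, each with its own saslauthd socket and users."""
    run_dir = tempfile.mkdtemp(prefix="saslauthd-")
    domain_sockets = {
        b"a.example": os.path.join(run_dir, "mux-a"),
        b"b.example": os.path.join(run_dir, "mux-b"),
    }
    daemons = [
        FakeSaslauthd(domain_sockets[b"a.example"], {b"alice": b"secret-a"}),
        FakeSaslauthd(domain_sockets[b"b.example"], {b"bob": b"secret-b"}),
    ]
    try:
        return {
            "alice_on_a": authenticate(domain_sockets, b"a.example", b"alice", b"secret-a"),
            "alice_on_b": authenticate(domain_sockets, b"b.example", b"alice", b"secret-a"),
            "alice_bad_pw": authenticate(domain_sockets, b"a.example", b"alice", b"wrong"),
            "bob_on_b": authenticate(domain_sockets, b"b.example", b"bob", b"secret-b"),
        }
    finally:
        for daemon in daemons:
            daemon.close()
        os.rmdir(run_dir)


if __name__ == "__main__":
    print(demo())
```

Because the password crosses the mux socket in the clear, the socket files themselves need the same care as the imapd.conf that names them: one socket per domain, owned by the Cyrus user, in a directory other local accounts cannot traverse.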