On Mon, 9 Dec 2002, Kevin M. Myer wrote:

> Hi,
>
> With the recent Cyrus IMAP buffer overflow exploit, it's time to upgrade our mail
> server. I've been sitting on a Cyrus IMAP 2.1.X CVS install from right before
> the SASL2 requirement went into effect and have been holding off on upgrading
> until I can figure out a decent path to go from SASL1 -> SASL2 and still keep
> LDAP authentication working. Currently, I'm using Simon's LDAP authentication
> patch for SASLv1. I have four different domains, all being served out of
> different trees on the same directory server. With sasl_auto_transition turned
> on, CRAM-MD5 and DIGEST-MD5 authentication works after an initial plaintext
> login (done at account setup on a local network). Since saslauthd only supports
> plaintext passwords for LDAP authentication, I'm thinking that if I trade the
> stronger SASL authentication off for requiring TLS for the entire IMAP
> conversation (via , I don't give anything up security-wise. In other words, I
> can rely on the transport layer to provide encryption, instead of a higher layer,
> and that way email can't be sniffed either.
>
> So I upgraded to the latest versions of Cyrus SASL (2.1.10) and Cyrus IMAP
> (2.1.11) today on my test server. I got saslauthd working fine with LDAP for
> one Cyrus IMAP "virtual domain" (the altconfig type, meaning I specify a full set
> of services per domain, bound to a unique IP address, and I have a unique
> imapd.conf for each domain; I'm not talking about the newer virtual domain
> support). What I still need to figure out is how to specify which saslauthd mux
> socket for each domain's imap process to connect to. I know how to start
> multiple saslauthd's and specify which socket for them to create, but I need to
> know how to specify in /etc/imapd.conf which of those sockets to connect to. I
> can't seem to find that documented anywhere (probably because it's only in this
> special case scenario that you'd even need to use it :)
>
> Also, is it reasonable to think that most major IMAP clients could handle
> talking to a server that only listens on imaps (basically my forcing of TLS idea
> above)? I know my webmail client, IMP, can handle that, but can most other
> standalone clients handle imaps well, and will they barf over self-signed
> certificates?
>
> As always, if there's a simpler way to do this whole thing, I'd like to hear
> about it. What I have now works extremely well, so I'm not inclined to change
> it too much, but I could be missing something very obvious too. I know there's
> supposedly an OpenLDAP 2.X internal auxprop plugin in the works, but that won't
> help me too much since our directory server is iPlanet DS. Maybe it's time to
> bite the bullet and migrate directory server platforms too...
>
The OpenLDAP internal auxprop plugin works for OpenLDAP only. You will need to build your own or try a few plugins available on the web. One is available in the contrib directory of the latest OpenLDAP tarball.

--
Igor
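The per-domain setup Kevin describes (one saslauthd instance per domain, each with its own mux socket, and one imapd.conf per domain pointing at the right socket, with only imaps exposed) can be laid out as a small POSIX shell script. This is an added example, not code from the thread or from the Cyrus project. It assumes saslauthd's `-m` option names the run directory that holds the `mux` socket, that the Cyrus SASL option `saslauthd_path` is set from imapd.conf as `sasl_saslauthd_path` (Cyrus IMAP strips the `sasl_` prefix and passes such options to libsasl), that `imapd -C` selects an alternate imapd.conf and `imapd -s` is the imaps variant, and that cyrus.conf `listen=` accepts `address:port`. Domain names, addresses, LDAP bases and file paths are constructed placeholders.

```shell
#!/bin/sh
# Added example: per-domain saslauthd run directories plus matching
# imapd.conf / cyrus.conf fragments for an imaps-only, multi-domain Cyrus.
# Constructed sample data: domain|bind address|LDAP search base
DOMAINS='example-a.test|192.0.2.10|ou=people,dc=example-a,dc=test
example-b.test|192.0.2.11|ou=people,dc=example-b,dc=test'

# Run directory for one domain's saslauthd; the "mux" socket lives inside it.
# (Assumes saslauthd -m and the SASL saslauthd_path option both name this directory.)
mux_dir() { printf '/var/run/saslauthd-%s' "$1"; }

# Command line to start one domain's saslauthd against LDAP with its own
# mux directory and its own LDAP config (assumed -O option; placeholder path).
saslauthd_cmd() {
  printf 'saslauthd -a ldap -O /etc/saslauthd-%s.conf -m %s\n' "$1" "$(mux_dir "$1")"
}

# imapd.conf fragment for one domain: plaintext-only mechs over TLS, with
# the SASL layer told which saslauthd socket directory to use.
imapd_conf() {
  cat <<EOF
configdirectory: /var/imap/$1
partition-default: /var/spool/imap/$1
sasl_pwcheck_method: saslauthd
sasl_saslauthd_path: $(mux_dir "$1")
sasl_mech_list: PLAIN
tls_cert_file: /etc/ssl/certs/$1.pem
tls_key_file: /etc/ssl/private/$1.key
EOF
}

# cyrus.conf SERVICES line: imaps only, bound to the domain's own address,
# started with that domain's imapd.conf.
cyrus_service_line() {
  printf '  imaps-%s cmd="imapd -s -C /etc/imapd-%s.conf" listen="%s:imaps"\n' "$1" "$1" "$2"
}

# Sanity check a practitioner wants before rollout: every domain must get a
# distinct mux directory, or two imapd's will silently share one saslauthd.
# Returns 0 when all directories are unique, 1 otherwise.
check_unique_mux() {
  total=0; uniq_count=0
  all=$(printf '%s\n' "$DOMAINS" | while IFS='|' read -r d ip base; do
    [ -n "$d" ] && mux_dir "$d" && printf '\n'
  done)
  total=$(printf '%s\n' "$all" | grep -c .)
  uniq_count=$(printf '%s\n' "$all" | sort -u | grep -c .)
  [ "$total" -eq "$uniq_count" ]
}

# Emit all fragments for review.
render_all() {
  printf '%s\n' "$DOMAINS" | while IFS='|' read -r d ip base; do
    [ -n "$d" ] || continue
    echo "# --- $d (LDAP base: $base) ---"
    saslauthd_cmd "$d"
    echo "# /etc/imapd-$d.conf"
    imapd_conf "$d"
    echo "# cyrus.conf SERVICES entry"
    cyrus_service_line "$d" "$ip"
  done
}

[ "${0##*/}" = "sh" ] || render_all
```

Running the script prints one saslauthd invocation, one imapd.conf fragment and one cyrus.conf service line per domain; `check_unique_mux` is the guard worth keeping in any deployment script, since a shared mux directory would make both domains authenticate against whichever LDAP tree that saslauthd was started with.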