Paul Boven wrote:
Hi Christos, everyone,Well, I do not want to have a flame on this matter. Besides, it is beyond this thread what security is. To me your proposal is not about security, it is about content encryption. Encryption is just one aspect of security.
Security is a very important thing. And security to me means encryption, not only of the authentication phase but of the whole session. Now with HTTPS I know you loose the ability to support virtual domains, because the TLS session must be setup before the requested URL is transferred. This means you can only have one hostname per IP-adres as soon as you use SSL. Wouldn't you run into the same problem when enabling virtual domain support on cyrus?
I've deployed several single domain cyrus servers, but am working on my first multidomain one, with Squirrelmail via SSL on top. So the way things look now is that the machine will have only one hostname, imap.example.com, and that everyone logs in with their complete email-address as the fully qualified username, either with imaps or via https and squirrelmail.I totally agree with you. The ability to append the domain to the user id is already implemented. What I suggest is just another option, which suits my needs and I think that there will be others which will find it useful in the future.
In short: I think we should keep the ability to allow users to provide fully qualified usernames.
Regards, Paul Boven.
-- Christos Soulios (soulbros_at_noc.uoa.gr)
Microsoft is not the answer. Microsoft is the question. No is the answer.
