Different backend authentications for Cyrus IMAP

2010-12-07 Thread Jason Voorhees
Hi:

For personal reasons I'm planning to migrate a Zimbra installation to
a Postfix+Cyrus IMAP based schema. My Zimbra server has two domains:
domain1.com and domain2.com. Users from domain1.com authenticate via
Active Directory and domain2.com authenticate via Zimbra (using its
own OpenLDAP server).

As you know Zimbra has its own POP/IMAP server embedded with a custom
version of saslauthd. Now I have to keep the same double
authentication schema when migrating to Cyrus IMAP, so the question is:
How could I configure
Cyrus IMAP to authenticate users from one domain (domain1.com) to a
backend A (Active Directory) and users from other domain (domain2.com)
to a backend B (OpenLDAP, MySQL, PAM, etc)? Is it possible? Any ideas?

I hope someone can help me with some ideas.

Thanks

Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/


Re: Different backend authentications for Cyrus IMAP

2010-12-07 Thread Jason Voorhees
Thanks, I'm going to try this and then read about that openldap's thread.

On Tue, Dec 7, 2010 at 4:33 PM, Dan White dwh...@olp.net wrote:
 On 07/12/10 12:49 -0500, Jason Voorhees wrote:

 Hi:

 For personal reasons I'm planning to migrate a Zimbra installation to
 a Postfix+Cyrus IMAP based schema. My Zimbra server has two domains:
 domain1.com and domain2.com. Users from domain1.com authenticate via
 Active Directory and domain2.com authenticate via Zimbra (using its
 own OpenLDAP server).

 As you know Zimbra has its own POP/IMAP server embedded with a custom
 version of saslauthd. Now I have to keep the same double
 authentication schema when migrating to Cyrus IMAP, so the question is:
 How could I configure
 Cyrus IMAP to authenticate users from one domain (domain1.com) to a
 backend A (Active Directory) and users from other domain (domain2.com)
 to a backend B (OpenLDAP, MySQL, PAM, etc)? Is it possible? Any ideas?

 One approach would be to run multiple instances of imapd, each pointing to
 its own configuration file, or customized SASL configuration within the
 primary imapd.conf file.

 Given the following entries in /etc/cyrus.conf:

 SERVICES {
     imapdom1    cmd=imapd listen=imap.domain1.com:imap prefork=0
     imapdom2    cmd=imapd listen=imap.domain2.com:imap prefork=0
     ...
 }

 Your imapd.conf could contain:

 imapdom1_sasl_pwcheck_method: saslauthd
 imapdom1_sasl_saslauthd_path: /path/to/zimbra's/custom/daemon/mux

 imapdom2_sasl_pwcheck_method: saslauthd
 imapdom2_sasl_saslauthd_path: /path/to/second/instance/of/saslauthd/mux

 Which would require that your users connect to two different IP addresses
 (imap.domain1.com and imap.domain2.com), and you'd need to run two
 instances of saslauthd, but your second instance of saslauthd could
 authenticate a number of different ways. On the downside, this approach
 would require some creative configuration of postfix, if your users
 authenticate to it.

 If both domains can authenticate via LDAP (or Kerberos), you might check
 out a recent thread on the OpenLDAP-technical list titled 'Pass-Through
 authentication', which discusses a couple of alternatives.

 --
 Dan White




Re: How to copy messages between mailboxes?

2009-02-26 Thread Jason Voorhees
On Wed, Feb 25, 2009 at 6:16 PM, Bron Gondwana br...@fastmail.fm wrote:
 On Wed, Feb 25, 2009 at 05:45:25PM -0500, Jason Voorhees wrote:
 Hi people:

 I'm trying to create a script to copy certain messages from a
 mailbox of user A to mailbox of user B. These are the steps I have in
 mind:

 Wrong steps.  That's not a good way to do it.

Well, I just based it on the example shown in the Cyrus documentation. It
says that a recently copied message file will not be visible until the
reconstruct command is executed.


 # mkdir /var/spool/imap/a/user/B/Recent
 # cd /var/spool/imap/a/user/A
 # cp 234. 235. 236. Drafts/12* /var/spool/imap/a/user/B/Recent
 # chown -R cyrus:mail /var/spool/imap/a/user/B/Recent
 # su cyrus -c '/usr/lib/cyrus-imapd/reconstruct -r user/B'

 Use IMAP.

 a) Connect as an admin (with permissions on both user.A and user.B)

 b) CREATE user.B.Recent

 c) SELECT user.A
 d) UID COPY 234,235,236 user.B.Recent

 e) SELECT user.A.Drafts
 f) UID COPY 12:* user.B.Recent

 

 Much cleaner, and you get all the locking goodness of doing it the
 RIGHT way.

 An alternative to being admin is just adding read ACLs for user
 B on user A's folders (as user A), then logging in as user B and
 doing these steps.

 You can use any IMAP client library.  We use Perl Mail::IMAPTalk,
 but whatever language you're familiar with is fine.

 Bron.

Unfortunately, I know almost nothing about programming :( It doesn't
seem a good idea to learn programming now just to solve this little
issue.
Anyway I know that programming is necessary to me so I'll learn as
soon as I have enough free time.

Thanks anyway people, I'll read about Perl::ImapTalk

Bye

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
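
The IMAP procedure from Bron's reply (steps a to f), as an added example that is not part of the original thread: a Python function that drives the standard `imaplib` calls `create`, `select` and `uid`. The input validation and the `RecordingConn` stand-in are assumptions added here; against a real server, pass an authenticated `imaplib.IMAP4_SSL` object instead.

```python
import re

# IMAP sequence-set syntax: numbers, '*', ranges and commas only.
UID_SET = re.compile(r"(\d+|\*)(:(\d+|\*))?(,(\d+|\*)(:(\d+|\*))?)*")
# imaplib sends mailbox names unquoted, so refuse spaces, quotes and CR/LF.
SAFE_MAILBOX = re.compile(r"[A-Za-z0-9._@-]+")

def _ok(result, what):
    """Raise unless the server said OK (imaplib returns NO instead of raising)."""
    typ, data = result
    if typ != "OK":
        raise RuntimeError(f"{what} failed: {data!r}")

def copy_messages(conn, sources, dest):
    """Copy messages into dest over IMAP; return the commands issued, in order.

    conn is an authenticated imaplib.IMAP4_SSL object (step a); sources is a
    list of (mailbox, uid_set) pairs such as ("user.A", "234,235,236").
    """
    for name in [dest] + [mbox for mbox, _ in sources]:
        if not SAFE_MAILBOX.fullmatch(name):
            raise ValueError(f"unsafe mailbox name: {name!r}")
    for _, uids in sources:
        if not UID_SET.fullmatch(uids):
            raise ValueError(f"invalid UID set: {uids!r}")
    # Step b. CREATE answers NO when the mailbox already exists; if it is
    # really missing, the first COPY below fails and raises.
    conn.create(dest)
    issued = [f"CREATE {dest}"]
    for mbox, uids in sources:
        # Steps c/e, opened read-only (EXAMINE) so the source is never modified.
        _ok(conn.select(mbox, readonly=True), f"EXAMINE {mbox}")
        # Steps d/f: the server copies the messages and assigns new UIDs in dest.
        _ok(conn.uid("COPY", uids, dest), f"UID COPY {uids} from {mbox}")
        issued += [f"EXAMINE {mbox}", f"UID COPY {uids} {dest}"]
    return issued

class RecordingConn:
    """Constructed stand-in for imaplib.IMAP4_SSL so the example runs offline."""
    def create(self, mailbox): return ("OK", [b"Completed"])
    def select(self, mailbox, readonly=False): return ("OK", [b"3"])
    def uid(self, command, *args): return ("OK", [b"Completed"])

if __name__ == "__main__":
    plan = [("user.A", "234,235,236"), ("user.A.Drafts", "12:*")]
    print("\n".join(copy_messages(RecordingConn(), plan, "user.B.Recent")))
```

Because the server performs the copy, it assigns the destination UIDs and updates its own index files, so no file naming or reconstruct step is involved.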


How to copy messages between mailboxes?

2009-02-25 Thread Jason Voorhees
Hi people:

I'm trying to create a script to copy certain messages from a
mailbox of user A to mailbox of user B. These are the steps I have in
mind:

1. Select what messages to copy from mailbox of user A. They can be
message files located in different folders within its mailbox.

2. Choose where to copy messages in mailbox of user B.

3. Make the copy with cp and assign appropriate perms.

4. Reconstruct the mailbox of user B

These would be the commands:

# mkdir /var/spool/imap/a/user/B/Recent
# cd /var/spool/imap/a/user/A
# cp 234. 235. 236. Drafts/12* /var/spool/imap/a/user/B/Recent
# chown -R cyrus:mail /var/spool/imap/a/user/B/Recent
# su cyrus -c '/usr/lib/cyrus-imapd/reconstruct -r user/B'

I thought this would be enough, but I know I'm missing some things:

1. What name should I assign to message files being copied from A to
B? I know that their name is equal to its UID. So, what's the value of
the major UID? Does every folder maintain its own UID sequence?
2. There are no cyrus.header, cyrus.index nor cyrus.cache files at
/var/spool/imap/a/user/B/Recent because I just created that directory.
So... I don't need to copy those files from A because reconstruct will
create them... is this right?

I know my English isn't very good yet to explain my question
correctly, but I hope someone can understand me to help me a bit with
this.

Thanks, bye



Re: Security risk of POP3 IMAP protocols

2009-02-13 Thread Jason Voorhees
On Thu, Feb 12, 2009 at 5:49 PM, Jason Voorhees jvoorhe...@gmail.com wrote:
 Hi people:

 A friend of mine is asking me about security risks of using IMAP &
 POP3 protocols. Why? Because a sales person told my friend that IMAP
 protocol is less secure than POP3 protocol. This assumption is not
 related to Cyrus IMAP, instead it is related only to the protocols.
 I'm searching Google for something about POP3 & IMAP security but I'm
 not really sure about the comments I can find in forums or other sites.

 Does anybody here know anything about security risk of these
 protocols? Is it true that one of them is less secure than the other
 one?

 Thanks, bye


Thanks everyone for your replies, they were good answers with
different points of view.
Actually, I made a mistake writing my post: My friend told me that the
sales person believes that POP3 has security problems and is
vulnerable, so recommends IMAP as a replacement for use by end users.

Anyway, it doesn't matter what the sales person really said because I
can see now that the argument for using one protocol instead of the other
one depends much on the context.
The POP3/IMAP server (now running Zimbra) is running at my friend's
office with all his users using POP3. I will migrate its mailserver to
Cyrus + MTA+other components...and they plan to use IMAP now.

I will explain to him every point of view that you shared with me. Thanks again :)



Security risk of POP3 IMAP protocols

2009-02-12 Thread Jason Voorhees
Hi people:

A friend of mine is asking me about security risks of using IMAP &
POP3 protocols. Why? Because a sales person told my friend that IMAP
protocol is less secure than POP3 protocol. This assumption is not
related to Cyrus IMAP, instead it is related only to the protocols.
I'm searching Google for something about POP3 & IMAP security but I'm
not really sure about the comments I can find in forums or other sites.

Does anybody here know anything about security risk of these
protocols? Is it true that one of them is less secure than the other
one?

Thanks, bye



Considerations to migrate cyrus mailboxes

2009-01-28 Thread Jason Voorhees
Hi people:

I'm running a CentOS 5 box with Cyrus IMAP 2.3.7. All mailboxes belong
to a unique domain (no virtdomains setting) and also are using the
unix hierarchy convention.
Now I'm planning to migrate the mailserver to a virtual machine under
OpenVZ and I want to migrate all mailbox data from the old server to
the new one.
But the new server -also running Cyrus and the same version- will be
configured with virtdomains support, and the 'defaultdomain' will be
different from the domain where I intend to move old mailboxes.

What considerations or steps must I follow?
How can I convert old mailboxes (with no virtdomains support) to the
new ones (with virtdomains support)?
Will I need to copy all files from the Cyrus config directory and
partition directory?

I know that this task could be done using imapsync between both
imap servers... but.. is there any better option than this?

I hope someone can help me a bit, thanks, bye :)



Re: Basic question

2009-01-05 Thread Jason Voorhees
That was perfect, Thank you very much Dan!

Now I know what configuration is appropriate for me. Bytes!

Dan White wrote:
 Jason Voorhees wrote:
 Hi there:

 I'm planning to use Cyrus IMAP and OpenLDAP to authenticate users.
 Long time ago I used to configure Cyrus IMAP + Cyrus SASL using
 saslauthd with pam module. It was something simple.

 Then I used to configure Cyrus IMAP + Cyrus SASL using saslauthd with
 ldap module and /etc/saslauthd.conf without problems. That's fine.


 Now I would like to use Cyrus IMAP with OpenLDAP too, but I found that
 there are at least 2 ways:

 1. Use Cyrus SASL with auxprop to authenticate users through LDAP using
 auxprop_plugin: ldapdb, sasl_ldap_servers among other sasl_* directives.
 Right?

 2. The other way is to use ldap_* directives like ldap_uri, ldap_filter
 among others. But I believe that I would need to use 'pts' module in
 auth_mech directive, right?

 The question is: What are pts, unix, krb and krb5 modules used for?
 What's the difference between them? Should I use pts module to make
 Cyrus talk directly to OpenLDAP...? Or should I use Cyrus SASL with
 auxprop plugin to make the authentication to OpenLDAP?

 Is there a place where I can get some clear information about these
 items? Man pages are not too clear :S

 Thanks people :)
   
 
 Jason,
 
 Available documentation that I'm aware of includes:
 
 /doc/options.html (within the cyrus-sasl source) which documents how to
 configure the ldapdb auxprop plugin
 
 /saslauthd/LDAP_SASLAUTHD (within the cyrus-sasl source) which discusses
 how to configure the ldap saslauthd backend
 
 /doc/overview.html (within the cyrus-imap source), in the 'Kerberos vs.
 Unix Authorization' section, which discusses authorization.
 
 As I understand it, the ldapdb auxprop plugin is entirely within the
 realm of cyrus sasl (authentication), and the auth_mech directive in
 imapd.conf is cyrus imapd specific, and only handles authorization.
 
 The auth_mech options (pts, unix, krb and krb5) direct how cyrus imapd
 authorizes users to access mailboxes/resources *after* they have been
 authenticated. The kerberos options direct imapd to perform some
 canonicalization of the authenticating user before opening their mailbox
 - so if a user connects as jsm...@example.com, the kerberos options
 could canonicalize that to 'jsmith', so that the server can open the
 'jsmith' mailbox instead of searching for a 'jsm...@example.com' mailbox.
 
 The unix and pts options should only come in to play if you have
 specified a 'group:staff' style ACL for your mailboxes. It tells the
 imapd server how to resolve group membership to grant access to the
 mailbox. The 'unix' option will perform a unix getgrent call, or
 something like that, to determine if a user belongs to a group - using
 nss for instance, which in turn can use the nss-ldap or nss-mysql
 modules to lookup groups. However, that's pretty slow in my experience
 and you'd need to make sure you're properly optimizing your LDAP database.
 
 The pts route can be used to reference an LDAP server directly to
 resolve group membership within an LDAP database.
 
 - Dan



Basic question

2008-12-30 Thread Jason Voorhees
Hi there:

I'm planning to use Cyrus IMAP and OpenLDAP to authenticate users.
Long time ago I used to configure Cyrus IMAP + Cyrus SASL using
saslauthd with pam module. It was something simple.

Then I used to configure Cyrus IMAP + Cyrus SASL using saslauthd with
ldap module and /etc/saslauthd.conf without problems. That's fine.


Now I would like to use Cyrus IMAP with OpenLDAP too, but I found that
there are at least 2 ways:

1. Use Cyrus SASL with auxprop to authenticate users through LDAP using
auxprop_plugin: ldapdb, sasl_ldap_servers among other sasl_* directives.
Right?

2. The other way is to use ldap_* directives like ldap_uri, ldap_filter
among others. But I believe that I would need to use 'pts' module in
auth_mech directive, right?

The question is: What are pts, unix, krb and krb5 modules used for?
What's the difference between them? Should I use pts module to make
Cyrus talk directly to OpenLDAP...? Or should I use Cyrus SASL with
auxprop plugin to make the authentication to OpenLDAP?

Is there a place where I can get some clear information about these
items? Man pages are not too clear :S

Thanks people :)



IMAP account used for multiple users

2008-10-13 Thread Jason Voorhees
Hi all:

A simple question:
Is there any kind of problem if a unique IMAP account is used by more
than one client at the same time?
I'm thinking of giving access to all my users (up to 90 users) through MS
Outlook to a unique IMAP account.

I don't plan to use subscribed folders instead for simplicity reasons.

Thanks, bytes!



Re: suggestion need to design an email system.

2008-09-22 Thread Jason Voorhees
Hi:

Some months ago I was using Courier+Postfix+OpenLDAP+Phamm 
(http://www.phamm.org).
I'm not a developer but I understood a little of phamm's code to realize 
that it would not be difficult to use it with Cyrus.

I'm planning to use Phamm again but this time with Cyrus. First I need 
to know how to execute cyrus tasks without cyradm (creating mailboxes, 
setting/changing quota, remove mailboxes, etc). I was thinking about 
cyradm + expect but it's just an idea by now.

Bytes!

J. Bakshi wrote:
 Dear list,
 
 I have a running email system which I made in 2006 based on
 postfix+cyrus+openldap. The authentication is based on openldap.
 I have done some reading through net and find a new mail server dovecot.
 I have to create another email system for multidomain based hosting
 server where both scalability as well as performance should be in prime
 consideration. I need your kind suggestion for this. shall I use dovecot
 or cyrus can fit my requirement ? another important question ; Is there
 any webinterface which can manage the mail system based on LDAP ?
 There are many with MySql but any application which can work with
 postfix+cyrus+openldap ?
 
 thanks
 
 
