On 11 Jun 2003, Mark London writes:

> I would like to restrict Cyrus to only allow users to use IMAPS, not
> plain IMAP. However, I was told that would break Squirrelmail,
> unless I opened access to IMAP (port 143) for the node that
> Squirrelmail was running on.

Iptables would probably be the most common way to achieve this sort of
restriction.

> But I'm running XINETD on Redhat, and I've read Cyrus doesn't use
> that. I would need another TCP wrapper program ...

Not really, as others have said already. Either configure cyrus to
use tcp-wrappers, or use iptables to restrict the data flow instead of
a wrapper.

> ..., or is there an easier way to do it?

You could set up Cyrus to only allow IMAPS access, and then use
stunnel on the squirrelmail machine to do the SSL/TLS tunneling for
it. That way, no 'special' permissions would be needed on the cyrus
server at all, from the cyrus perspective squirrelmail would use IMAPS
just like other IMAPS clients. How this would impact performance
(many SSL tunnels being created, when squirrelmail gets busy) is
something you'd need to think about.

Overall, which way (iptables, compiling cyrus to use a wrapper, or
stunnel) is 'easier' depends on what software you are comfortable
with... Which way is more secure against whatever threats you believe
exist is probably a useful question to ask yourself, too (or else why
bother with IMAPS at all!).

If the Squirrelmail to Cyrus traffic can be sniffed by 'the bad guys',
then IMO you need something to protect the accountname/password
information and the email itself from such snooping, so stunnel on the
Squirrelmail box (and 100% IMAPS only on the Cyrus server) might be
appropriate.

Jonathan
--
Jonathan Marsden    | Internet: [EMAIL PROTECTED]  | Making electronic
1252 Judson Street  | Phone: +1 (909) 795-3877   | communications work
Redlands, CA 92374  | Fax: +1 (909) 795-0327     | reliably for Christian
USA                 | http://www.xc.org/jonathan | missions worldwide
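
The stunnel approach described in the reply above, written out as an added example that is not part of the original message: a client-mode stunnel configuration for the Squirrelmail host, using stunnel 5.x option names. The server name cyrus.example.org, the CA file path, the service name and the stunnel account are assumptions.

```ini
; stunnel.conf on the Squirrelmail host (added example, assumed values).
; Squirrelmail speaks plain IMAP to the loopback listener only; stunnel
; wraps each connection in TLS and forwards it to the IMAPS port on the
; Cyrus server, so no cleartext IMAP crosses the network.

; Binding port 143 needs root; drop to an unprivileged account afterwards.
; The account name "stunnel" is an assumption and varies by distribution.
setuid = stunnel
setgid = stunnel

[imap-to-imaps]
; Act as a TLS client towards the Cyrus server.
client = yes

; Listen on loopback only. Accepting on 0.0.0.0 would hand every host
; on the network a plain-IMAP entry point into the tunnel.
accept = 127.0.0.1:143

; IMAPS port on the Cyrus server (hostname is a placeholder).
connect = cyrus.example.org:993

; stunnel does not verify the peer certificate unless told to. Without
; these three lines the tunnel encrypts but does not authenticate the
; server, so an on-path attacker could still terminate the TLS session.
verifyChain = yes
CAfile = /etc/stunnel/cyrus-ca.pem
checkHost = cyrus.example.org
```

Squirrelmail is then pointed at 127.0.0.1 port 143 as its IMAP server, and the Cyrus server needs neither a plain IMAP listener nor a firewall exception for the Squirrelmail host.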