Charles Marcus wrote:
So, to summarize, we will have two Cyrus IMAP servers, one Public, one Private. Most employee access will be from the internal, office LAN, but with occasional access from the internet (home, vacation, etc), so the Mailboxes on both servers must be kept in sync. Short delays (up to a few minutes) in the sync process are acceptable.

Have you thought of implementing something simpler and more standard?

Many organizations are solving this problem by using a single IMAP server on the internal LAN, and a webmail host in the DMZ (that connects to the internal IMAP server, either directly, or more often through some kind of IMAP proxy). When outside the office, employees can access their mail using the webmail interface. When inside the office, they can access it using a regular IMAP client. Actually, I have a couple of users who like the webmail interface so much that they use it even when they are in the office. Horde/IMP is a very nice and usable webmail interface. Squirrel Mail is another one. I kind of prefer IMP, but that's only my preference.

The webmail solution is very good if you don't trust (outside) client machines. For example, if you are concerned about employees' home machines getting infected by viruses/worms/trojans. All they can directly connect to is the web server in the DMZ on which the webmail application is installed. There's no company data stored on that machine.

The second solution would be setting up a VPN (for example using IPSec). That way, direct access to the internal server from outside is not possible. You place the VPN server in the DMZ, and allow access only for clients connected to the VPN server (all of them will have an encrypted IPSec tunnel from their home machines to your DMZ).

The VPN solution could work very nicely. From a security standpoint, it is just a notch below the webmail solution. Since you will have a firewall between the VPN machine in the DMZ and the internal network, you have fine control over what can be accessed. If employees have properly closed-down company laptops on which they are not able to install any software, with BIOS passwords preventing them from reinstalling the machine, and with good AV software installed, this can also be very secure, and they can use standard IMAP clients. You might opt to allow them access only to an IMAP proxy somewhere in the DMZ, instead of a direct connection to the internal IMAP server.

Another solution might be installing an IMAP proxy in the DMZ. I'd call it the least secure of the bunch.

The last option, if you really want to go with two separate servers, is to use a program such as imapsync. It will sync mailboxes between two IMAP servers. However, it works only one-way. So you sync, for example, from inside to outside. If a user marks an email as read on the outside email server, it'll get overridden on the next sync. This is because there is no data that says when the flags for a message were changed. Also, if mailboxes contain a huge number of emails, it can get very, very slow.

--
Aleksandar Milivojevic <[EMAIL PROTECTED]>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
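To make the imapsync caveat in the reply above concrete, here is an added example (a toy model written for this page, not imapsync's or Cyrus's code): an in-memory model of the inside and outside mailboxes, a naive one-way sync that overwrites the destination's flags on every pass, and a hypothetical variant that records a per-message flag-change time so that the most recent change wins. The `Mailbox` and `Message` classes, the sample message and the `flags_changed_at` logical clock are all constructed for the illustration; the post's point is precisely that the servers give the sync tool no such change record, which is why the one-way tool cannot tell which side touched the flags last.

```python
"""Toy model of the one-way flag-sync problem (added example, not imapsync code)."""
from dataclasses import dataclass, field


@dataclass
class Message:
    uid: int
    body: str
    flags: set = field(default_factory=set)
    flags_changed_at: int = 0  # hypothetical logical clock of the last flag change


@dataclass
class Mailbox:
    msgs: dict = field(default_factory=dict)

    def deliver(self, uid, body, now):
        """New mail arrives on this server at logical time `now`."""
        self.msgs[uid] = Message(uid, body, set(), now)

    def set_flags(self, uid, flags, now):
        """A client changes flags (e.g. marks a message read) at logical time `now`."""
        m = self.msgs[uid]
        m.flags = set(flags)
        m.flags_changed_at = now


def one_way_sync(src, dst):
    """Naive one-way sync, as the post describes: copy missing messages to dst,
    then make dst's flags equal src's flags.  Anything changed on dst is lost."""
    for uid, m in src.msgs.items():
        if uid not in dst.msgs:
            dst.msgs[uid] = Message(uid, m.body, set(m.flags), m.flags_changed_at)
        else:
            dst.msgs[uid].flags = set(m.flags)


def timestamped_sync(src, dst):
    """Hypothetical variant: with a per-message flag-change time available on both
    sides, keep whichever side's flags changed most recently."""
    for uid, m in src.msgs.items():
        if uid not in dst.msgs:
            dst.msgs[uid] = Message(uid, m.body, set(m.flags), m.flags_changed_at)
            continue
        d = dst.msgs[uid]
        if m.flags_changed_at > d.flags_changed_at:
            d.flags = set(m.flags)
            d.flags_changed_at = m.flags_changed_at
        # otherwise dst's change is newer and is kept


def scenario_read_outside(sync):
    """Mail arrives inside, is synced out, then the user reads it from home via
    the outside server.  Returns the outside flags after the next sync pass."""
    inside, outside = Mailbox(), Mailbox()
    inside.deliver(1, "constructed sample message", now=1)
    sync(inside, outside)                      # t=2: first pass copies the message
    outside.set_flags(1, {"\\Seen"}, now=3)    # user marks it read on the outside server
    sync(inside, outside)                      # t=4: next scheduled pass
    return outside.msgs[1].flags


def scenario_flag_inside(sync):
    """Same as above, but afterwards the inside copy is flagged at t=5; the
    newer inside change should reach the outside server under either strategy."""
    inside, outside = Mailbox(), Mailbox()
    inside.deliver(1, "constructed sample message", now=1)
    sync(inside, outside)
    outside.set_flags(1, {"\\Seen"}, now=3)
    sync(inside, outside)
    inside.set_flags(1, {"\\Flagged"}, now=5)
    sync(inside, outside)
    return outside.msgs[1].flags


if __name__ == "__main__":
    print("naive one-way:", scenario_read_outside(one_way_sync))       # set(): \Seen lost
    print("timestamped:  ", scenario_read_outside(timestamped_sync))   # {'\\Seen'} kept
```

Under the naive strategy the `\Seen` flag set from home vanishes on the next pass, exactly the behaviour the post warns about; the timestamped variant keeps it, while a genuinely newer change on the inside server (the second scenario) still propagates outward under both.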
