I have attached the 2 patches that you are looking for, which I use in my
install. They remove the restriction for PLAIN from the frontends to the
backends.
Ken Murchison wrote:
Ramya Krishnan wrote:
Michael Loftis wrote:
-nodes IIRC
--On December 15, 2005 12:43:53 PM +0530 Ramya Krishnan
<[EMAIL PROTECTED]> wrote:
Ken Murchison wrote:
Because the frontends proxy as the user to the backend, the IMAP LOGIN
command can not be used. The only plaintext SASL mechanism that can be
used is PLAIN, but you can't use it unless protected by TLS. Looking at
the CAPABILITY output above, it doesn't look like you've configured TLS.
You might also be able to fake this by running imapd on the backends
with the '-p 2' option.
1. I have 2 backend servers and one proxy-cum/mupdate server. The
password comes as clear text over the network (unsafe) to proxy. Then I
am forced to use TLS between the backend and frontend servers... This
network is safe and I don't want the overhead of SSL... Is there a way to
overcome this?
Do I have to use TLS for communication between the front-end and
backend servers?
You have to use a SASL mechanism which allows proxy authentication
(PLAIN, DIGEST-MD5, KERBEROS).
How can your frontend/backend network be considered safe, when you have
to allow clients to be able to access backends directly (for referrals)?
--- cyrus-imapd-2.1.11/imap/imapd.c Mon Nov 18 10:50:15 2002
+++ cyrus-imapd-2.1.11/imap/imapd.c-hacked Wed Jan 22 13:13:48 2003
@@ -638,7 +638,8 @@
}
/* never allow plaintext, since IMAP has the LOGIN command */
- secprops = mysasl_secprops(SASL_SEC_NOPLAINTEXT);
+ /* secprops = mysasl_secprops(SASL_SEC_NOPLAINTEXT); */
+ secprops = mysasl_secprops(0);
sasl_setprop(imapd_saslconn, SASL_SEC_PROPS, secprops);
sasl_setprop(imapd_saslconn, SASL_SSF_EXTERNAL, &extprops_ssf);
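Review bot: The replacement call `secprops = mysasl_secprops(0);` is unconditional, so SASL_SEC_NOPLAINTEXT is dropped for every connection that reaches this code, not only for frontend-to-backend proxying as the cover note describes. Since the thread points out that clients can reach the backends directly for referrals, PLAIN without TLS would be offered to them as well. Consider gating the relaxed properties on a configuration switch or on the peer being a known frontend, and compare with the '-p 2' suggestion in the thread, which needs no source change. The retained comment "never allow plaintext, since IMAP has the LOGIN command" now contradicts the code beneath it, and the commented-out original line should be deleted rather than left in place.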
*** cyrus-imapd-2.1.11/imap/pop3d.c Tue Nov 12 11:43:22 2002
--- cyrus-imapd-2.1.11-hacked/imap/pop3d.c Wed Jan 29 14:50:08 2003
***************
*** 416,422 ****
fatal("SASL failed initializing: sasl_server_new()",EC_TEMPFAIL);
/* will always return something valid */
! secprops = mysasl_secprops(SASL_SEC_NOPLAINTEXT);
sasl_setprop(popd_saslconn, SASL_SEC_PROPS, secprops);
if(iptostring((struct sockaddr *)&popd_localaddr,
--- 416,422 ----
fatal("SASL failed initializing: sasl_server_new()",EC_TEMPFAIL);
/* will always return something valid */
! secprops = mysasl_secprops(0);
sasl_setprop(popd_saslconn, SASL_SEC_PROPS, secprops);
if(iptostring((struct sockaddr *)&popd_localaddr,
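Review bot: At line 419 of pop3d.c, `secprops = mysasl_secprops(0);` removes SASL_SEC_NOPLAINTEXT with no comment saying why, and does so for all POP3 connections rather than only those coming from a frontend. A later reader has nothing in the file to tell them the weakening is deliberate, so add a comment stating the intent and make the relaxation conditional (for example on a site configuration setting) so that direct client connections keep the plaintext restriction. This patch is also a context diff with a different path layout (`cyrus-imapd-2.1.11-hacked/imap/pop3d.c`) from the unified imapd.c patch (`imapd.c-hacked`); generating both the same way would let them apply with one patch invocation.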
----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html