
Re: OT - MDA and User Authentication

  • Jorey Bump
    Message 1 of 11, Jun 30, 2006
      Eric wrote:

      > My understanding is that using local user accounts can present a
      > security issue vs. having accounts separate from the local box. Yes I
      > agree, I don't want an overly complicated authentication mechanism that
      > makes more work, but security is a big priority. I also read about
      > someone using authuserdb which seems rather simple but I am not very
      > familiar with the interworkings of all the authentication types out
      > there.

      The authentication method you use will be limited by what your IMAP/POP
      server supports. Have you chosen one, yet?

      There is certainly no issue with using /etc/passwd for systems that have
      less than 100 users, as long as you enforce encrypted logins
      (PLAIN/LOGIN over STARTTLS, for example) and assign a useless shell to
      mail users (/bin/false, for example).

      Another important factor to consider is the authentication method used
      by the MTA (postfix). I prefer to use cyrus-sasl, so I limit my choice to
      IMAP/POP servers that support it. This isn't always that important, as
      long as they provide a way to access the same password database (or
      /etc/shadow in a simple setup).

      Everyone has their favorites, but I think it's safe to say that *ALL*
      IMAP servers SUCK (for one reason or another), and so do most POP3
      servers, but they tend to be simpler to deploy due to their limited
      functionality. I use Cyrus-imapd because it's a little easier for end
      users to configure, provides concurrent read/write access to mailboxes,
      and doesn't expose the filesystem. It's fairly complex and not as easy
      to back up as other solutions, however. Whatever you choose, it will be
      a commitment, because you will also be choosing a backend storage
      paradigm from several incompatible options that make it a challenge to
      switch to something else in the future.
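The two hardening points in the message above (mail-only accounts get a useless shell, and PLAIN/LOGIN is only accepted once STARTTLS is up) as an added Python audit example; this is not code from the thread or from Postfix or Cyrus. The passwd and main.cf excerpts are constructed. `smtpd_sasl_auth_enable` and `smtpd_tls_auth_only` are real Postfix parameters; the list of no-login shells is an assumption about the host being checked.

```python
"""Audit the two settings recommended above: mail-only accounts get a
non-interactive shell, and SMTP AUTH is refused until STARTTLS is active.
All sample data here is constructed for the example."""

# Shells that do not allow an interactive login (assumption: this list
# covers the shells used on the target host; extend it if needed).
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin", "/bin/nologin"}

# Constructed /etc/passwd excerpt; alice, bob and carol are mail-only users.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Mail user:/home/alice:/bin/false
bob:x:1002:1002:Mail user:/home/bob:/bin/bash
carol:x:1003:1003:Mail user:/home/carol:/usr/sbin/nologin
"""

# Constructed Postfix main.cf excerpt. smtpd_sasl_auth_enable and
# smtpd_tls_auth_only are real Postfix parameters; the weak value here is
# smtpd_tls_auth_only = no, which lets PLAIN/LOGIN credentials travel in the clear.
SAMPLE_MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_tls_auth_only = no
"""


def parse_passwd(text):
    """Yield (user, shell) for each well-formed 7-field passwd line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            yield fields[0], fields[6]


def mail_users_with_login_shell(passwd_text, mail_users):
    """Return mail-only accounts whose shell still permits an interactive login."""
    return sorted(
        user
        for user, shell in parse_passwd(passwd_text)
        if user in mail_users and shell not in NOLOGIN_SHELLS
    )


def parse_main_cf(text):
    """Minimal 'key = value' parser; comments and blank lines are skipped.
    Postfix continuation lines (leading whitespace) are not handled."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def sasl_over_tls_enforced(main_cf_text):
    """True only when SASL AUTH is enabled and offered exclusively after STARTTLS."""
    params = parse_main_cf(main_cf_text)
    return (
        params.get("smtpd_sasl_auth_enable") == "yes"
        and params.get("smtpd_tls_auth_only") == "yes"
    )


if __name__ == "__main__":
    mail_only = {"alice", "bob", "carol"}
    print("mail users with a login shell:", mail_users_with_login_shell(SAMPLE_PASSWD, mail_only))
    print("AUTH restricted to TLS sessions:", sasl_over_tls_enforced(SAMPLE_MAIN_CF))
```

On the constructed input the audit flags `bob` (interactive shell on a mail-only account) and reports that AUTH is not restricted to TLS sessions; flipping `smtpd_tls_auth_only` to `yes` clears the second finding.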
    • Greg Woods
      Message 2 of 11, Jun 30, 2006
        On Fri, 2006-06-30 at 12:00 -0400, Jorey Bump wrote:

        > Another important factor to consider is the authentication method used
        > by the MTA (postfix). I prefer to use cyrus-sasl, so I limit my choice to
        > IMAP/POP servers that support it.

        If you are using cyrus-sasl, you can also use any authentication method
        that PAM supports. That's what we do here, so that we can use our
        central authentication server usernames and passwords for SMTP AUTH.
        saslauthd can be configured to authenticate via PAM modules, so you can
        use any authentication method that PAM modules exist for.

        --Greg
      • Eric
        Message 3 of 11, Jun 30, 2006
          Good points.

          Using the built-in user authentication of the box but giving users false
          shells would be much easier for a small mail server.

          Backups are an important point. What is the problem with backups with
          your referenced scenario?

          Thanks,
          Eric

          > My understanding is that using local user accounts can present a
          > security issue vs. having accounts separate from the local box. Yes I
          > agree, I don't want an overly complicated authentication mechanism that
          > makes more work, but security is a big priority. I also read about
          > someone using authuserdb which seems rather simple but I am not very
          > familiar with the interworkings of all the authentication types out
          > there.

          > The authentication method you use will be limited by what your IMAP/POP
          > server supports. Have you chosen one, yet?

          > There is certainly no issue with using /etc/passwd for systems that have
          > less than 100 users, as long as you enforce encrypted logins
          > (PLAIN/LOGIN over STARTTLS, for example) and assign a useless shell to
          > mail users (/bin/false, for example).

          > Another important factor to consider is the authentication method used
          > by the MTA (postfix). I prefer to use cyrus-sasl, so I limit my choice to
          > IMAP/POP servers that support it. This isn't always that important, as
          > long as they provide a way to access the same password database (or
          > /etc/shadow in a simple setup).

          > Everyone has their favorites, but I think it's safe to say that *ALL*
          > IMAP servers SUCK (for one reason or another), and so do most POP3
          > servers, but they tend to be simpler to deploy due to their limited
          > functionality. I use Cyrus-imapd because it's a little easier for end
          > users to configure, provides concurrent read/write access to mailboxes,
          > and doesn't expose the filesystem. It's fairly complex and not as easy
          > to back up as other solutions, however. Whatever you choose, it will be
          > a commitment, because you will also be choosing a backend storage
          > paradigm from several incompatible options that make it a challenge to
          > switch to something else in the future.
          --
          Eric Kahklen
          Lynnwood, WA
          206-595-2934
        • Sandy Drobic
          Message 4 of 11, Jun 30, 2006
            Eric wrote:
            > Good points.
            >
            > Using the built-in user authentication of the box but giving users false
            > shells would be much easier for a small mail server.
            >
            > Backups are an important point. What is the problem with backups with
            > your referenced scenario?

            The trouble is Cyrus-specific. Cyrus uses a proprietary form of maildir
            with a database index, which can cause quite some trouble if the index is
            messed up or you reinstall with a different OS version. Most of the time
            the potential trouble isn't worth the niceties that Cyrus offers, at least
            not for small installations. I like the fulltext index that squatter
            offers and shared folder ACLs, but most of the time they aren't necessary.

            Sandy
          • Jorey Bump
            Message 5 of 11, Jun 30, 2006
              Sandy Drobic wrote:
              > Eric wrote:
              >>
              >> Using the built-in user authentication of the box but giving users false
              >> shells would be much easier for a small mail server.
              >> Backups are an important point. What is the problem with backups with
              >> your referenced scenario?
              >
              > The trouble is Cyrus-specific. Cyrus uses a proprietary form of maildir
              > with a database index, which can cause quite some trouble if the index
              > is messed up or you reinstall with a different OS version. Most of the
              > time the potential trouble isn't worth the niceties that Cyrus offers,
              > at least not for small installations. I like the fulltext index that
              > squatter offers and shared folder ACLs, but most of the time they aren't
              > necessary.

              Cyrus doesn't use maildir, but it does store each message as a single
              file. While maildir also does this, its distinguishing feature is that
              it uses special directories and filenames to reflect the message state,
              essentially using the filesystem as a database. This usually means that
              when copying a maildir structure to another filesystem, no state
              information about messages will be lost. That can be a big win for
              backups or when migrating mail to another maildir-based system.

              As Sandy points out, Cyrus uses index files to maintain state
              information. This is far more fragile, and it can be challenging to back
              up a mail spool and its corresponding index files without interrupting
              service to guarantee that they are in sync. It should probably be noted
              that you won't actually lose mail after a restoration, just information
              about the messages if the indexes are broken or incompatible with the
              destination system. If the indexes can't be rebuilt, I think that all
              messages will probably appear as new (I've never tried it). This is
              certainly annoying (compounded by the number of users), but not the end
              of the world.

              It's true that Cyrus is aimed at large user bases, but I've also used it
              in small installations where concurrent read/write access is important
              (webmail, or teams sharing an email account). Other IMAP servers also
              offer this capability using maildir (Courier, Dovecot, BincIMAP) or mbx
              (UW-IMAP).

              It's pretty easy to get an mbox-based IMAP server running with Dovecot
              or UW-IMAP, especially for a small user base. It's also fairly easy to
              back up and migrate mbox files. There are some serious drawbacks related
              to modern message sizes and security, though. I encourage you to look at
              more scalable options.
            • mouss
              Message 6 of 11, Jul 2, 2006
                Jorey Bump wrote:
                > Cyrus doesn't use maildir, but it does store each message as a single
                > file.
                This is ambiguous. afaik, cyrus stored many messages in a single file,
                but uses an index file to "reach" messages more quickly than if just
                using mbox format.

                anyway, given OP's questions, he should go dovecot or courier.
              • Jorey Bump
                Message 7 of 11, Jul 2, 2006
                  mouss wrote:
                  > Jorey Bump wrote:
                  >> Cyrus doesn't use maildir, but it does store each message as a single
                  >> file.
                  > This is ambiguous. afaik, cyrus stored many messages in a single file,
                  > but uses an index file to "reach" messages more quickly than if just
                  > using mbox format.

                  No, it stores each message as a single file. From the documentation:

                  message files
                  There is one file per message, containing the message in RFC 822
                  format. Lines in the message are separated by CRLF, not just LF.
                  The file name of each message is the message's UID followed by a
                  dot (.).

                  Since each file is a raw RFC 822 mail message, it relies on support
                  files to index and provide other information about messages and
                  mailboxes (the directories that contain messages).

                  Dovecot uses separate index files to enhance access to multiple messages
                  in single mbox files, as you describe.

                  > anyway, given OP's questions, he should go dovecot or courier.

                  Perhaps. His original question was simply a survey. Unfortunately, the
                  choices are few, they all have significant caveats, and all represent a
                  commitment that's difficult to reverse. Sadly, there is no true blackbox
                  solution for IMAP, even from a user's point of view.
                • Devdas Bhagat
                  Message 8 of 11, Jul 2, 2006
                    On 03/07/06 02:42 +0200, mouss wrote:
                    > Jorey Bump wrote:
                    > >Cyrus doesn't use maildir, but it does store each message as a single
                    > >file.
                    > This is ambiguous. afaik, cyrus stored many messages in a single file,
                    > but uses an index file to "reach" messages more quickly than if just
                    > using mbox format.
                    >
                    Cyrus uses an indexed MH variant (_not_ maildir).

                    Devdas Bhagat
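The storage-layout distinction drawn across messages 5, 7 and 8 (maildir keeps message state in the sub-directory and filename; Cyrus names each file by UID followed by a dot and keeps state in its index; MH uses bare sequence numbers) as an added Python example, not code from the thread or from any of the servers discussed. The paths are constructed; the maildir flag letters follow the maildir specification, the Cyrus name pattern follows the documentation quoted in message 7, and the MH naming is assumed to be the classic numbered-file layout.

```python
"""Recover what can be learned about a message from its on-disk name in the
layouts discussed above: maildir (state in sub-directory plus filename),
Cyrus ('<UID>.' per the quoted documentation, state kept in the index) and
plain MH (bare sequence number). All paths below are constructed."""

import re

# Maildir info flags as defined in the maildir specification.
MAILDIR_FLAGS = {
    "D": "draft", "F": "flagged", "P": "passed",
    "R": "replied", "S": "seen", "T": "trashed",
}

MAILDIR_NAME = re.compile(r"^(?P<unique>[^:/]+)(?::2,(?P<flags>[A-Za-z]*))?$")
CYRUS_NAME = re.compile(r"^(?P<uid>\d+)\.$")   # UID followed by a dot
MH_NAME = re.compile(r"^(?P<seq>\d+)$")         # bare sequence number (assumed classic MH)


def parse_maildir_path(path):
    """'cur/<unique>:2,<flags>' or 'new/<unique>' -> message state.
    The sub-directory is part of the state: new/ means not yet seen by a client."""
    subdir, _, name = path.rpartition("/")
    m = MAILDIR_NAME.match(name)
    if subdir not in ("new", "cur") or m is None:
        raise ValueError("not a maildir message path: %r" % path)
    flags = m.group("flags") or ""
    return {
        "layout": "maildir",
        "unique": m.group("unique"),
        "new": subdir == "new",
        "flags": sorted(MAILDIR_FLAGS[c] for c in flags if c in MAILDIR_FLAGS),
    }


def parse_cyrus_name(name):
    """Cyrus stores one RFC 822 file per message named '<UID>.'. Flags are not
    encoded in the name; they live in the mailbox index, so a plain file copy
    carries the message but not its state."""
    m = CYRUS_NAME.match(name)
    if m is None:
        raise ValueError("not a Cyrus message file name: %r" % name)
    return {"layout": "cyrus", "uid": int(m.group("uid")), "flags": None}


def parse_mh_name(name):
    """MH names each message by a bare sequence number; state lives in
    the folder's .mh_sequences file, not in the name."""
    m = MH_NAME.match(name)
    if m is None:
        raise ValueError("not an MH message file name: %r" % name)
    return {"layout": "mh", "seq": int(m.group("seq")), "flags": None}


def describe(path):
    """Dispatch on the shape of the name; maildir paths carry a sub-directory."""
    if "/" in path:
        return parse_maildir_path(path)
    if path.endswith("."):
        return parse_cyrus_name(path)
    return parse_mh_name(path)


def state_survives_file_copy(parsed):
    """Only maildir keeps flags in the filesystem, so only there does copying
    the files preserve message state (the backup point raised above)."""
    return parsed["flags"] is not None


if __name__ == "__main__":
    for sample in ("cur/1151670000.M1P2.host:2,RS", "new/1151670001.M3P2.host", "42.", "42"):
        info = describe(sample)
        print(sample, "->", info, "| state survives copy:", state_survives_file_copy(info))
```

The `state_survives_file_copy` check is the practical takeaway: a maildir message carries its flags with it when the files are copied, whereas a Cyrus or MH spool needs its index (or sequences file) backed up consistently alongside the message files.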