
Re: Building an IMAP server



On Tue, 04 Feb 2003, nate wrote:
> > Cyrus 1.5 also has SASL problems.  Anyway, Cyrus 2.1 will do LDAP auth
> > very easily, as long as it is against an open-ldap server (there is no
> > need to muck around with PAM to do that, then).  I use it here, and it
> > doesn't even glitch.
> 
> yes but the bug reports listed against it (referenced in the docs for
> the package) say it will cause major problems with libnss-ldap which

It will.  Symbol versioning is _really_ needed, but apparently neither I,
upstream nor the SASL maintainer took the time to add it to SASL 1.5.

It is a bit more complicated than it looks. Once we do it, we have to
wishlist recompiles of everything that uses SASL, and from there on anything
compiled with our (now non-braindamaged) SASL will complain VERY loudly when
run on "lesser" systems where SASL isn't versioned (but it will still run).

> I suppose I wouldn't need it if I used sasl, but that doesn't help
> me for the other things which use libnss-ldap.

Get ready to have the problems switch from Cyrus 2.1 to Cyrus 1.5 as soon as
we get the new openldap on Debian. It _requires_ sasl2, which means
everything else will HAVE to switch to sasl2 due to the symbol problems.
Cyrus 1.5 will break heavily with libnss-ldap, then.

> yeah I know that but I see no reason for sasl, I looked at the description
> of it briefly and still do not understand what the point of using it is.

Implementing the *authentication* methods you need in a mail server these
days.

> If I want secure authentication I'll use VPN or IMAPS(via sslwrap), and

You, maybe.  Many users can't... oh, btw, Cyrus 2.1 supports IMAPS directly.

> if I want to abstract authentication I can use PAM, that way I can

PAM was not designed for CRAM/DIGEST/OTP auth. It can be done, but not well.

> > Cyrus 2 is anything but flaky...  I am not really sure it is as stable as
> > 1.5, but it has fewer security issues, and a lot more features.
> 
> as for being flakey I got that just from reading up on some mailing list
> postings, maybe not all were up to date, when I was researching it a few
> weeks ago, things about cyrus mysteriously crashing, or refusing to
> authenticate. Probably mostly due to sasl mis-configuration or something.

Heh.  99% of the problems that have anything to do with auth mean someone
did not manage to set up SASL right.  Yes, there were a few bugs in SASL, and
right now there IS a bug in whatever mutt uses that makes it refuse to talk
DIGEST-MD5 right against Cyrus (the SASL endpoint has been validated to be
conforming correctly to the RFC)...  but those are quite rare.

Cyrus crashes are very common... in sub-standard Linux installs :-)  The
Cyrus in Debian is *extensively* patched to be very stable on high-load on
Linux systems, and Debian itself is much better behaved than some of the
crap people try to run "pristine upstream" Cyrus (which isn't guaranteed to
work well outside Solaris anyway) on.

In other words: you should NOT use pristine upstream Cyrus on Linux. And you
should not use fucked up distributions to run it, either.  BSD folks have to
use their ports (or Cyrus won't even compile right).  Linux folks should be
using either my Debs or the good RPMs one of the regulars in cyrus-devel
produces, which are patched accordingly.  Solaris users can safely use
upstream Cyrus source without patches.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
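To illustrate the point made above about PAM and CRAM/DIGEST style auth, here is an added example (not part of the original mail or of Cyrus/SASL): a CRAM-MD5 exchange per RFC 2195 with both sides, plus a hypothetical PAM-style verifier that can only ask "is this the user's password?" and therefore cannot check a challenge-response digest. Host name, nonce format and the credential store are constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample secret store; a real server keeps these in sasldb or an
# LDAP attribute, because the verifier needs the shared secret, not just a yes/no.
SASL_SECRETS = {"nate": "correct horse battery staple"}


def make_challenge(host: str = "mail.example.invalid") -> bytes:
    """Server side: a unique msg-id style challenge, as RFC 2195 describes."""
    return f"<{secrets.token_hex(8)}.0@{host}>".encode()


def client_response(user: str, password: str, challenge: bytes) -> str:
    """Client side: HMAC-MD5 keyed with the password over the raw challenge."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}"


def server_verify(response: str, challenge: bytes) -> bool:
    """SASL-style verifier: recompute the HMAC from the stored secret."""
    try:
        user, digest = response.split(" ", 1)
    except ValueError:
        return False
    secret = SASL_SECRETS.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)  # constant-time compare


def pam_style_verify(response: str, check_password) -> bool:
    """Hypothetical PAM-style verifier: it only gets a check_password(user, pw)
    oracle. The wire carries an HMAC, never the password, so the best it can
    do is feed the digest to the oracle, which cannot succeed."""
    user, digest = response.split(" ", 1)
    return check_password(user, digest)


def run_exchange(user: str, password: str) -> bool:
    """Full exchange with the base64 framing used on the IMAP wire."""
    chal = make_challenge()
    wire_chal = base64.b64encode(chal)                 # "+ <base64>" line
    resp = client_response(user, password, base64.b64decode(wire_chal))
    wire_resp = base64.b64encode(resp.encode())        # client's reply line
    return server_verify(base64.b64decode(wire_resp).decode(), chal)
```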
