File: README.Debian

courierpassd 1.1.2-1
courierpassd for Debian
-----------------------

The following is straight from courierpassd's INSTALL file:

SUPER-SERVER SETUP:

Because courierpassd relies on a super-server to handle network connections,
it is easy to set up courierpassd to listen on whatever port is desired.
Since courierpassd uses the poppassd protocol to talk to clients, however,
the use of port 106 is recommended unless there is a compelling reason to
do otherwise.

A typical xinetd entry for courierpassd would look like this:

    service courierpassd
    {
            port            = 106
            socket_type     = stream
            protocol        = tcp
            user            = courier
            server          = /usr/local/sbin/courierpassd
            server_args     = -s imap
            wait            = no
            only_from       = 192.168.1.0 127.0.0.1
            instances       = 4
            disable         = no
    }

Courierpassd can also be used with tcpserver from the ucspi-tcp package
written by Dan Bernstein. A simple example of a courierpassd run script
would look like this:

    #!/bin/sh

    AUTHUID=`/usr/bin/id -u courier`
    AUTHGID=`/usr/bin/id -g courier`

    tcpserver -R -x /etc/tcprules.d/tcp.poppassd.cdb \
    -u "$AUTHUID" -g "$AUTHGID" 0 106 courierpassd -s imap &

If you use the daemontools package to control tcpserver, you can take
advantage of multilog and courierpassd's --stderr switch to provide
a consistent logging interface. In this case, the run script would look 
something like this:

    #!/bin/sh

    AUTHUID=`/usr/bin/id -u courier`
    AUTHGID=`/usr/bin/id -g courier`

    exec tcpserver -v -R -x /etc/tcprules.d/tcp.poppassd.cdb \
    -u "$AUTHUID" -g "$AUTHGID" 0 106 courierpassd -s imap --stderr 2>&1

And the corresponding log run script would look like this:

    #!/bin/sh

    exec multilog t /var/log/courierpassd

See the documentation that comes with ucspi-tcp and daemontools for
more information on how to use these packages and why you might want
to.
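The two tcpserver run scripts above point `-x` at a compiled rules database but do not show how it is built. The script below is an added example, not code from the courierpassd or ucspi-tcp projects: it turns a list of allowed sources into tcprules syntax with a closing default-deny rule (so tcpserver gets the same source restriction the xinetd `only_from` line gives) and compiles it with `tcprules`. The rules file location and the allowed networks are assumptions.

```sh
#!/bin/sh
# Added example, not from the courierpassd or ucspi-tcp projects: build the
# rules database that the tcpserver run scripts pass with -x, giving
# tcpserver the same source restriction the xinetd only_from line gives.
# The rules file location and the allowed networks are assumptions.

# Turn a list of sources into tcprules syntax, one rule per line.
# tcprules matches on dotted prefixes: "192.168.1." covers 192.168.1.0/24 and
# "10." covers 10.0.0.0/8, so only /8, /16 and /24 can be expressed this way.
# Plain addresses are written as-is.  The closing ":deny" matters: with -x,
# tcpserver accepts any connection that matches no rule.
poppassd_rules() {
    for src in "$@"; do
        case $src in
            */8)  echo "${src%%.*}.:allow" ;;
            */16) p=${src%/16}; echo "${p%.*.*}.:allow" ;;
            */24) p=${src%/24}; echo "${p%.*}.:allow" ;;
            */*)  echo "$src: only /8, /16 and /24 prefixes are supported" >&2
                  return 1 ;;
            *)    echo "$src:allow" ;;
        esac
    done
    echo ":deny"
}

# Compile a rules file into the cdb that tcpserver -x reads.  tcprules builds
# the database in the temp file and renames it into place, so a running
# tcpserver never opens a half-written cdb.
compile_rules() {
    rules=$1; cdb=$2
    tcprules "$cdb" "$cdb.tmp" < "$rules"
}

# Demonstration on a throw-away file.  In real use write the rules to
# /etc/tcprules.d/tcp.poppassd (assumed path) and compile them to the .cdb
# named in the run script.
tmp=$(mktemp)
poppassd_rules 127.0.0.1 192.168.1.0/24 > "$tmp"
cat "$tmp"
if command -v tcprules >/dev/null 2>&1; then
    compile_rules "$tmp" "$tmp.cdb"
fi
rm -f "$tmp" "$tmp.cdb" "$tmp.cdb.tmp"
```

Recompile the cdb whenever the rules file changes; tcpserver reads the database on each connection, so no restart is needed.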


SECURITY CONSIDERATIONS:

The user you choose to run courierpassd as is determined by the ownership
of the directory in which the authdaemon domain socket, named 'socket',
resides. The location of the socket directory is listed in the
authdaemonrc configuration file as the parameter authdaemonvar.
You should run courierpassd as the user and group of this directory to
allow it to communicate with the authentication library.
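The rule above (run as the owner of the authdaemon socket directory) is easy to get wrong by hand. The script below is an added example, not code from courierpassd or courier-authlib: it reads `authdaemonvar` from an authdaemonrc file, resolves the owner and group of that directory, and fails when the directory does not exist. The Debian config path is an assumption and the demonstration runs on constructed files.

```sh
#!/bin/sh
# Added example, not part of courierpassd or courier-authlib: work out which
# user and group courierpassd should run as by reading authdaemonvar from
# authdaemonrc and taking the owner of that directory, as the README says.
# The Debian config path is assumed; the demonstration uses constructed files.

# Print the value of authdaemonvar from an authdaemonrc file.  Accepts
# authdaemonvar=/path and authdaemonvar="/path", ignores trailing comments,
# and takes the last definition when the key appears more than once.
authdaemon_var() {
    sed -n 's/^[[:space:]]*authdaemonvar[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*#.*$//' | tr -d "\"'" | tail -n 1
}

# Print owner:group of a directory (GNU stat, with an ls fallback).
dir_owner() {
    stat -c '%U:%G' "$1" 2>/dev/null && return 0
    ls -ld "$1" | awk '{ print $3 ":" $4 }'
}

# Print the user:group to run courierpassd as.  Fails when authdaemonvar is
# unset or the directory is missing; warns when the 'socket' the README
# names is not present in it.
courierpassd_runas() {
    dir=$(authdaemon_var "$1")
    if [ -z "$dir" ]; then
        echo "$1: authdaemonvar is not set" >&2; return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "$dir: socket directory does not exist" >&2; return 1
    fi
    [ -S "$dir/socket" ] || echo "$dir/socket: no socket present (is authdaemond running?)" >&2
    dir_owner "$dir"
}

# Demonstration on constructed input.  On a Debian system the real file is
# /etc/courier/authdaemonrc (assumed path).
demo=$(mktemp -d)
mkdir "$demo/authdaemon"
cat > "$demo/authdaemonrc" <<EOF
authdaemonvar="$demo/authdaemon"   # constructed sample
EOF
courierpassd_runas "$demo/authdaemonrc"
rm -rf "$demo"
```

The printed `user:group` is what belongs in the xinetd `user` attribute (xinetd takes the user's primary group unless `group` is set) or in the `-u`/`-g` values of the tcpserver run scripts.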

Because courierpassd interacts with clients at remote locations,
careful thought must be given to access control.

When configuring the super-server, restrict the machines from which 
connections will be accepted. Restrict access to particular machines or
at least to particular subnets. If your network is protected by a firewall,
make sure the firewall blocks incoming requests to the port courierpassd
listens on.
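The access-control advice above and the xinetd entry earlier in this file can be checked mechanically. The script below is an added example, not part of courierpassd: it audits an xinetd service entry and fails when there is no `only_from` restriction, when `only_from` matches every address, or when the server would run as root, and it notes a port other than 106. The two entries it checks are constructed (one weak, one matching the README's example); file locations are assumptions.

```sh
#!/bin/sh
# Added example, not part of courierpassd: audit an xinetd entry for
# courierpassd against the access-control advice in this README.  The
# checker fails when the entry has no only_from restriction, when only_from
# allows every host, or when the service would run as root.  Sample entries
# below are constructed; file locations are assumptions.

# Print the (last) value of one attribute from an xinetd service entry.
xinetd_attr() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1
}

# Return 0 when the entry passes every check, 1 otherwise; each failing
# point is reported on stderr.
check_courierpassd_entry() {
    file=$1; rc=0
    if ! grep -q '^[[:space:]]*only_from[[:space:]]*=' "$file"; then
        echo "$file: no only_from line, connections are accepted from any host" >&2
        rc=1
    fi
    for src in $(xinetd_attr only_from "$file"); do
        case $src in
            0.0.0.0) echo "$file: only_from $src matches every address" >&2; rc=1 ;;
        esac
    done
    case $(xinetd_attr user "$file") in
        ''|root) echo "$file: server would run as root; use the owner of the authdaemon socket directory" >&2; rc=1 ;;
    esac
    port=$(xinetd_attr port "$file")
    [ "$port" = 106 ] || echo "$file: note: port is '$port', poppassd clients expect 106" >&2
    return $rc
}

demo=$(mktemp -d)
# Weak entry (constructed): no only_from, and it runs as root.
cat > "$demo/weak" <<'EOF'
service courierpassd
{
        port            = 106
        socket_type     = stream
        protocol        = tcp
        user            = root
        server          = /usr/sbin/courierpassd
        server_args     = -s imap
        wait            = no
        disable         = no
}
EOF
# Hardened entry (constructed), following the README's example.
cat > "$demo/ok" <<'EOF'
service courierpassd
{
        port            = 106
        socket_type     = stream
        protocol        = tcp
        user            = courier
        server          = /usr/sbin/courierpassd
        server_args     = -s imap
        wait            = no
        only_from       = 192.168.1.0 127.0.0.1
        instances       = 4
        disable         = no
}
EOF
check_courierpassd_entry "$demo/weak" || echo "weak entry rejected"
check_courierpassd_entry "$demo/ok" && echo "hardened entry accepted"
rm -rf "$demo"
```

Run it against `/etc/xinetd.d/courierpassd` (assumed path) after editing the entry; the firewall rule the README asks for is a separate check, since xinetd's `only_from` only filters connections that already reached the host.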

Using courierpassd means there will be plain text user IDs and passwords
transiting the network. If there is a possibility that passwords can be
captured on the wire by packet sniffers, use tunneling software such
as stunnel to encrypt the connection between server and clients.


 -- Charles Fry <cfry@debian.org>, Tue Jul 25 08:54:10 EDT 2006