[sork] set forwarding via scp?

Markus Krause krause at biochem.mpg.de
Sat Apr 26 14:01:10 PDT 2003


On Fri, 2003-04-25 at 00:29, Eric Rostetter wrote:
> Quoting Markus Krause <krause at biochem.mpg.de>:
> 
> > due to strict security demands i am not allowed to pass the .forwards
> > via ftp (through the firewall), but via scp (the ssh secure copy) would
> > be fine.
> 
> First, why is there a firewall between your web server and mail server?
> Shouldn't both be behind the firewall?
they are, but also separated by another firewall.

a very simple diagram of our network is:

 [Internet]
     |
  [ FW 1 ]
     |
[  Horde   ]
[   WWW    ]
[SMTP-Relay]
     |
  [ FW 2 ]
     |
  [ IMAP ]
  [ SMTP ]
  [ .... ]
     |
  [ FW 3 ]
     |
[Institute ]

the "network security chief" does not like the idea of opening another port
on FW2 and installing an ftp-server on the imap machine.

> Right now there is no stock solution.  In the future, I'd like to add ssl
> enabled ftp, but since this is new in PHP 4.3.x, and many people are not
> running that yet, it is low priority right now.
this i'd like very much! (but i know i can not change the priority ;-) )

> You could of course use an ssh or stunnel to tunnel the info between the
> machines.
we thought of that too, but for this we have to install an ftp-server on
the imap-machine (well, see above)

> You might be able to modify the passwd module's expect script to do this
> also...  Not a bad idea, but so far no one has stepped up to do the work.
> 
> Some people have used it as a "batch" system.  Say, for example, they
> use the sql driver to make the change in sql.  Then on the mail machine
> they have a cron job that pulls the info out of sql and puts it in the
> right file.  Not a great solution, but some people have done it.
we thought of something similar: let a cron job do scp or rsync all
.forward/.vacation files, but as you said, that's not a great solution...

> Another option, which probably wouldn't work in your security environment,
> are things like nfs/cifs/afs mounting of the disks.
hmm, our network admin won't like this at all i think ...

> > is there an option to do this or has anybody already managed this in
> > another way?
> 
> No option, but above are some ideas on how to do it.
> 
> > i am not too smart in php but if someone could show me a way through
> > this i would give it a try myself and of course share the code with you,
> > if anyone has need of this!
> 
> See above, and let me know if you need help.  Can't help though until
> you decide on how you want to proceed.
as written above i like the idea of ssl_ftp very much, i tried the sftp
client of the openssh package and it uses port 22 (well, actually not
very surprising ;-) ), which should be no problem for our security
concerned network admins.
of course i could just change the parts in ftp.php to ftp_ssl_connect 
but that would be lost after the next update (and would be no use for
you and the horde project). as mentioned i am not a php expert (at least
if it comes to classes, i have only programmed the "classic way" in php
but i am willing to learn it) and even after browsing through the code
of horde i have not yet fully understood the philosophy/class layout
(although it seems very thoroughly planned but therefore for a newbie
like me difficult to understand) but if you could spend some time and
point me to the files i have to understand/modify (and maybe there is a
map of the classes anywhere?) i will try to do it myself and of course share
it if i have success!

	markus
