[sork] set forwarding via scp?
Markus Krause
krause at biochem.mpg.de
Sat Apr 26 14:01:10 PDT 2003
On Fri, 2003-04-25 at 00:29, Eric Rostetter wrote:
> Quoting Markus Krause <krause at biochem.mpg.de>:
>
> > due to strict security demands i am not allowed to pass the .forwards
> > via ftp (through the firewall), but via scp (the ssh secure copy) would
> > be fine.
>
> First, why is there a firewall between your web server and mail server?
> Shouldn't both be behind the firewall?
they are, but also separated by another firewall.
a very simple diagram of our network is:
   [Internet]
       |
    [ FW 1 ]
       |
    [ Horde ]
     [ WWW ]
  [SMTP-Relay]
       |
    [ FW 2 ]
       |
    [ IMAP ]
    [ SMTP ]
    [ .... ]
       |
    [ FW 3 ]
       |
  [Institute ]
the "network security chief" does not like the idea of opening another port
on FW2 and install a ftp-server on the imap machine.
> Right now there is no stock solution. In the future, I'd like to add ssl
> enabled ftp, but since this is new in PHP 4.3.x, and many people are not
> running that yet, it is low priority right now.
this i'd like very much! (but i know i can not change the priority ;-) )
> You could of course use an ssh or stunnel to tunnel the info between the
> machines.
we thought of that too, but for this we have to install an ftp-server on
the imap-machine (well, see above)
> You might be able to modify the passwd module's expect script to do this
> also... Not a bad idea, but so far no one has stepped up to do the work.
>
> Some people have used it as a "batch" system. Say, for example, they
> use the sql driver to make the change in sql. Then on the mail machine
> they have a cron job that pulls the info out of sql and puts it in the
> right file. Not a great solution, but some people have done it.
we thought of something similar: let a cron job do scp or rsync all
.forward/.vacation files, but as you said, that's not a great solution...
> Another option, which probably wouldn't work in your security environment,
> are things like nfs/cifs/afs mounting of the disks.
hmm, our network admin won't like this at all i think ...
> > is there an option to do this or has anybody already managed this in
> > another way?
>
> No option, but above are some ideas on how to do it.
>
> > i am not too smart in php but if someone could show me a way through
> > this i would give it a try myself and of course share the code with you,
> > if anyone has need of this!
>
> See above, and let me know if you need help. Can't help though until
> you decide on how you want to proceed.
as written above i like the idea of ssl_ftp very much, i tried the sftp
client of the openssh package and it uses port 22 (well, actually not
very surprising ;-) ), which should be no problem for our security
concerned network admins.
of course i could just change the parts in ftp.php to ftp_ssl_connect
but that would be lost after the next update (and would be no use for
you and the horde project). as mentioned i am not a php expert (at least
if it comes to classes, i have only programmed the "classic way" in php
but i am willing to learn it) and even after browsing through the code
of horde i have not yet fully understood the philosophy/class layout
(although it seems very thoroughly planned but therefore for a newbie
like me difficult to understand) but if you could spend some time and
point me to the files i have to understand/modify (and maybe there is a
map of the classes anywhere?) i will try to do it myself and of course share
it if i have success!
markus
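
Added example, not part of the original message or of the Horde/sork code: a sketch of the cron-driven scp batch push mentioned in the thread, run on the web host and using only port 22 through FW 2. The staging directory layout, host name, key path and the /home/<user> remote path are assumptions for illustration.

```shell
#!/bin/sh
# Assumed (hypothetical) layout: $STAGE/<user>/.forward, written on the web host.
STAGE="${STAGE:-/var/spool/forwards}"      # hypothetical staging directory
MAILHOST="${MAILHOST:-imap.example.org}"   # hypothetical mail host behind FW 2
KEY="${KEY:-/etc/forwards/push_key}"       # hypothetical dedicated SSH key
DRY_RUN="${DRY_RUN:-1}"                    # 1 = only print the scp commands

# Accept only plain account names, so a staged directory name can never
# steer the remote path outside /home/<user>/.
valid_user() {
    case "$1" in
        ''|.*|-*|*[!a-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print one "local<TAB>remote" pair per file that would be copied.
plan_push() {
    for dir in "$STAGE"/*/; do
        [ -d "$dir" ] || continue
        user=$(basename "$dir")
        valid_user "$user" || { echo "skip: bad user name '$user'" >&2; continue; }
        for name in .forward .vacation; do
            f="$dir$name"
            # Regular files only: a symlink could point at any file on this host.
            [ -f "$f" ] && [ ! -L "$f" ] || continue
            printf '%s\t%s\n' "$f" "$MAILHOST:/home/$user/$name"
        done
    done
}

push_all() {
    plan_push | while IFS="$(printf '\t')" read -r src dst; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "scp $src $dst"
        else
            # BatchMode: never prompt, fail instead of hanging under cron.
            scp -q -p -i "$KEY" -o BatchMode=yes -o StrictHostKeyChecking=yes \
                "$src" "$dst"
        fi
    done
}

# Cron entry point: call the script with --run (DRY_RUN=0 to really copy).
if [ "${1:-}" = "--run" ]; then push_all; fi
```

On the mail host, the matching public key can be limited to this one job in authorized_keys so that the key is of no use for an interactive login.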