allowplaintext: no and aggregates
We are running a murder aggregate:

Front-end db
Three front-end servers
One back end server

Starting next year we are no longer permitting unencrypted connections (long time coming). Our supported authentication mechanisms are:

sasl_mech_list: PLAIN LOGIN

When I change allowplaintext to no, will the back-end and front-end servers be able to communicate with each other? Or, do I need to add an additional non-plain authentication mechanism? Will the db-server require plain-text logins?

Thank You,
Mike

--
Michael D. Sofka sof...@rpi.edu
CMT Sr. Systems Programmer, Email, TeX, Epistemology
Rensselaer Polytechnic Institute, Troy, NY. http://www.rpi.edu/~sofkam/

Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: allowplaintext: no and aggregates
On Fri, 6 Dec 2013, sofkam wrote:

> We are running a murder aggregate:
>
> Front-end db
> Three front-end servers
> One back end server
>
> Starting next year we are no longer permitting unencrypted connections (long time coming). Our supported authentication mechanisms are:
>
> sasl_mech_list: PLAIN LOGIN
>
> When I change allowplaintext to no, will the back-end and front-end servers be able to communicate with each other? Or, do I need to add an additional non-plain authentication mechanism? Will the db-server require plain-text logins?

Good question... My backend servers are still allowing plaintext logins, and all the proxy connections from the frontends are using plaintext. My frontends have allowplaintext:0.

I suppose I could try this in my test environment... Actually, it looks like my test environment has allowplaintext:0 everywhere, and connections from the frontends use PLAIN+TLS. Now I just need to put this in place in my production environment too!

Andy
Re: allowplaintext: no and aggregates
On 12/06/13 14:04 -0500, sofkam wrote:

> We are running a murder aggregate:
>
> Front-end db
> Three front-end servers
> One back end server
>
> Starting next year we are no longer permitting unencrypted connections (long time coming). Our supported authentication mechanisms are:
>
> sasl_mech_list: PLAIN LOGIN
>
> When I change allowplaintext to no, will the back-end and front-end servers be able to communicate with each other? Or, do I need to add an additional non-plain authentication mechanism? Will the db-server require plain-text logins?

Enabling TLS should allow plaintext logins even where allowplaintext is set to no.

You could also enable sasldb or another auxprop plugin, use a shared secret mechanism such as digest-md5, for your server to server communications. However, if you enable a shared secret mechanism on a frontend server, or a backend server (if you allow clients to connect directly to one), you will likely see authentication failures from clients attempting digest-md5 auth, unless those users exist within your auxprop database.

--
Dan White
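
The interaction discussed in this thread, as an added example (not code from any of the posters or from the Cyrus project): a small checker that reads one server's imapd.conf text and reports which login paths remain once allowplaintext is off. The function names and sample configs are constructed for illustration; treating an unset allowplaintext as off, and looking for a certificate under tls_cert_file or tls_server_cert, are assumptions that depend on the installed Cyrus release.

```python
import re

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}   # mechanisms that send the password itself
# Certificate option name varies by Cyrus release (assumption: one of these).
TLS_CERT_OPTIONS = ("tls_cert_file", "tls_server_cert")
TRUE_VALUES = {"1", "yes", "on", "true", "t"}


def parse_imapd_conf(text):
    """Return {option: value} from 'option: value' lines; comments are skipped."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.-]+)\s*:\s*(.*?)\s*$", line)
        if m and not line.lstrip().startswith("#"):
            conf[m.group(1).lower()] = m.group(2)
    return conf


def audit(text):
    """Classify the login paths one server offers to clients and proxies."""
    conf = parse_imapd_conf(text)
    # Assumption: an unset allowplaintext is treated as off; check your release.
    plaintext_ok = conf.get("allowplaintext", "").lower() in TRUE_VALUES
    mechs = set(conf.get("sasl_mech_list", "").upper().split())
    tls = any(conf.get(o, "disabled").lower() not in ("", "disabled")
              for o in TLS_CERT_OPTIONS)
    findings = []
    if plaintext_ok and mechs & PLAINTEXT_MECHS:
        findings.append("cleartext: PLAIN/LOGIN accepted without TLS")
    if not plaintext_ok and mechs and mechs <= PLAINTEXT_MECHS:
        findings.append("plain-over-tls: logins work only after TLS" if tls
                        else "lockout: only PLAIN/LOGIN offered, no TLS certificate set")
    if mechs - PLAINTEXT_MECHS:
        findings.append("shared-secret: %s users must exist in the auxprop database"
                        % ",".join(sorted(mechs - PLAINTEXT_MECHS)))
    return findings


# Constructed sample configurations (not taken from any poster's servers).
FRONTEND_NO_TLS = "allowplaintext: no\nsasl_mech_list: PLAIN LOGIN\n"
FRONTEND_TLS = ("# frontend\nallowplaintext:0\nsasl_mech_list: PLAIN LOGIN\n"
                "tls_cert_file: /etc/ssl/example/imapd.pem\n")
BACKEND_LEGACY = "allowplaintext: yes\nsasl_mech_list: PLAIN LOGIN DIGEST-MD5\n"

if __name__ == "__main__":
    for name in ("FRONTEND_NO_TLS", "FRONTEND_TLS", "BACKEND_LEGACY"):
        print(name, audit(globals()[name]))
```

Run it against each frontend, backend and mupdate server config before flipping allowplaintext, since a proxy connection between servers is subject to the same checks as a client login.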