[horde] Refuse users without mailbox

Brandon Ramirez brandon.s.ramirez at gmail.com
Mon Mar 10 16:20:13 UTC 2008


I have to disagree with this configuration conceptually.  At the end of the
day, you are trying to use the same identity/authentication store (you're
using PAM, so presumably your authentication store is your UNIX passwd and
shadow files or similar) to manage two different sets of users who should
be tracked separately.

The real problem is that your two user sets (FTP users and IMAP) are not one
and the same, but they are thrown together into one big superset.  Cyrus IMAP
isn't failing to authenticate.  IMAP is only failing because users don't
have a mailbox, NOT because the user doesn't exist. Cyrus is not doing what
you really want; it merely works as a hack.  Actually, it's somewhat of a
security threat because an attacker can brute force your IMAP server to
determine FTP users.

So to solve your problem, you need to separate out IMAP users from FTP
users, or extend your schema to have a way of describing each user's role in
a way that Horde, IMAP, and your FTP server can understand.  My suggestion
is to implement groups.  Create a group for FTP users and a group for IMAP
users.  Put each user in the appropriate group(s) and then restrict your FTP
and IMAP servers to only allow users from their respective group.

Since Horde will authenticate using IMP and through there against your IMAP
server, if Cyrus is refusing to authenticate users who are not part of the
IMAP group, then they won't be able to log in to Horde either.

I hope that helps.

- Brandon

On Mon, Mar 10, 2008 at 9:28 AM, Patrick Boutilier <boutilpj at ednet.ns.ca>
wrote:

> Michael Menge wrote:
> >
> > Quoting Paul van der Vlis <paul at vandervlis.nl>:
> >
> >>
> >
> >> Realize that Cyrus IMAP does not create mailboxes automatically.
> > Which version do you use? You can create them with autocreate on
> > firstlogin.
>
> He doesn't want those users to have mailboxes.
>
> >
> >> So you can have users with correct authentication but without mailbox.
> >> I would like to refuse such users.
> >>
> > How do you authenticate your users in Horde? Cyrus refuses users without
> > INBOX if you don't use the autocreate feature.
>
> Not true. We use Cyrus with PAM authentication (pam_mysql). As long as
> PAM returns true for the authentication data provided Cyrus will
> authenticate the user. Notice how authentication is successful but INBOX
> does not exist?
>
> [root at student dist]# telnet localhost 143
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN
> SASL-IR] student.ednet.ns.ca Cyrus IMAP4 v2.3.11 server ready
> . login usa xxxxxxxxxxxxx
> . OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED ACL
> RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME
> UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE
> IDLE URLAUTH] User logged in
> . SELECT INBOX
> . NO Mailbox does not exist
> . logout
> * BYE LOGOUT received
> . OK Completed
> Connection closed by foreign host.
>
>
> >
> >
> --------------------------------------------------------------------------------
> >
> > M.Menge                                 Tel.: (49) 7071/29-70316
> > Universitaet Tuebingen                  Fax.: (49) 7071/29-5912
> > Zentrum fuer Datenverarbeitung          mail:
> > michael.menge at zdv.uni-tuebingen.de
> > Waechterstrasse 76
> > 72074 Tuebingen
> >
>
>
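
The condition shown in the quoted telnet session (LOGIN succeeds, then SELECT INBOX fails) can be expressed as an explicit check. The following is an added example, not code from any poster in this thread or from Horde or Cyrus; the function names and the sample transcript are constructed, using the command tag `.` as in the session above.

```python
import re

# Constructed sample, modelled on the session quoted above (tag "."; the
# account name and host are made up). The LOGIN reply wraps onto two lines.
NO_MAILBOX = """\
* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] imap.example.test server ready
. login ftponly xxxxxxxx
. OK [CAPABILITY IMAP4rev1 ACL QUOTA
IDLE] User logged in
. SELECT INBOX
. NO Mailbox does not exist
. logout
* BYE LOGOUT received
. OK Completed
"""

# A tagged line that starts with OK/NO/BAD is the server's completion result;
# any other tagged line is a client command (NOOP does not match: \b).
COMPLETION = re.compile(r"(OK|NO|BAD)\b", re.I)

def completions(transcript, tag="."):
    """Yield (verb, args, status) for every tagged command in a transcript."""
    pending = None
    for line in transcript.splitlines():
        if not line.startswith(tag + " "):
            continue  # untagged "*" data or a wrapped continuation line
        rest = line[len(tag) + 1:].strip()
        m = COMPLETION.match(rest)
        if m and pending:
            yield pending[0], pending[1], m.group(1).upper()
            pending = None
        elif not m:
            verb, _, args = rest.partition(" ")
            pending = (verb.upper(), args.strip())

def classify(transcript, tag="."):
    """Return 'rejected', 'no_mailbox', 'mailbox' or 'unknown'."""
    logged_in = False
    for verb, args, status in completions(transcript, tag):
        if verb == "LOGIN":
            if status != "OK":
                return "rejected"
            logged_in = True
        elif verb == "SELECT" and logged_in and args.strip('"').upper() == "INBOX":
            return "mailbox" if status == "OK" else "no_mailbox"
    return "unknown"
```

A front end that wants to refuse users without a mailbox would admit only sessions classified `mailbox`; `no_mailbox` marks accounts that authenticate through the shared store without being mail users.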

