[horde] Refuse users without mailbox
Patrick Boutilier
boutilpj at ednet.ns.ca
Mon Mar 10 17:23:46 UTC 2008
Brandon Ramirez wrote:
> I have to disagree with this configuration conceptually. At the end of
> the day, you are trying to use the same identity/authentication store
> (you're using PAM, so presumably your authentication store is your UNIX
> passwd and shadow files or similar) to manage two different sets of
> users who should be tracked separately.
We use Cyrus with PAM authentication (pam_mysql) so authentication is in
a MySQL database.
>
> The real problem is that your two user sets (FTP users and IMAP) are not
> one and the same, but they are thrown together into one big superset.
> Cyrus IMAP isn't failing to authenticate. IMAP is only failing because
> users don't have a mailbox, NOT because the user doesn't exist. Cyrus is
> not doing what you really want, it merely works as a hack. Actually,
> it's somewhat of a security threat because an attacker can brute force
> your IMAP server to determine FTP users.
>
> So to solve your problem, you need to separate out IMAP users from FTP
> users, or extend your schema to have a way of describing each user's
> role in a way that Horde, IMAP, and your FTP server can understand. My
> suggestion is to implement groups. Create a group for FTP users and a
> group for IMAP users. Put each user in the appropriate group(s) and
> then restrict your FTP and IMAP servers to only allow users from their
> respective group.
We do this by having a field called email_enabled which is set to 1 if
the user is to have a Cyrus account and 0 if the user is only used to
authenticate against other services (FTP is not one of them). I was just
showing Michael that Cyrus will authenticate without a valid mailbox.
>
> Since Horde will authenticate using IMP and through there against your
> IMAP server, if Cyrus is refusing to authenticate users who are not part
> of the IMAP group, then they won't be able to log in to Horde either.
>
> I hope that helps.
>
> - Brandon
>
> On Mon, Mar 10, 2008 at 9:28 AM, Patrick Boutilier <boutilpj at ednet.ns.ca> wrote:
>
> Michael Menge wrote:
> >
> > Quoting Paul van der Vlis <paul at vandervlis.nl>:
> >
> >>
> >
> >> Realize that Cyrus IMAP does not create mailboxes automatically.
> > Which version do you use? You can create them with autocreate on
> > firstlogin.
>
> He doesn't want those users to have mailboxes.
>
> >
> >> So you can have users with correct authentication but without mailbox.
> >> I would like to refuse such users.
> >>
> > How do you authenticate your users in Horde? Cyrus refuses users without
> > INBOX if you don't use the autocreate feature.
>
> Not true. We use Cyrus with PAM authentication (pam_mysql). As long as
> PAM returns true for the authentication data provided Cyrus will
> authenticate the user. Notice how authentication is successful but INBOX
> does not exist?
>
> [root at student dist]# telnet localhost 143
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN
> SASL-IR] student.ednet.ns.ca Cyrus
> IMAP4 v2.3.11 server ready
> . login usa xxxxxxxxxxxxx
> . OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED ACL
> RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME
> UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE
> IDLE URLAUTH] User logged in
> . SELECT INBOX
> . NO Mailbox does not exist
> . logout
> * BYE LOGOUT received
> . OK Completed
> Connection closed by foreign host.
>
>
> >
> >
> --------------------------------------------------------------------------------
> >
> > M.Menge Tel.: (49) 7071/29-70316
> > Universitaet Tuebingen Fax.: (49) 7071/29-5912
> > Zentrum fuer Datenverarbeitung mail:
> > michael.menge at zdv.uni-tuebingen.de
> > Waechterstrasse 76
> > 72074 Tuebingen
> >
>
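A small audit for the situation Patrick demonstrated above: accounts that pass Cyrus's PAM authentication but have no INBOX. This is an added example, not code from the thread; it assumes a reachable Cyrus server offering STARTTLS, credentials taken from the same store PAM consults, and the response strings seen in the pasted telnet session.

```python
"""Classify IMAP accounts as: auth-failed, mailbox-ok, or auth-ok-no-mailbox."""
import imaplib
import ssl

# Cyrus's SELECT failure text, as shown in the telnet transcript in the thread.
NO_MAILBOX = b"Mailbox does not exist"


def classify(login_typ, select_typ, select_data):
    """Map LOGIN and SELECT INBOX outcomes to an audit verdict.

    login_typ / select_typ are imaplib status strings ('OK' or 'NO');
    select_data is the list of response lines imaplib returns for SELECT.
    """
    if login_typ != "OK":
        return "auth-failed"              # PAM rejected the credentials
    if select_typ == "OK":
        return "mailbox-ok"               # a real Cyrus user with an INBOX
    text = b" ".join(d for d in select_data if isinstance(d, bytes))
    if NO_MAILBOX in text:
        return "auth-ok-no-mailbox"       # authenticates, but has no mailbox
    return "select-failed"                # some other refusal, e.g. an ACL


def probe(host, user, password, port=143):
    """Log in as one account over STARTTLS and report its verdict.

    Hypothetical helper: host/port/user/password are supplied by the auditor.
    """
    conn = imaplib.IMAP4(host, port)
    try:
        conn.starttls(ssl.create_default_context())
        try:
            login_typ, _ = conn.login(user, password)   # raises on NO
        except imaplib.IMAP4.error:
            return "auth-failed"
        select_typ, data = conn.select("INBOX")         # returns NO, not raise
        return classify(login_typ, select_typ, data)
    finally:
        conn.logout()


def audit(host, accounts):
    """Return {user: verdict} for an iterable of (user, password) pairs."""
    return {user: probe(host, user, pw) for user, pw in accounts}
```

Accounts reported as auth-ok-no-mailbox are the ones Brandon's objection applies to; the fix on the PAM side is to let the IMAP service's authentication query match only rows with email_enabled = 1.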