[horde] Refuse users without mailbox
Paul van der Vlis
paul at vandervlis.nl
Tue Mar 11 13:55:56 UTC 2008
Brandon Ramirez wrote:
> I have to disagree with this configuration conceptually. At the end of the
> day, you are trying to use the same identity/authentication store (you're
> using PAM, so presumably your authentication store is your UNIX passwd and
> shadow files or similar) to manage two different sets of users who should
> be tracked separately.
>
> The real problem is that your two user sets (FTP users and IMAP) are not one
> and the same, but they are thrown together into one big superset. Cyrus IMAP
> isn't failing to authenticate. IMAP is only failing because users don't
> have a mailbox, NOT because the user doesn't exist. Cyrus is not doing what
> you really want, it merely works as a hack. Actually, it's somewhat of a
> security threat because an attacker can brute force your IMAP server to
> determine FTP users.
>
> So to solve your problem, you need to separate out IMAP users from FTP
> users, or extend your schema to have a way of describing each user's role in
> a way that Horde, IMAP, and your FTP server can understand. My suggestion
> is to implement groups. Create a group for FTP users and a group for IMAP
> users. Put each user in the appropriate group(s) and then restrict your FTP
> and IMAP servers to only allow users from their respective group.
Nice idea, but how can I do that? With PAM maybe?
Maybe this is more a question for the Cyrus mailing list...
With regards,
Paul van der Vlis.
--
http://www.vandervlis.nl/
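One way to apply Brandon's group-based restriction through PAM, as an added example that is not part of this thread (the group names imapusers and ftpusers, the PAM service names imap and ftp, and the use of Linux-PAM's pam_succeed_if module are assumptions; Cyrus via saslauthd -a pam normally asks for the service name the daemon passes, and each FTP server has its own default, so check the names your daemons actually request):

```text
# /etc/pam.d/imap   -- assumed service name used by saslauthd for Cyrus imapd
# Membership in the (assumed) imapusers group is checked in both the auth and
# account stacks.  "required" rather than "requisite" keeps pam_unix running
# even when the group check fails, so a non-member and a wrong password both
# produce the same plain failure and the IMAP service no longer reveals which
# FTP-only accounts exist.
auth     required   pam_succeed_if.so quiet user ingroup imapusers
auth     required   pam_unix.so
account  required   pam_succeed_if.so quiet user ingroup imapusers
account  required   pam_unix.so

# /etc/pam.d/ftp    -- assumed service name; vsftpd and proftpd use their own
auth     required   pam_succeed_if.so quiet user ingroup ftpusers
auth     required   pam_unix.so
account  required   pam_succeed_if.so quiet user ingroup ftpusers
account  required   pam_unix.so
```

The groups themselves are ordinary system groups (groupadd imapusers; usermod -aG imapusers alice), so a user who needs both services is simply a member of both. Keep the group check in the account stack as well as auth: a daemon that authenticates by another path but still calls pam_acct_mgmt is then refused too, and an account that exists only for FTP never gets as far as a mailbox lookup in Cyrus.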