[horde] Refuse users without mailbox

Brandon Ramirez brandon.s.ramirez at gmail.com
Tue Mar 11 15:18:29 UTC 2008


I did a quick Google search for "requiring group membership PAM" and the
first result is below:

http://dev.splitbrain.org/view/darcs/pam-require/README

There is some example configuration for doing exactly what I suggested:

account    required   pam_require.so @dialin


That will require that a user be a member of the 'dial-in' group for
authentication to succeed.  This line goes in the PAM service file for your
IMAP and FTP servers.  You probably want a better name than dial-in though
:)

Since PAM is an abstraction layer for authentication, you need to define the
groups in your UNIX passwd/group files (or LDAP, NIS, etc.).

- Brandon
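The following is an added illustration, not part of Brandon's or Paul's messages and not code from the pam-require project. It shows what the group-based split looks like end to end: two UNIX groups (the names 'imapusers' and 'ftpusers' are chosen here), a membership check over a constructed /etc/group sample that mirrors what pam_require.so decides, and the generated PAM service files for the IMAP and FTP services with the pam_require line in the account stack. The pam_unix.so lines are the usual password check and are assumed to already be in the service files.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes pam_require.so as described at
# http://dev.splitbrain.org/view/darcs/pam-require/README and the group names
# imapusers / ftpusers chosen for this illustration.

# Constructed sample of /etc/group content, used so the script runs offline.
# carol is in both groups, alice is IMAP-only, bob is FTP-only, dave is in neither.
SAMPLE_GROUP='root:x:0:
imapusers:x:1001:alice,carol
ftpusers:x:1002:bob,carol'

# in_group USER GROUP: exit 0 if USER is a listed member of GROUP in the sample
# data, 1 otherwise. This is the same decision pam_require.so makes for the
# account stack, except that it reads the real group database.
in_group() {
  printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v u="$1" -v g="$2" '
    $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
    END { exit found ? 0 : 1 }'
}

# pam_service_config SERVICE GROUP: print the PAM service file that refuses any
# account outside GROUP, after the normal pam_unix checks.
pam_service_config() {
  cat <<EOF
# /etc/pam.d/$1
auth       required   pam_unix.so
account    required   pam_unix.so
account    required   pam_require.so @$2
EOF
}

# Run directly: show who each service would accept, then the IMAP service file.
for u in alice bob carol dave; do
  for svc in imap:imapusers ftp:ftpusers; do
    if in_group "$u" "${svc#*:}"; then
      printf '%s: %s allowed\n' "${svc%%:*}" "$u"
    else
      printf '%s: %s refused\n' "${svc%%:*}" "$u"
    fi
  done
done
pam_service_config imap imapusers
```

With this in place an account that exists only for FTP is refused by the IMAP account stack itself, so the refusal no longer depends on whether Cyrus finds a mailbox, and probing IMAP no longer tells an outsider which logins are FTP accounts. The group assignment, not the presence of a mailbox, is the record of each user's role.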

On Tue, Mar 11, 2008 at 9:55 AM, Paul van der Vlis <paul at vandervlis.nl>
wrote:

> Brandon Ramirez schreef:
> > I have to disagree with this configuration conceptually.  At the end of
> > the day, you are trying to use the same identity/authentication store
> > (you're using PAM, so presumably your authentication store is your UNIX
> > passwd and shadow files or similar) to manage two different sets of users
> > who should be tracked separately.
> >
> > The real problem is that your two user sets (FTP users and IMAP) are not
> > one and the same, but they are thrown together into one big superset.
> > Cyrus IMAP isn't failing to authenticate.  IMAP is only failing because
> > users don't have a mailbox, NOT because the user doesn't exist. Cyrus is
> > not doing what you really want, it merely works as a hack.  Actually,
> > it's somewhat of a security threat because an attacker can brute force
> > your IMAP server to determine FTP users.
> >
> > So to solve your problem, you need to separate out IMAP users from FTP
> > users, or extend your schema to have a way of describing each user's
> > role in a way that Horde, IMAP, and your FTP server can understand.  My
> > suggestion is to implement groups.  Create a group for FTP users and a
> > group for IMAP users.  Put each user in the appropriate group(s) and then
> > restrict your FTP and IMAP servers to only allow users from their
> > respective group.
>
> Nice idea, but how can I do that?  With PAM maybe?
>
> Maybe this is more a question for the Cyrus mailing list...
>
> With regards,
> Paul van der Vlis.
>
> --
> http://www.vandervlis.nl/
>

