[horde] Authorisation and virtual mail users

Steffen skhorde at smail.inf.fh-bonn-rhein-sieg.de
Fri Feb 20 07:35:07 UTC 2015

On Fri, 20 Feb 2015, Jānis wrote:
> Citēts Michael J Rubinsky <mrubinsk at horde.org>
> Thu, 19 Feb 2015 16:13:22 -0500:
>> Quoting Jānis <je at ktf.rtu.lv>:
>>> there is the linux system with real users but for some considerations 
>>> unknown to me it is of utmost importance to use virtual accounts for 
>>> e-mails (postfix/dovecot/postfix-admin/mysql).
>>> Currently evrth works, but the logging in twice is necessary - first - for 
>>> the Horde framework, except Imp, using sys user credentials and the second 
>>> - using virtual email address if one is going to read/send e-mails.
>>> Sys users can not be virtualized because they have huge personal homes 
>>> there
>>> Is it possible to achieve single authorization for such strange system?
>> If I understand your question correctly, it sounds like you are using the 
>> wrong authentication backend. You should use Application/IMP 
>> authentication, have the users login using the virtual account credentials, 
>> and make sure you set "hordeauth" to true in imp/config/backends.local.php.
> So the Horde users will be 100% virtual and, for example, task list will 
> belong to the virtual user at domain, not the user with sys account?
> What will happen if such "beast" would want to use ssh2 backend for Gollem in 
> order to access files on the system under his _system_ account? I think this 
> calls for the second authentification anyway, doesn't it?

yes. However you have some options:

1) have your IMAP & SMTP server honor the system user passwords in 
conjunctions with the ones of the virtual accounts. With Dovecot you can 
change the username in passdb{} queries to make that happen via 

So the users log into Webmail with the system user, which password will 
work with gollem. Pure virtual users will be prompted for a password in 

2) have Horde access to a clear-text password for the user or whatsoever, 
you can pass to the SSH server in Gollem. You could configure the SSH 
server to not require the original user password, but some other - 
internal - one.


More information about the horde mailing list