[imp] feature request - multiple domains

Rich Lafferty rich@horde.org
Tue, 20 Mar 2001 20:53:18 -0500

Previous message: feature request - multiple domains
Next message: [imp] feature request - multiple domains
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Mar 20, 2001 at 07:39:03PM -0600, tdavis@birddog.com (tdavis@birddog.com) wrote:
> 
> Now, have imp know the referring URL such as mail.ms.com and put that domain as 
> the only domain they can login to. 

No, you can never ever ever ever ever trust the HTTP REFERER [sic].
That's just coming from the browser. You're *still* letting the user
do whatever they want.

> The reason for this: IF you have a bunch of domains on a single box,
> any user can login to any domain because they are a valid user on
> that box and the auth mechanism doesn't know which domain they are
> supposed to be logging into.

Your auth mechanism is broken. Luckily, IMP isn't tied to any
particular auth mechanism, so you just need to make your imapd
authenticate based on user@host, not just user.

  -Rich

-- 
------------------------------ Rich Lafferty ---------------------------
 Sysadmin/Programmer, Instructional and Information Technology Services
   Concordia University, Montreal, QC                 (514) 848-7625
------------------------- rich@alcor.concordia.ca ----------------------

Previous message: feature request - multiple domains
Next message: [imp] feature request - multiple domains
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]