On 3/16/21 10:02 AM, Michael Menge wrote:
Quoting Neil Price <[email protected]>:

On 16/03/2021 2:35 pm, Nic Bernstein wrote:
So if I use this command I will connect to my own Inbox as the Admin user:

   imtest -a admin -u nic imap.example.com

I gather there is no way of doing this from a generic client?

It can be done by other clients, but the SASL auth mech must support it.
e.g. PLAIN does support proxy authentication, but LOGIN does not.
For a list of features see
https://www.sendmail.org/~ca/email/cyrus2/mechanisms.html

For example you could use telnet / openssl s_client

You only have to base64 encode 'authzid\0authcid0\0passwd'


imapsync seems to have some way of doing it, but perhaps it detects and uses Cyrus-specific code.

It is (Cyrus)SASL specific not Cyrus-IMAP,
but AFAIK Gnu- and Dovecot-SASL do also support it. ;-)

Just to be clear, the ability to authenticate as one user but authorize as another is specific to the mechanism in use (as also explained in the 'imtest' manpage I referenced).  However, if the purpose for an admin accessing another user's mailbox is to manipulate the messages or folders, then such split identity is not required.  Any user with sufficient ACLs may SELECT another user's folders and do whatever their ACLs allow.  This is not specific to Cyrus or any other server, as long as the server supports relevant RFCs.

Cheers,
    -nic

--
Nic Bernstein                               [email protected]
https://www.nicbernstein.com
https://www.linkedin.com/in/nic-b-26577a178/
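
An added example, not part of the original thread: the SASL PLAIN message discussed above, built and decoded per RFC 4616 (authzid NUL authcid NUL passwd), with a check that reports when the authorization identity differs from the authenticating one. The function names and the password are constructed for illustration; `admin` and `nic` are the names used in the `imtest` command.

```python
import base64


def encode_plain(authcid, password, authzid=""):
    """Return the base64 initial response for AUTHENTICATE PLAIN (RFC 4616)."""
    for field in (authzid, authcid, password):
        if "\0" in field:
            raise ValueError("NUL is the field separator and cannot appear in a field")
    if not authcid or not password:
        raise ValueError("authcid and passwd must be non-empty")
    raw = "\0".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(blob):
    """Decode a PLAIN response for auditing; the password is not returned."""
    raw = base64.b64decode(blob, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("expected exactly three NUL-separated fields")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("authcid and passwd must be non-empty")
    return {
        "authzid": authzid,   # identity to act as (may be empty)
        "authcid": authcid,   # identity whose credentials are checked
        # Proxy authorization: a non-empty authzid that differs from authcid.
        "proxy": bool(authzid) and authzid != authcid,
    }


if __name__ == "__main__":
    # Constructed sample: admin authenticates, nic is the mailbox owner.
    blob = encode_plain("admin", "s3cret", authzid="nic")
    print(blob)
    print(decode_plain(blob))
    # Same user with no authzid: not a proxy login.
    print(decode_plain(encode_plain("nic", "s3cret")))
```
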


------------------------------------------
Cyrus: Info
Permalink: https://cyrus.topicbox.com/groups/info/T855cd3af79064722-M96b6dc6cc09b6559736c4f20