On 3/16/21 10:08 AM, Nic Bernstein wrote:
On 3/16/21 10:02 AM, Michael Menge wrote:
Quoting Neil Price <[email protected]>:
On 16/03/2021 2:35 pm, Nic Bernstein wrote:
So if I use this command I will connect to my own Inbox as the
Admin user:
imtest -a admin -u nic imap.example.com
I gather there is no way of doing this from a generic client?
It can be done by other clients, but the SASL auth mech must support it.
e.g. PLAIN does support proxy authentication, but LOGIN does not.
For a list of features see
https://www.sendmail.org/~ca/email/cyrus2/mechanisms.html
For example you could use telnet / openssl s_client
You only have to base64 encode 'authzid\0authcid\0passwd'
imapsync seems to have some way of doing it but perhaps it detects
and uses cyrus specific code.
It is (Cyrus-)SASL specific, not Cyrus-IMAP,
but AFAIK GNU and Dovecot SASL do also support it. ;-)
Just to be clear, the ability to authenticate as one user but
authorize as another is specific to the mechanism in use (as also
explained in the 'imtest' manpage I referenced). However, if the
purpose for an admin accessing another user's mailbox is to manipulate
the messages or folders, then such split identity is not required.
Any user with sufficient ACLs may SELECT another user's folders and do
whatever their ACLs allow. This is not specific to Cyrus or any other
server, as long as the server supports relevant RFCs.
Cheers,
-nic
Oh, and to reply to my own messages, I'll point out that the Cyrus
documentation specifically mentions that one should exercise caution if
logging in as admin. This is especially true with clients which present
abstracted views of the folder hierarchy, like Thunderbird, or which
tend to create "missing" folders, such as Drafts, Trash, Templates, etc.
This is because the admin user is not expected to be used as a typical
client, but only to manage other users, via 'cyradm' or other tools. If
one establishes an IMAP protocol connection as 'admin' with Thunderbird,
and creates the folder 'Yadda' then a new folder will be created which
is outside of the 'user/' prefix.
As is mentioned in the 'imapd.conf(5)' manpage:
Note that accounts used by users should not be administrators.
Administrative accounts should not receive mail. That is, if user
"jbRo" is a user reading mail, he should not also be in the admins
line. Some problems may occur otherwise, most notably the ability of
administrators to create top-level mailboxes visible to users, but
not writable by users.
Cheers,
-nic
--
Nic Bernstein [email protected]
https://www.nicbernstein.com
https://www.linkedin.com/in/nic-b-26577a178/
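The SASL PLAIN proxy-authentication format Michael Menge describes above (authzid NUL authcid NUL passwd, base64-encoded), as an added example that is not part of the thread: it builds the message an `imtest -a admin -u nic` style login would send and, from the server-log side, decodes such a message to tell a proxy login by an admin from the direct admin login Nic warns about. The user names, password and admins set are constructed sample values.

```python
import base64

def plain_initial_response(authcid: str, passwd: str, authzid: str = "") -> str:
    """Build the base64 SASL PLAIN message (RFC 4616): authzid NUL authcid NUL passwd.

    authcid is who proves the password (imtest -a), authzid is who we act as
    (imtest -u). An empty authzid means "act as authcid".
    """
    for field in (authzid, authcid, passwd):
        if "\x00" in field:
            # NUL is the field separator, so it can never appear inside a field.
            raise ValueError("NUL is not allowed inside a PLAIN field")
    raw = f"{authzid}\x00{authcid}\x00{passwd}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def parse_plain_initial_response(b64: str) -> dict:
    """Decode a PLAIN message and report the two identities it carries.

    The password is deliberately not returned; a log reviewer only needs
    to know who authenticated and on whose behalf.
    """
    raw = base64.b64decode(b64, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError(f"expected 3 NUL-separated fields, got {len(parts)}")
    authzid, authcid, _passwd = (p.decode("utf-8") for p in parts)
    return {
        "authzid": authzid,
        "authcid": authcid,
        # Proxy authorization only when a distinct authzid is requested.
        "proxy": bool(authzid) and authzid != authcid,
    }

def classify_login(b64: str, admins: set) -> str:
    """Classify a captured PLAIN login against the imapd.conf 'admins' list.

    'admin-direct-login' is the case the imapd.conf(5) note cautions against:
    an administrator account used like an ordinary mail client.
    """
    info = parse_plain_initial_response(b64)
    if info["authcid"] in admins:
        return "proxy-by-admin" if info["proxy"] else "admin-direct-login"
    return "proxy-by-user" if info["proxy"] else "user-login"

if __name__ == "__main__":
    # Constructed sample: admin authenticates, acts as user 'nic'.
    msg = plain_initial_response("admin", "s3cret-example", authzid="nic")
    print(msg, parse_plain_initial_response(msg), classify_login(msg, {"admin"}))
```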