Re: [Dovecot] user login on behalf of another user

2012-02-07 Thread rog7993

Hello,

On 06.02.2012 16:05, Timo Sirainen wrote:

> Master user doesn't necessarily have access to all users' mailboxes.
> In the passdb lookup you can decide if this master user is allowed to
> be this destination user. For example if you used passdb
> checkpassword, you could look at USER and MASTER_USER environment
> variables to figure out if this combination should be allowed or not.
> The checkpassword script can also do the actual authentication via
> PAM (I'd think there's a way to call it somehow).



Thank you. I got an idea of how I could configure this.

Ingo


Re: [Dovecot] user login on behalf of another user

2012-02-06 Thread Timo Sirainen
On 5.2.2012, at 18.53, rog7...@web.de wrote:

> We are searching for a possibility to configure a user login on behalf of
> another user with a PAM backend. This is reminiscent of the behavior of a
> master user. But a master user can access the mailboxes of all users. We
> need this more restricted.

Master user doesn't necessarily have access to all users' mailboxes. In the 
passdb lookup you can decide if this master user is allowed to be this 
destination user. For example if you used passdb checkpassword, you could look 
at USER and MASTER_USER environment variables to figure out if this combination 
should be allowed or not. The checkpassword script can also do the actual 
authentication via PAM (I'd think there's a way to call it somehow).
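
The check described in this reply, sketched as an added example (not code from the thread or from Dovecot). It assumes USER holds the destination user and MASTER_USER the authenticating master user, as the reply describes; the policy table, the function names and the `deny_all` hook are hypothetical, and the password check is passed in as a callable so that PAM or any other backend can be plugged in.

```python
#!/usr/bin/env python3
import os
import sys

# Constructed sample policy: destination mailbox -> master users allowed to act as it.
ALLOWED_MASTERS = {"info": {"user1", "user2"}}

def parse_fd3(data: bytes):
    """Split the 'login\\0password\\0timestamp\\0' record checkpassword reads from fd 3."""
    fields = data.split(b"\0")
    if len(fields) < 3 or not fields[0]:
        raise ValueError("malformed checkpassword input")
    return fields[0].decode("utf-8"), fields[1].decode("utf-8")

def master_allowed(env, policy=ALLOWED_MASTERS):
    """True only if MASTER_USER is listed for USER; anything missing means deny."""
    user, master = env.get("USER"), env.get("MASTER_USER")
    if not user or not master:
        return False
    return master in policy.get(user, set())

def decide(env, fd3_data, verify, policy=ALLOWED_MASTERS):
    """Return a checkpassword exit status: 0 accept, 1 reject, 2 malformed input."""
    try:
        login, password = parse_fd3(fd3_data)
    except (ValueError, UnicodeDecodeError):
        return 2
    if not master_allowed(env, policy):
        return 1  # combination not permitted: reject before touching the password
    return 0 if verify(login, password) else 1

def deny_all(login, password):
    """Hypothetical hook: replace with the real password check (for example PAM)."""
    return False

if __name__ == "__main__":
    with os.fdopen(3, "rb") as fd3:
        status = decide(os.environ, fd3.read(512), deny_all)
    if status != 0:
        sys.exit(status)
    # On success, a checkpassword program runs the program named in its arguments.
    os.execvp(sys.argv[1], sys.argv[1:])
```

The policy is default-deny: a destination user with no entry in the table cannot be opened by any master user, and the password is never evaluated for a combination that is not permitted.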



Re: [Dovecot] user login on behalf of another user

2012-02-05 Thread Sven Hartge
rog7...@web.de wrote:

> User user1 and user2 shall get access to the mailbox info. We
> define the accounts info~user1 and info~user2 with the same home
> directory as info.

Isn't this the kind of scenario shared folders were made for?


Regards,
Sven.

-- 
Sigmentation fault. Core dumped.



Re: [Dovecot] user login on behalf of another user

2012-02-05 Thread Benny Pedersen

On 2012-02-05 17:53, rog7...@web.de wrote:


> Surely the preferable alternative would be the use of ACLs to give
> access to other users' mailboxes. But we started this setup with
> Dovecot 1.0 or 1.1. And with these versions, ACLs weren't available.
> And now we have too many accounts and clients, which are configured
> this way and can't change this for the short term.


Security-wise I would also do this. I had bots trying the whole day here
to find weak passwords, to at least find one login that works. If ACLs are
used, only one password is found and the other user does not need to
change his password, only the ACL, or ask the other user to change
his password. It's still possible that both users are the same user. IMHO it
has no point if it's PAM users or not.


Re: [Dovecot] user login on behalf of another user

2012-02-05 Thread rog7993

On 05.02.2012 18:14, Sven Hartge wrote:

> Isn't this the kind of scenario shared folders were made for?


Yes, of course. Although I didn't call it shared folders in my
original post, I had this in mind when I wrote that ACLs would be the
better solution. But for historical reasons we are already in the
situation of having this kind of account. And I don't want to reconfigure
about 100 clients now. This would need more time than I want to spend now.


Ingo