Re: Using user_deny.db
On 09/19/2017 11:31 AM, Michael Sofka wrote: On 09/19/2017 10:28 AM, Ken Murchison wrote: I believe that is it prior to authentication, based on my notes: https://lists.andrew.cmu.edu/pipermail/info-cyrus/2010-June/033119.html user_deny.db is NOT checked prior to completion of LOGIN authentication, although it probably could/should. It works for POP3 USER/PASS because user_deny.db is checked in the command processing loop, so it happens between the USER and PASS commands. Oh well. I agree that it would be a useful check before login authentication takes place. There IS a check during the SASL proxy policy callback, but that isn't used for protocol-specific plaintext authentication commands. I just tested a quick patch which moved the check into the user canonicalization callback (which IS used my IMAP LOGIN, etc) and it works as expected. I would need to do further testing to make sure there aren't any unintended consequences. Meanwhile, any more comprehensive examples or documentation? https://www.cyrusimap.org/imap/concepts/deployment/databases.html#user-access-user-deny-db -- Kenneth Murchison Cyrus Development Team FastMail Pty Ltd Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: Using user_deny.db
On 09/19/2017 10:28 AM, Ken Murchison wrote: I believe that is it prior to authentication, based on my notes: https://lists.andrew.cmu.edu/pipermail/info-cyrus/2010-June/033119.html user_deny.db is NOT checked prior to completion of LOGIN authentication, although it probably could/should. It works for POP3 USER/PASS because user_deny.db is checked in the command processing loop, so it happens between the USER and PASS commands. Oh well. I agree that it would be a useful check before login authentication takes place. Meanwhile, any more comprehensive examples or documentation? Thank You, Mike -- Michael D. Sofka sof...@rpi.edu ITI Sr. Systems Programmer, Email, TeX, Epistemology Rensselaer Polytechnic Institute, Troy, NY. http://www.rpi.edu/~sofkam/ Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: Using user_deny.db
On 09/19/2017 10:17 AM, Dan White wrote: On 09/19/17 10:02 -0400, Michael Sofka wrote: We have many recalcitrant, bad, accounts constantly checking IMAP, long after the student has graduated. I would like to use user_deny.db to simply tell them to go away. First, would this offer an advantage? That is, does "login" check user_deny.db before authenticating, or after? I believe that is it prior to authentication, based on my notes: https://lists.andrew.cmu.edu/pipermail/info-cyrus/2010-June/033119.html user_deny.db is NOT checked prior to completion of LOGIN authentication, although it probably could/should. It works for POP3 USER/PASS because user_deny.db is checked in the command processing loop, so it happens between the USER and PASS commands. Second, any examples of how to use cyr_dbtool (or other tool) to put entries into user_deny.db? Finally, my reading of the documentation (2.4.17/18) is that user_deny.db is a flat file by default, so I will need to set userdeny_db to something like skiplist, or berkeley, etc. Any suggestions on a good choice assuming the list could grow to a few thousand? Any documentation on the sql option? -- Kenneth Murchison Cyrus Development Team FastMail Pty Ltd Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: Using user_deny.db
On 09/19/17 10:02 -0400, Michael Sofka wrote: We have many recalcitrant, bad, accounts constantly checking IMAP, long after the student has graduated. I would like to use user_deny.db to simply tell them to go away. First, would this offer an advantage? That is, does "login" check user_deny.db before authenticating, or after? I believe that is it prior to authentication, based on my notes: https://lists.andrew.cmu.edu/pipermail/info-cyrus/2010-June/033119.html Second, any examples of how to use cyr_dbtool (or other tool) to put entries into user_deny.db? Finally, my reading of the documentation (2.4.17/18) is that user_deny.db is a flat file by default, so I will need to set userdeny_db to something like skiplist, or berkeley, etc. Any suggestions on a good choice assuming the list could grow to a few thousand? Any documentation on the sql option? -- Dan White Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Using user_deny.db
We have many recalcitrant, bad, accounts constantly checking IMAP, long after the student has graduated. I would like to use user_deny.db to simply tell them to go away. First, would this offer an advantage? That is, does "login" check user_deny.db before authenticating, or after? Second, any examples of how to use cyr_dbtool (or other tool) to put entries into user_deny.db? Finally, my reading of the documentation (2.4.17/18) is that user_deny.db is a flat file by default, so I will need to set userdeny_db to something like skiplist, or berkeley, etc. Any suggestions on a good choice assuming the list could grow to a few thousand? Any documentation on the sql option? Thank You, Mike -- Michael D. Sofka sof...@rpi.edu ITI Sr. Systems Programmer, Email, TeX, Epistemology Rensselaer Polytechnic Institute, Troy, NY. http://www.rpi.edu/~sofkam/ Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus