Hi,
> What about the usual restriction that only LMTP admins (i.e. in admins or
> lmtp_admins on imapd.conf) can authorize against LMTP?

Whenever I have an LMTP connection, the authentication data used to
establish the connection is no longer used; everything that counts in
what permissions I have is what I send as the AUTH argument to the MAIL
command. So in order to deliver an email, I need to send "AUTH=postman"
and I get post access to any mailbox where "postman" has post
permission. cyrdeliver can do that, but postfix cannot do that directly,
as their LMTP driver can only generate empty AUTH arguments. In my
opinion, it should be sufficient to have an authenticated LMTP
connection to have the authentication credentials used for
authorization. The patch still leaves the option of assuming other
identities by using the AUTH option (there is no checking), so it won't
break existing code, but it will make deliveries to shared mailboxes
work from a direct LMTP connection without the use of cyrdeliver.

I also believe there should be some kind of verification that the
authenticated user is actually authorized to assume the identity passed
as an AUTH option, but this might break existing code.

The fact that only (LMTP) admins can authorize against LMTP does not
help me because I still need to give "anyone" posting privilege for
incoming mailboxes, so any existing user will see ("l" perm required for
posting) all mailboxes on the system and even though he/she is not
authorized to look at the messages inside, he/she will be able to post
messages there. I'd like to lock down my ACLs as far as possible, and
this patch lets me do so without requiring me to invoke cyrdeliver to
perform deliveries to those mailboxes.

Simon
--
GPG Fingerprint: 040E B5F7 84F1 4FBC CEAD ADC6 18A0 CC8D 5706 A4B4
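
Added example, not part of the original message and not Cyrus code: a small model of the three authorization policies the message discusses (AUTH argument only, fallback to the authenticated identity, and the stricter verification it suggests). The ACLs, user names, the MAY_ASSUME table and the assumption that an empty AUTH leaves only "anyone" rights are all constructed for illustration.

```python
import re

# Constructed ACLs: mailbox -> {identity: rights}; "p" is the post right.
ACLS = {
    "shared.incoming": {"postman": "lp"},
    "user.alice": {"alice": "lrswipkxte", "anyone": "p"},
}
# Hypothetical table for the stricter check: who may assume which identity.
MAY_ASSUME = {("cyrdeliver-svc", "postman")}


def parse_mail_auth(mail_line):
    """Return the AUTH= value of a MAIL FROM line, or None if absent or '<>'."""
    m = re.search(r"\sAUTH=(\S+)", mail_line, re.IGNORECASE)
    if not m or m.group(1) == "<>":
        return None
    return m.group(1)  # xtext decoding omitted in this model


def effective_identity(authenticated, mail_auth, policy):
    if policy == "auth-param-only":      # behaviour as the message describes it
        return mail_auth                 # assumption: None leaves only "anyone" rights
    if policy == "fallback":             # what the message says the patch does
        return mail_auth or authenticated
    if policy == "verified":             # the verification the message suggests
        if mail_auth is None or mail_auth == authenticated:
            return authenticated
        if (authenticated, mail_auth) in MAY_ASSUME:
            return mail_auth
        raise PermissionError(f"{authenticated} may not act as {mail_auth}")
    raise ValueError(policy)


def can_post(mailbox, identity):
    """True if 'anyone' or the given identity holds the post right."""
    acl = ACLS[mailbox]
    rights = set(acl.get("anyone", ""))
    if identity is not None:
        rights |= set(acl.get(identity, ""))
    return "p" in rights


def deliver(authenticated, mail_line, mailbox, policy):
    identity = effective_identity(authenticated, parse_mail_auth(mail_line), policy)
    return can_post(mailbox, identity)
```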