global admin without defaultdomain?
igor at ipass.net
Mon Dec 29 12:19:15 EST 2003
On Mon, 29 Dec 2003, Kendrick Vargas wrote:
> On Mon, 29 Dec 2003, Christian Schulte wrote:
> > Since you enabled virtdomains why do you still want unqualified logins
> > if not due upgrading reasons from an old installation with unqualified
> > logins ? This all only has to do with unqualified logins which I do not
> > want/need except for the global admin. If someone plans on changing the
> > behaviour with the global admin and defaultdomain I would really like to
> > keep the ability to not let a global admin in if not connecting to
> > localhost and of course there should be a note about the change so that
> > next time updating cyrus I do not open up a security hole I spent hours
> > to prove that its greatly closed and safe :-)
> Well, that's basically it. I want a global admin, so I need to have a
> defaultdomain set, which means the allowance of unqualified logins.
Why is this a problem? Unqualified userid is meaningful only if there is
a mailbox for this userid in defaultdomain.
> As for
> only being able to log in via localhost to your global admin account,
> it's a bug whether you like it or not :-) Relying on a bug to maintain
> your security is really bad security. The only time I feel secure in my
> setups is when I know everything is working as it should, otherwise theres
> always that bit of doubt about things always working right.
This would be correct only if there is a bug. There is no bug here, but
rather a misconfiguration on your part. We can argue how to make the code
different/better in order to make it easier to configure.
On my configuration, I can cannect as admin to any interface on the mail
server (I have to use fully qualified username: admin at defaultdomain), or
I can connect to a specific ip with an unqualified admin userid.
Here are simple rules:
- global admins need to be unqualified in imapd.conf
- Setup an interface that resolves to host.defaultdomain or setup an
interface that does not resolve to anything. This is required only if you
want to use unqualified admins when connecting to cyrus.
- global admins need to be unqualified in the user database
> Besides, it's not like you couldn't replicate that sort of behavior
> further down the road. You could always set up a specific IMAP instance to
> watch over localhost which uses a different configuration file which has
> the global admin settings. Then modify the other configuration file to get
> rid of the global admin priviledges. That way the system WILL ALWAYS do
> what you've now grown used to and you won't have to worry about it being
> fixed in the future. Actually, maybe there's another good config option
> for security, "globaladmininterfaces" which says which interfaces or IP's
> a global admin can log in as.
> My need for a global admin is for my administrative web interface. I can
> set up my scripts to use one login on the backend and not have to worry
> about setting up specific user addresses in each domain for
> administration which pretty much makes them useless for actual mail
More information about the Info-cyrus