Why are only admins allowed to AUTH to lmtpd?
Lawrence Greenfield
leg+ at andrew.cmu.edu
Fri Jan 3 15:37:35 EST 2003
--On Friday, January 03, 2003 12:48 PM -0700 "Kevin P. Fleming"
<kpfleming at cox.net> wrote:
> This is all working fine, except that I had to add my dummy
> authentication user (which I create solely for Exim to authenticate
> itself to lmtpd with) to the "admins" entry in /etc/imapd.conf. I had to
> do this because lmptd specifically allows only admins to authenticate.
>
> Is there any particular reason why? It's not a big deal for me, but when
> I document this configuration for other people I'm sure this will raise
> some eyebrows.
Allowing anonymous users to directly submit via LMTP would defeat any
accounting done in the MTA and allow for perfectly forged Received headers.
Allowing arbitrary users to authenticate could be just as bad with the
current code, though it could be modified---but it's not clear it's worth
it.
Since there are some LMTP extensions like IGNOREQUOTA that require
administrative rights, it doesn't seem worthwhile to try to get finer
grained authorization than "lmtp_admins".
Larry
More information about the Info-cyrus
mailing list