Why are only admins allowed to AUTH to lmtpd?

Lawrence Greenfield leg+ at andrew.cmu.edu
Fri Jan 3 15:37:35 EST 2003


--On Friday, January 03, 2003 12:48 PM -0700 "Kevin P. Fleming" 
<kpfleming at cox.net> wrote:

> This is all working fine, except that I had to add my dummy
> authentication user (which I create solely for Exim to authenticate
> itself to lmtpd with) to the "admins" entry in /etc/imapd.conf. I had to
> do this because lmtpd specifically allows only admins to authenticate.
>
> Is there any particular reason why? It's not a big deal for me, but when
> I document this configuration for other people I'm sure this will raise
> some eyebrows.

Allowing anonymous users to directly submit via LMTP would defeat any 
accounting done in the MTA and allow for perfectly forged Received headers. 
Allowing arbitrary users to authenticate could be just as bad with the 
current code, though it could be modified---but it's not clear it's worth 
it.

Since there are some LMTP extensions like IGNOREQUOTA that require 
administrative rights, it doesn't seem worthwhile to try to get finer 
grained authorization than "lmtp_admins".

Larry
