Referrals again
Janne Peltonen
janne.peltonen at helsinki.fi
Mon Jul 2 12:00:18 EDT 2007
On Mon, Jul 02, 2007 at 03:19:55PM +0200, Michael Menge wrote:
> Hi,
>
> you could try to disable the validation of the certificate with
>
> novalidate-cert

Thanks, yes, I could. :) But I'd like to have a functioning certificate
scheme here. I really wouldn't like anyone pretending to be, say,
i07.mappi.helsinki.fi with a certificate for foo.com to go without
notice... But buying a certificate for all my Murder backends doesn't
seem to me a viable option ;) (costs way too much).

Interesting. This particular problem couldn't even be solved by
switching to a traditional murder config (as opposed to most of the
problems I've encountered lately). That is, I /could/ arrange it so in a
traditional Murder that the frontends give the posti.mappi.helsinki.fi
certificate - and when they issue a referral to a backend, well, that
backend could give a certificate that matches its own hostname (in my
current setup, I can't do anything like that). But then, I'd have to buy
twenty-five certificates...

The old patch seemed to be against proxyd code (*sigh*). I made a new
patch (against imapd code) that should work for 2.3.8. It's essentially
the same patch that has been in production at PSU for a long time, so it
should be safe... I've got it attached in case anybody else is
interested.
--Janne
--
Janne Peltonen <janne.peltonen at helsinki.fi>
-------------- next part --------------
diff -Naur cyrus-imapd-2.3.8.orig/imap/imapd.c cyrus-imapd-2.3.8/imap/imapd.c
--- cyrus-imapd-2.3.8.orig/imap/imapd.c 2007-06-30 17:27:48.000000000 +0300
+++ cyrus-imapd-2.3.8/imap/imapd.c 2007-07-02 18:37:02.000000000 +0300
@@ -528,7 +528,7 @@
backend_cached = NULL;
backend_inbox = backend_current = NULL;
proxy_cmdcnt = 0;
- disable_referrals = 0;
+ disable_referrals = config_getswitch(IMAPOPT_PROXYD_DISABLE_MAILBOX_REFERRALS);
supports_referrals = 0;
if (imapd_mailbox) {
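Review bot: the option read on the `disable_referrals` line carries a `proxyd_` prefix but is consumed in imapd.c, which will confuse anyone looking for where it takes effect. Either rename it or add a short comment here saying that referrals now start out disabled when the switch is set, since the previous code always reset the flag to 0 at this point.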
@@ -2638,6 +2638,10 @@
prot_printf(imapd_out, CAPA_POSTAUTH_STRING);
+ if (config_getswitch(IMAPOPT_PROXYD_DISABLE_MAILBOX_REFERRALS) == 0) {
+ prot_printf(imapd_out, " MAILBOX-REFERRALS");
+ }
+
if (idle_enabled()) {
prot_printf(imapd_out, " IDLE");
}
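Review bot: the capability check re-reads `config_getswitch(IMAPOPT_PROXYD_DISABLE_MAILBOX_REFERRALS)` instead of testing the `disable_referrals` variable that the first hunk initialises from the same option, so the advertised capability and the actual referral behaviour come from two separate lookups and can drift apart if either is changed later. Suggest testing `!disable_referrals` here so a client is never told MAILBOX-REFERRALS is supported while the server refuses to issue them, or the reverse.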
diff -Naur cyrus-imapd-2.3.8.orig/imap/version.h cyrus-imapd-2.3.8/imap/version.h
--- cyrus-imapd-2.3.8.orig/imap/version.h 2007-02-06 20:07:42.000000000 +0200
+++ cyrus-imapd-2.3.8/imap/version.h 2007-07-02 18:35:42.000000000 +0300
@@ -63,7 +63,7 @@
#define CAPA_PREAUTH_STRING "IMAP4 IMAP4rev1 LITERAL+ ID"
#define CAPA_POSTAUTH_STRING " ACL RIGHTS=kxte QUOTA " \
- "MAILBOX-REFERRALS NAMESPACE UIDPLUS " \
+ "NAMESPACE UIDPLUS " \
"NO_ATOMIC_RENAME UNSELECT " \
"CHILDREN MULTIAPPEND BINARY " \
"SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES " \
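Review bot: dropping MAILBOX-REFERRALS from `CAPA_POSTAUTH_STRING` changes the capability list for every user of this macro, not only the imapd.c call site patched above. Please confirm no other file prints the macro and relies on the capability being in it, and add a comment next to the define noting that MAILBOX-REFERRALS is now emitted conditionally in imapd.c.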
diff -Naur cyrus-imapd-2.3.8.orig/lib/imapoptions cyrus-imapd-2.3.8/lib/imapoptions
--- cyrus-imapd-2.3.8.orig/lib/imapoptions 2007-06-30 17:27:48.000000000 +0300
+++ cyrus-imapd-2.3.8/lib/imapoptions 2007-07-02 18:38:27.000000000 +0300
@@ -817,6 +817,10 @@
connections that these referrals would cause, thus resulting in a higher
authentication load on the respective backend server. */
+{ "proxyd_disable_mailbox_referrals", 0, SWITCH }
+/* Set to true to disable the use of mailbox-referrals on the
+ proxy servers.*/
+
{ "proxyservers", NULL, STRING }
/* A list of users and groups that are allowed to proxy for other
users, separated by spaces. Any user listed in this will be
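Review bot: the documentation comment for `proxyd_disable_mailbox_referrals` says only that it disables referrals "on the proxy servers", while the code that reads it is in imapd.c. The text should state what actually changes: the MAILBOX-REFERRALS capability is no longer advertised and `disable_referrals` starts out set, with the default of 0 leaving referrals enabled. Also add a space before the closing `*/` to match the neighbouring entries.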