Cyrus admin access to user mailboxes

Janne Peltonen janne.peltonen at helsinki.fi
Fri Sep 14 07:48:57 EDT 2007


On Fri, Sep 14, 2007 at 01:05:32PM +0200, Alain Spineux wrote:
> Most IMAP clients expect the credential you will use to have a
> personal INBOX, but the admin user should not have an INBOX.
> Anyway, technically an admin can read a user's mailbox, but you have to write
> the IMAP client yourself, or find the good one :-).
> The best way is to create a new user and give him ACL on all mailboxes.
> I think cyradmin will let you do:
> 
> sam user/*@example.com newuser lrswipkxtecda

I'd say that the best way'd be to log in as an admin user as the auth
user and the real user as the user... If you know how to speak IMAP, you
can do something like

  imtest -u <username> -a <adminusername> -m plain -t "" <hostname>

when it asks for a password, you give the admin user's password and
voilà, you're logged in with the access rights of <username>.

Now this uses a couple of facts of the IMAP system:

1) Users that are listed as admins in imapd.conf can pose as any user.

2) SASL has a mechanism that differentiates the username you use to
authenticate yourself as and the username that determines your access
rights.

So you have to use '-m plain -t ""' (for SASL PLAIN method with
STARTTLS) or "-m digest-md5" (for SASL DIGEST-MD5 method) or some other
SASL method; you cannot use "-m login" or skip the mechanism (because it
defaults to IMAP LOGIN) - the LOGIN "mechanism" is actually the IMAP
LOGIN command, with no semantics to differentiate the auth user and the
access user...

If you can find a more sophisticated IMAP client with an actual front
end to the IMAP protocol that supports different auth and access ids,
please tell me too... ;)


--Janne Peltonen
Email admin
Univ. of Helsinki

> 
> at once
> 
> Regards
> 
> 
> On 9/14/07, jools at oss4all.plus.com <jools at oss4all.plus.com> wrote:
> > Hi All,
> >
> > Just a quick question regarding accessing mailboxes via admin accounts. I
> > have Cyrus configured with 4 admins named in the imapd.conf file but I
> > can't find how to access users accounts which we have to do under certain
> > circumstances. On exchange you'd log in with domain/user/mailboxowner to
> > gain access. What's the best method of doing with Cyrus?
> >
> > Thanks in advance,
> >
> > Jools
> >
> > ----
> > Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> > Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> > List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
> >
> 
> 
> -- 
> Alain Spineux
> aspineux gmail com
> May the sources be with you

-- 
Janne Peltonen <janne.peltonen at helsinki.fi>
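
The auth-user / access-user split described in the message above, as an added example that is not part of the original post or of Cyrus itself: it builds the SASL PLAIN message (RFC 4616) that carries both identities and decodes one to flag a proxy login when auditing a capture. The helper names and the sample accounts `jdoe` and `cyrusadmin` are constructed for illustration.

```python
import base64
import imaplib
import ssl


def plain_response(authzid: str, authcid: str, password: str) -> bytes:
    """RFC 4616 message: [authzid] NUL authcid NUL passwd, UTF-8 encoded."""
    for field in (authzid, authcid, password):
        if "\x00" in field:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    if not authcid or not password:
        raise ValueError("authcid and password are required")
    return "\x00".join((authzid, authcid, password)).encode("utf-8")


def parse_plain(b64: str) -> dict:
    """Decode a base64 PLAIN response and report whether it is a proxy login."""
    parts = base64.b64decode(b64, validate=True).split(b"\x00")
    if len(parts) != 3 or not parts[1]:
        raise ValueError("malformed PLAIN response")
    authzid, authcid = parts[0].decode(), parts[1].decode()
    # An empty authzid means "act as the identity that authenticated".
    effective = authzid or authcid
    return {"authcid": authcid, "authzid": effective,
            "proxy": effective != authcid}


def open_as(host: str, user: str, admin: str, admin_password: str):
    """Authenticate as `admin`, act as `user`; PLAIN is sent only after STARTTLS."""
    conn = imaplib.IMAP4(host)
    conn.starttls(ssl.create_default_context())
    # imaplib base64-encodes whatever the callback returns.
    conn.authenticate(
        "PLAIN", lambda _challenge: plain_response(user, admin, admin_password))
    return conn


if __name__ == "__main__":
    # Constructed sample: admin credentials, mailbox owner as authzid.
    wire = base64.b64encode(plain_response("jdoe", "cyrusadmin", "s3cret")).decode()
    print(wire, parse_plain(wire))
```

The IMAP LOGIN command takes only a user name and a password, so it has no field in which an authzid could travel.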

