Delivery to Shared Folders via authenticated SMTP then LMTP

Duncan Gibb Duncan.Gibb at SiriusIT.co.uk
Tue Apr 21 10:55:44 EDT 2009


Andy Bennett wrote:

AB> I'm running a Debian etch server with the cyrus-2.2 (2.2.13-10)
AB> packages installed. I'm using exim 4.63 as my MTA.

OK.  Not an untypical deployment...

AB> I have no "postuser:" setting in /etc/imapd.conf so I'm assuming
AB> that it's default and I can address shared folders with the
AB> "+xxx at domain" address.

The default postuser is the empty string, hence the need for "anyone"
ACLs you're seeing.

AB> I can insert and delete messages in shared.test via IMAP when I'm
AB> authenticated as andyjpb at ashurst.eu.org

AB> I connected to my SMTP server, authenticated as
AB> andyjpb at ashurst.eu.org and sent a message to
AB> "+shared.test at ashurst.eu.org".

AB> The message was accepted by exim and then immediately bounced.

AB> MAIL FROM:<andyjpb at ashurst.eu.org> SIZE=2523
AB> RCPT TO:<+shared.test at ashurst.eu.org>
AB> 550-You do not have permission to post a message to this mailbox.

AB> I don't see an AUTH line tho... I'm authenticating as exim who
AB> should be able to authorise as andyjpb at ashurst.eu.org. How can I
AB> be sure that that is happening?

You should have lines in syslog (/var/log/maillog) from lmtpd of the form

  cyrus/lmtp[<PID>]: login: <MTA.HOSTNAME> [<MTA.IP>] <authzid>
      <SASL.MECH> User logged in

The authzid there will be the user as whom Exim authorized.  But I don't
think that's the problem (see below).

AB>    client_send = $authenticated_sender^exim^<PASSWORD>

AB> I think that should send the exim authenticated sender along
AB> as the authorisation and exim and <PASSWORD> along as the
AB> authentication.

It should, but not in the way you want.  The SASL authzid isn't what
lmtpd evaluates ACLs against.  To do what I think you want (ACLs for
delivery to shared mailboxes by users employing SMTPA), you need Exim to
pass the authenticated user from the SMTP transaction with the MUA into
the _MAIL_ line of the LMTP conversation.  You want Exim to say:

 MAIL FROM:<andyjpb at ashurst.eu.org> AUTH=<andyjpb at ashurst.eu.org>

To do that you probably want to add

  authenticated_sender = $authenticated_id

to the definition of your lmtp relay.

You can check Cyrus is doing what you expect by using openssl s_client
or gnutls-cli to have a manual LMTP conversation with it:

 <-  220 your.cyrus.box LMTP Cyrus v2.3.13-Sirius-2009:2.3.13-5 ready
 ->  lhlo authtest
 <-  250-your.cyrus.box
 <-  250-[..]
 <-  250-AUTH PLAIN LOGIN
 ->  auth plain base64.nonsense.or.go.back.to.cram-md5
 <-  235 Authenticated!
 ->  mail from:<arbitrary at mail.addr> AUTH=<andyjpb at ashurst.eu.org>
 <-  250 2.1.0 ok
 ->  rcpt to:<+shared.test at ashurst.eu.org>
 <-  250 2.1.5 ok
 ->  data
 <-  354 go ahead

etc...


Cheers


Duncan

-- 
Duncan Gibb - Technical Director
Sirius Corporation plc - control through freedom
http://www.siriusit.co.uk/ || t: +44 870 608 0063
Debian Cyrus Team
https://alioth.debian.org/projects/pkg-cyrus-imapd/
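As an added example (not from the original mail, nor Exim or Cyrus project code), a small Python helper for the three checks discussed above: it builds the SASL PLAIN blob that Exim's `client_send = $authenticated_sender^exim^<PASSWORD>` line produces (each `^` becomes a NUL), so you can paste a real value in place of `base64.nonsense` in the manual LMTP test; it builds the MAIL FROM line carrying the authenticated user in the `AUTH=` parameter, in the xtext form of RFC 4954 (no angle brackets, unlike the shorthand in the transcript); and it parses the lmtpd login line from syslog to read off the authzid. The addresses, password and log line are constructed placeholders.

```python
import base64
import re

# Constructed sample values (placeholders, not real credentials).
AUTHZID = "andyjpb@ashurst.eu.org"   # user Exim should authorise as
AUTHCID = "exim"                      # Exim's own SASL login
PASSWORD = "s3cret-placeholder"
# Constructed syslog line in the shape the mail describes.
SAMPLE_LOG = ("Apr 21 10:55:44 imap cyrus/lmtp[4242]: login: mta.example.org "
              "[192.0.2.10] andyjpb@ashurst.eu.org PLAIN User logged in")


def plain_initial_response(authzid, authcid, password):
    """Base64 AUTH PLAIN initial response: authzid NUL authcid NUL password."""
    raw = b"\0".join(s.encode("utf-8") for s in (authzid, authcid, password))
    return base64.b64encode(raw).decode("ascii")


def decode_plain_initial_response(blob):
    """Inverse of plain_initial_response, for checking what a client sent."""
    parts = base64.b64decode(blob).split(b"\0")
    if len(parts) != 3:
        raise ValueError("AUTH PLAIN message must have exactly three fields")
    return tuple(p.decode("utf-8") for p in parts)


def xtext(value):
    """RFC 3461 xtext: printable ASCII except '+' and '=' stays, rest is +HH."""
    return "".join(chr(b) if 33 <= b <= 126 and b not in (0x2B, 0x3D)
                   else "+%02X" % b for b in value.encode("utf-8"))


def mail_from_line(sender, authenticated_id):
    """MAIL FROM line with the authenticated user in the AUTH parameter (RFC 4954)."""
    return "MAIL FROM:<%s> AUTH=%s" % (sender, xtext(authenticated_id))


LOGIN_RE = re.compile(
    r"cyrus/lmtp\[(?P<pid>\d+)\]: login: (?P<host>\S+) \[(?P<ip>[^\]]+)\] "
    r"(?P<authzid>\S+) (?P<mech>\S+) User logged in")


def parse_lmtp_login(line):
    """Return pid, MTA host/IP, authzid and SASL mechanism from an lmtpd login line."""
    m = LOGIN_RE.search(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    print("auth plain " + plain_initial_response(AUTHZID, AUTHCID, PASSWORD))
    print(mail_from_line(AUTHZID, AUTHZID))
    print(parse_lmtp_login(SAMPLE_LOG))
```

If the parsed authzid is not the MUA's user, Exim is authorising as the wrong identity; if it is and the RCPT still gets a 550, the ACL on the shared folder is what needs attention.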
