Security impact of lmtpd with pre-auth
Pascal Gienger
Pascal.Gienger at uni-konstanz.de
Wed Jul 8 02:02:19 EDT 2009
Nikolaus Rath schrieb:
> Hello,
>
> Apparently (http://wiki.exim.org/CyrusImap) I need to let lmtpd accept
> connections from localhost as pre-authenticated to make cyrus and exim
> work nicely together.
>
> Can someone explain what this actually means security wise? I.e. what
> could a malicious user on localhost do with a pre-authed connection?
He can put/deliver mail in whatever mailbox.
The other side: If you have a "malicious unix user" on your Cyrus Box,
you'll have a bunch of another problems, far aside from delivering mails
to every mailbox...
Delivering mails from localhost to localhost via lmtp with
authentication has the problem that the sending side does need to now
the credential. If the sending side knows that credential, a "malicious
user" does have access to it because the sending side is on the same
box, the same container, ...
Just my $0.02,
Pascal
--
Pascal Gienger
University of Konstanz, IT Services Department ("Rechenzentrum")
Electronic Communications and Web Services
Building V, Room V404, Phone +49 7531 88 5048, Fax +49 7531 88 3739
More information about the Info-cyrus
mailing list