2.3.14: posting to shared mailbox results in 550 Permission denied

Simon Matter simon.matter at invoca.ch
Fri May 29 04:48:59 EDT 2009


> --On 29. Mai 2009 10:12:32 +0200 Simon Matter <simon.matter at invoca.ch>
> wrote:
>
>>> I can confirm that anonymous posting to a shared folder with 'anonymous
>>> p' rights works on the 64bit version but not on the 32bit version. So
>>> there must be a change between 2.3.13 and 2.3.14 which breaks something
>>> on 32bit systems but not on 64bit.
>>
>> Is there anybody around who can confirm this?
>
> We've always used the 'anyone p' right for this purpose, that's why I
> didn't notice anything ... I just set up a mailbox to test this:
>
> cyrus.rrz.uni-koeln.de> lam posting
> anonymous lrsp
> anyone lrs
>
> Not surprisingly, the result is the same one you observed: it only works
> when 'anyone' has the 'p' right. (we're running a 32bit system)
>
> So where does it say that the 'anonymous p' right is *supposed* to work?
> The only reference I've been able to find is overview.html, and that isn't
> particularly clear. What's the harm in granting 'anyone p' instead?

Well, there are different reasons for me why this should be fixed:

1) It's a regression. It has worked for years and now it doesn't and it
seems nobody really knows why and no change is documented anywhere (or I
didn't find it).

2) It works on 64bit builds but not on 32bit builds. That's the reason why
I didn't find it out for so long and clearly looks somehow broken to me.

3) ACL calculation is security sensitive and should really work as
documented and as those who wrote the code intended it to work.


The cyrus-imapd docs say:

Access Rights

    lrsp    The user can read the mailbox, and can post to it through the
            delivery system. Most delivery systems do not provide
            authentication, so the "p" right usually has meaning only for
            the "anonymous" user.

"anonymous" and "anyone"

    With any authorization mechanism, two special identifiers are defined.
    The identifier "anonymous" refers to the anonymous, or unauthenticated
    user. The identifier "anyone" refers to all users, including the
    anonymous user.


From what I understand preauthed LMTP connections are considered
"anonymous" and therefore the p right to post to a shared folder is
enough. I don't remember all details but I think it is that with "anyone
p" rights every user on the server (including preauthed LMTP) can post to
the box, which may not be what you want. With only "anonymous p" rights,
LMTP can post but not IMAP users as long as you do not allow anonymous
IMAP. I think that's the point why "anonymous" exists.

Regards,
Simon
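Added example, not part of the message and not Cyrus code: a small Python model of the documented ACL semantics quoted above ("anyone" matches every identity including the anonymous one, "anonymous" only an unauthenticated one), used to compare the two ACLs from the thread. It assumes the Cyrus convention that an identifier prefixed with "-" subtracts rights, and that an unauthenticated LMTP delivery is evaluated as "anonymous".

```python
# Added example (not Cyrus code): model the documented Cyrus ACL semantics for
# the special identifiers "anyone" and "anonymous" and check who may post.
# Assumptions: "anyone" matches every principal including the anonymous one;
# "anonymous" matches only an unauthenticated principal; "-id" entries subtract.

ANONYMOUS = "anonymous"   # identity used for an unauthenticated session (LMTP)

def parse_lam(output: str) -> list[tuple[str, str]]:
    """Parse 'lam'-style lines ('identifier rights') into ACL entries."""
    entries = []
    for line in output.strip().splitlines():
        ident, rights = line.split()
        entries.append((ident, rights))
    return entries

def _matches(ident: str, principal: str) -> bool:
    """Does an ACL identifier apply to the given principal?"""
    if ident == "anyone":
        return True                      # everyone, anonymous included
    if ident == ANONYMOUS:
        return principal == ANONYMOUS    # only unauthenticated sessions
    return ident == principal

def effective_rights(acl, principal: str) -> set[str]:
    """Union of matching positive rights minus matching negative rights."""
    granted, denied = set(), set()
    for ident, rights in acl:
        negative = ident.startswith("-")
        name = ident[1:] if negative else ident
        if _matches(name, principal):
            (denied if negative else granted).update(rights)
    return granted - denied

def can_post(acl, principal: str) -> bool:
    """'p' is the post-via-delivery right; unauthenticated LMTP is 'anonymous'."""
    return "p" in effective_rights(acl, principal)

# Constructed ACLs mirroring the two configurations discussed in the thread.
ACL_ANONYMOUS_P = parse_lam("anonymous lrsp\nanyone lrs\n")   # delivery only
ACL_ANYONE_P    = parse_lam("anonymous lrs\nanyone lrsp\n")   # every IMAP user too
```

Under the documented rules (the 32-bit regression discussed here aside), the first ACL lets only the anonymous delivery path post, while the second also grants "p" to every authenticated IMAP user.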


