IMAPS with extra authorization.

Dan White dwhite at olp.net
Mon Jul 26 09:27:52 EDT 2010


On 26/07/10 03:27 -0500, Syren Baran wrote:
>On Saturday, 24.07.2010, at 00:43 -0500, Dan White wrote:
>> >
>> >Would be a nice and clean solution to set the service name for "imapd -s"
>> >to "imaps" and just use a second pam file for that service.
>>
>> The service name that gets passed to saslauthd is taken from the
>> sasl_server_init call inside the individual servers.  So it's always 'imap'
>> for all services started by imapd, and 'pop3' for all pop3d services.
>>
>> I don't think it would be possible without a modification to the sasl code.
>
>Hmm,
>just had a quick look at the code and didn't test it since we are using
>the version from the repos.
>
>Shouldn't this be sufficient?
>
>---imapd.diff---
>123a124
>> static char* servicename="imap";
>676c677
><     while ((opt = getopt(argc, argv, "sp:N")) != EOF) {
>---
>>     while ((opt = getopt(argc, argv, "sp:NS:")) != EOF) {
>692a694,696
>>       case 'S': /*set service name, needs pam file with same name*/
>>               servicename=malloc(strlen(optarg)+1);
>>               strcpy(servicename,optarg);
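
Review bot: the added case 'S' has no break; among its three lines, so unless one already follows in the unchanged code, -S falls through into the next option's handling; end the case with break;. The malloc result is also passed straight to strcpy with no NULL check; servicename = strdup(optarg); followed by a NULL test and a fatal exit would replace both lines and handle allocation failure. Since the comment says the value must match a PAM file name, it would also be worth rejecting an empty optarg here, and the new option needs an entry in the usage text and man page.
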
>783c787
><     if (sasl_server_new("imap", config_servername,
>---
>>     if (sasl_server_new(servicename, config_servername,
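
Review bot: passing servicename as the first argument of sasl_server_new changes the service name for the whole SASL connection, not only for the password check that ends up at PAM. If the aim is just a separate PAM file for imaps, leave "imap" in this call and apply the override only where the name is handed to the password verifier, so other consumers of the service name keep seeing "imap".
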
>---imapd.dif---
>
>Didn't do a free on the pointer, should be cleared anyway after the fork
>exits.
>
>But as I said, I just had a quick look at the code.

I think you'll cause some issues with changing the SASL service name, since
things like the kerberos principal that's used, and the sasl config file
name are influenced by it.

Another approach would be to introduce a sasl parameter, like
"pwcheck_service_name" that could be set that only influences the service
name as it gets passed to saslauthd or authdaemon, rather than changing it
in the sasl_server_new call.

-- 
Dan White

