Restrict IMAP admin logins in Cyrus
Damijan Senčar
damijan at sencar.org
Thu Jan 13 03:33:41 EST 2011
On 01/13/2011 02:35 AM, Lucas Zinato Carraro wrote:
> Is it possible to limit IMAP admin logins?
>
> For example, limit admin to a specific IP only.
>
>
> Is there a way to grant permission to a specific user for
> administrative tasks but limit this user
> to delete accounts?
>
>
> Regards
> Zinato
You may want to set up your conf files like:
/etc/cyrus.conf
# standard standalone server implementation
START {
  # do not delete this entry!
  recover cmd="ctl_cyrusdb -r"
  # this is only necessary if using idled for IMAP IDLE
  idled cmd="idled"
}
# UNIX sockets start with a slash and are put into /var/lib/imap/sockets
SERVICES {
  # add or remove based on preferences
  imaplocal cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:8888" prefork=0
  imap cmd="imapd" listen="imap" listen="your-imapd-server-ip:imap" prefork=5
  imaps cmd="imapd -s" listen="imaps" prefork=1
  # pop3 cmd="pop3d" listen="pop3" prefork=3
  # pop3s cmd="pop3d -s" listen="pop3s" prefork=1
  sieve cmd="timsieved" listen="sieve" prefork=1
  # these are only necessary if receiving/exporting usenet via NNTP
  # nntp cmd="nntpd" listen="nntp" prefork=3
  # nntps cmd="nntpd -s" listen="nntps" prefork=1
  # at least one LMTP is required for delivery
  # lmtp cmd="lmtpd" listen="lmtp" prefork=0
  lmtpunix cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1
  # this is only necessary if using notifications
  # notify cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" prefork=1
}
EVENTS {
  # this is required
  checkpoint cmd="ctl_cyrusdb -c" period=30
  # this is only necessary if using duplicate delivery suppression,
  # Sieve or NNTP
  delprune cmd="cyr_expire -E 3" at=0400
  # this is only necessary if caching TLS sessions
  tlsprune cmd="tls_prune" at=0400
}
/etc/imapd.conf
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
## comment for local admins: cyrus
#admins: cyrus
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
allowplaintext: yes
lmtp_downcase_rcpt: yes
defaultdomain: your-domain
autocreatequota: 100000
quotawarn: 90
servername: your-server
sasl_saslauthd_path: /var/run/saslauthd/mux
berkeley_cachesize: 16384
sasl_mech_list: PLAIN
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
# uncomment this if you're operating in a DSCP environment (RFC-4594)
# qosmarking af13
/etc/imapd-local.conf
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
allowplaintext: yes
lmtp_downcase_rcpt: yes
defaultdomain: your-domain
quotawarn: 90
servername: your-server
sasl_mech_list: PLAIN
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
# uncomment this if you're operating in a DSCP environment (RFC-4594)
# qosmarking af13
As you can see, your default imapd.conf config file doesn't have an admin
account defined.
The admin account is defined in imapd-local.conf.
You can access your admin account like:
cyradm --user cyrus --port 8888 localhost
You can change localhost to your host IP and control access to the cyrus
admin port with e.g. iptables.
Best regards,
Damijan
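
An added example, not part of the original message or of Cyrus itself: a small audit that reads a cyrus.conf SERVICES section and reports any service whose config file defines admins while listening on a non-loopback address. It assumes one service entry per line and /etc/imapd.conf as the config when cmd has no -C; the function names, the sample text and the 192.0.2.10 address are constructed for illustration.

```python
import re
import shlex

DEFAULT_CONF = "/etc/imapd.conf"  # assumed default when cmd has no -C

def has_admins(conf_text):
    """True if an uncommented, non-empty 'admins:' option is present."""
    for line in conf_text.splitlines():
        m = re.match(r"\s*admins\s*:\s*(\S.*)?$", line)
        if m and m.group(1):
            return True
    return False

def is_local(listen):
    """UNIX sockets and loopback hosts are local; a bare port is not."""
    if listen.startswith("/"):
        return True
    if ":" not in listen:
        return False  # e.g. "imap": binds every interface
    host = listen.rsplit(":", 1)[0].strip("[]")
    return host in ("localhost", "::1") or host.startswith("127.")

def exposed_admin_services(cyrus_conf, conf_files):
    """(service, listen) pairs where a config with admins is reachable
    off-host. conf_files maps config path -> file text."""
    findings = []
    body = re.search(r"SERVICES\s*\{(.*?)\}", cyrus_conf, re.S)
    for line in (body.group(1) if body else "").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cmd = re.search(r'cmd="([^"]*)"', line)
        argv = shlex.split(cmd.group(1)) if cmd else []
        conf = argv[argv.index("-C") + 1] if "-C" in argv[:-1] else DEFAULT_CONF
        if not has_admins(conf_files.get(conf, "")):
            continue
        for listen in re.findall(r'listen="([^"]*)"', line):
            if not is_local(listen):
                findings.append((line.split()[0], listen))
    return findings

# Constructed sample in the layout of the post (192.0.2.10 is a placeholder)
CYRUS_CONF = '''SERVICES {
  imaplocal cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:8888" prefork=0
  imap cmd="imapd" listen="192.0.2.10:imap" prefork=5
}'''
SPLIT = {"/etc/imapd.conf": "#admins: cyrus", "/etc/imapd-local.conf": "admins: cyrus"}
SINGLE = {"/etc/imapd.conf": "admins: cyrus"}  # admins left in the public config
print(exposed_admin_services(CYRUS_CONF, SPLIT))
print(exposed_admin_services(CYRUS_CONF, SINGLE))
```

With the split layout the list is empty; with admins left in the public config, the imap service is reported.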