Ban some users from accessing IMAP
Dave McMurtrie
dave64 at andrew.cmu.edu
Mon Apr 28 12:47:29 EDT 2014
Sorry for the top-post...
We had exactly this requirement, so Ken added the user_deny database a couple years ago. Coincidentally, it was added in the 2.3.16 release, so you're set there.
The good news is that user_deny.db does exactly what you want. It allows you to deny any specific service to a valid user, even if they can successfully authenticate to your Cyrus server.
The bad news is that there's no utility that will add things to the user_deny database for you. I wrote a web interface that we use here. You'll need to do something similar. You could probably use cyr_dbtool or write a script to populate user_deny.db. The format of it is described here: http://cyrusimap.org/docs/cyrus-imapd/2.4.17/internal/database-formats.php (we weren't publishing the internal stuff for earlier versions of Cyrus, but the user_deny.db is still the same).
Thanks!
Dave
________________________________________
From: info-cyrus-bounces+dave64=andrew.cmu.edu at lists.andrew.cmu.edu [info-cyrus-bounces+dave64=andrew.cmu.edu at lists.andrew.cmu.edu] on behalf of Jason L Tibbitts III [tibbs at math.uh.edu]
Sent: Monday, April 28, 2014 12:18 PM
To: info-cyrus at lists.andrew.cmu.edu
Subject: Ban some users from accessing IMAP
I have a pretty simple cyrus setup; I have a long-running 2.3.16 install
on RHEL5 (one day I'll update), with authentication handled by
cyrus-sasl 2.1.22 and everything authenticating to a kerberos server.
What I would like to do is ban some valid users from accessing IMAP.
We've had a rash of users falling victim to phishing attacks and would
like to simply prevent those users from any remote access. So they need
a valid kerberos principal in order to access desktops here, but would
lose IMAP access. (Need to ban remote SSH access as well, but that's
trivial with DenyGroups).
I know this probably isn't strictly a Cyrus IMAPd thing, but I figure
some folks must have run into this kind of requirement before. I
realize I also need to restrict SMTP logins as well, but that goes
through SASL and the Kerberos server as well so if the solution involves
either of those then perhaps I get it for free.
- J<
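An added example, not part of the original thread and not Cyrus project code: a minimal Python helper of the kind the reply suggests writing. It builds a user_deny.db record in the layout given in the linked database-formats document (key = userid, value = version, TAB, comma-separated wildmat deny list, TAB, message) and checks which services a record blocks. The database path, the `flat` backend, the userid, the service names and the "last matching pattern wins, `!` negates" matching approximated with `fnmatch` are assumptions to verify against your own imapd.conf, cyrus.conf and server version.

```python
import fnmatch

USERDENY_VERSION = 2  # record version stated in the Cyrus database-formats document


def build_record(services, message=""):
    """Return the value stored under a userid key: <version>TAB<deny list>TAB<message>."""
    if not services:
        raise ValueError("deny list must contain at least one service pattern")
    for field in list(services) + [message]:
        if any(c in field for c in "\t\r\n"):
            raise ValueError("tabs and newlines would corrupt the record")
    if any("," in s or not s.strip() for s in services):
        raise ValueError("each pattern must be non-empty and contain no comma")
    return "%d\t%s\t%s" % (USERDENY_VERSION, ",".join(services), message)


def parse_record(value):
    """Split a stored value back into (version, patterns, message)."""
    version, deny_list, message = value.split("\t", 2)
    return int(version), [p.strip() for p in deny_list.split(",")], message


def is_denied(value, service):
    """Assumed matching rule: the last pattern that matches decides; '!' negates."""
    _, patterns, _ = parse_record(value)
    denied = False
    for pat in patterns:
        negate = pat.startswith("!")
        if fnmatch.fnmatchcase(service, pat[1:] if negate else pat):
            denied = not negate
    return denied


def dbtool_argv(userid, value, db_path="/var/lib/imap/user_deny.db", backend="flat"):
    """argv for cyr_dbtool's 'set' action; db_path and backend are assumptions."""
    return ["cyr_dbtool", db_path, backend, "set", userid, value]


if __name__ == "__main__":
    # Constructed sample: block IMAP and POP3 for a phished account, keep other services.
    record = build_record(["imap*", "pop3*"], "Account locked; contact the help desk")
    for svc in ("imap", "imaps", "pop3", "sieve", "lmtpunix"):  # typical cyrus.conf names
        print("%-9s %s" % (svc, "DENIED" if is_denied(record, svc) else "allowed"))
    print(dbtool_argv("jdoe", record))  # pass to subprocess.run() as the cyrus user
```

Checking a record with `is_denied` before writing it catches a pattern such as `*` that would also block local delivery services defined in cyrus.conf.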