The admins key on imapd.conf

Jeroen van Meeuwen (Kolab Systems) vanmeeuwen at kolabsys.com
Sat Mar 14 16:24:56 EDT 2015


On 2015-03-10 20:25, Niels Dettenbach wrote:
> On Tuesday, 10 March 2015, 17:48:44, Manuel Vazquez wrote:
>> I understand from the official documentation that the users described
>> there can see the mailboxes of all the users present on the server.
>> 
>> Is that correct?
> Besides this, the admin user(s) are able to create mailboxes / folders
> and maintain access rights and quotas, including deleting folders after
> setting the appropriate rights to it.
> 
> It is important to understand the role of the admin user - without it, I
> assume it would be nearly impossible to set up and maintain a cyrus setup.
> 

True, but for the autocreate feature set we have today ;-)

It needs to be understood that any user listed in the `admins` setting has 
-- implicitly -- the 'a' right on *all* mailboxes.

The 'a' right does not imply any other rights ('l', 'r', 's' most 
prominently, though an "admin" doesn't require 'l' specifically in order 
to be able to have a mailbox appear in a list of mailboxes), but does 
impose the right to SETACL (including 'l', 'r' and 's', and whichever 
other ones!).

`admins` should be limited very, *very* much, to a rather select group 
of people/services with a proverbial ``$surname-admin`` account -- it is 
the sysadmin/root equivalent of a system that is otherwise normally a 
sealed system.

Kind regards,

Jeroen van Meeuwen

-- 
Systems Architect, Kolab Systems AG

e: vanmeeuwen at kolabsys.com
m: +41 79 951 9003
w: https://kolabsystems.com

pgp: 9342 BF08
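
The following is an added example, not part of the original message or of the Cyrus code base: a small audit that reads the `admins` option from an imapd.conf fragment and lists, per mailbox, who holds 'r' today and who could grant it to themselves through SETACL (the 'a' right, explicit or implicit via `admins`). The configuration fragment, the mailbox names and the ACLs are constructed, the function names are hypothetical, and the ACLs are assumed to contain only positive per-user entries.

```python
# Added example: constructed data, not taken from the thread or a real server.
IMAPD_CONF = """\
# constructed sample imapd.conf fragment
configdirectory: /var/lib/imap
admins: cyrus doe-admin
"""

# Constructed per-mailbox ACLs: identifier -> rights string.
MAILBOX_ACLS = {
    "user/alice": {"alice": "lrswipkxtecda", "bob": "lrs"},
    "user/bob": {"bob": "lrswipkxtecda"},
}


def parse_admins(conf_text):
    """Return the userids listed in the `admins` option (space separated)."""
    admins = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no options
        key, sep, value = line.partition(":")
        if sep and key.strip() == "admins":
            admins = value.split()
    return admins


def reach(acls, admins):
    """Per mailbox: who holds 'r' now, and who can obtain it via SETACL."""
    report = {}
    for mbox, acl in acls.items():
        readers = {user for user, rights in acl.items() if "r" in rights}
        # 'a' comes from an ACL entry or, implicitly, from the admins list.
        can_setacl = {user for user, rights in acl.items() if "a" in rights}
        can_setacl |= set(admins)
        report[mbox] = {
            "reads_now": sorted(readers),
            "can_grant_self_read": sorted(can_setacl - readers),
        }
    return report


if __name__ == "__main__":
    for mbox, info in reach(MAILBOX_ACLS, parse_admins(IMAPD_CONF)).items():
        print(mbox, info)
```

Every userid in `admins` appears under `can_grant_self_read` for every mailbox, which is why that list is the one to keep short and review.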

