Using user_deny.db

Ken Murchison murch at
Tue Sep 19 11:45:49 EDT 2017

On 09/19/2017 11:31 AM, Michael Sofka wrote:
> On 09/19/2017 10:28 AM, Ken Murchison wrote:
>>> I believe that is it prior to authentication, based on my notes:
>> user_deny.db is NOT checked prior to completion of LOGIN 
>> authentication, although it probably could/should.  It works for POP3 
>> USER/PASS because user_deny.db is checked in the command processing 
>> loop, so it happens between the USER and PASS commands.
> Oh well.  I agree that it would be a useful check before login 
> authentication takes place.

There IS a check during the SASL proxy policy callback, but that isn't 
used for protocol-specific plaintext authentication commands. I just 
tested a quick patch which moved the check into the user 
canonicalization callback (which IS used by IMAP LOGIN, etc) and it 
works as expected.  I would need to do further testing to make sure 
there aren't any unintended consequences.

> Meanwhile, any more comprehensive examples or documentation?

Kenneth Murchison
Cyrus Development Team
FastMail Pty Ltd
