Using user_deny.db
Ken Murchison
murch at fastmail.com
Tue Sep 19 11:45:49 EDT 2017
On 09/19/2017 11:31 AM, Michael Sofka wrote:
> On 09/19/2017 10:28 AM, Ken Murchison wrote:
>>> I believe that it is prior to authentication, based on my notes:
>>>
>>> https://lists.andrew.cmu.edu/pipermail/info-cyrus/2010-June/033119.html
>>
>> user_deny.db is NOT checked prior to completion of LOGIN
>> authentication, although it probably could/should. It works for POP3
>> USER/PASS because user_deny.db is checked in the command processing
>> loop, so it happens between the USER and PASS commands.
>
> Oh well. I agree that it would be a useful check before login
> authentication takes place.

There IS a check during the SASL proxy policy callback, but that isn't
used for protocol-specific plaintext authentication commands. I just
tested a quick patch which moved the check into the user
canonicalization callback (which IS used by IMAP LOGIN, etc) and it
works as expected. I would need to do further testing to make sure
there aren't any unintended consequences.

>
> Meanwhile, any more comprehensive examples or documentation?

https://www.cyrusimap.org/imap/concepts/deployment/databases.html#user-access-user-deny-db

--
Kenneth Murchison
Cyrus Development Team
FastMail Pty Ltd