SASL login as another user - unexpected behavior on cyrus 2.4.17

Marco falon at
Mon Sep 25 04:19:00 EDT 2017


  I run Cyrus-IMAPD 2.4.17 with many virtual domains:

	virtdomains: userid

I configured a domain administrator:

	admins: admin at

With this account I can LIST all accounts in domain only, as 

Let suppose the Cyrus-IMAPD server stores also accounts for other 
domains, such as domain.

Well, I see that I can SASL PLAIN login using admin at on accounts too, if I know their names. I can't understand why 
this could happen. It seems a security issue.

Is there a way to prevent this issue without modifying ACL on all accounts?

Thank you

More information about the Info-cyrus mailing list