SASL login as another user - unexpected behavior on cyrus 2.4.17

Bron Gondwana brong at
Mon Sep 25 20:16:23 EDT 2017

That's going to be the case on all versions of Cyrus - admins have quite
a lot of "root"-like power, and the @domain limitation is quite
lightweight as you can see!
I would recommend running a completely separate Cyrus instance per
zone of control if this is a concern - while it would be nice to lock
down all the ways in which admins are powerful, realistically it's a
ton of work.
(the usual "pull requests welcome" of course - I wouldn't object to
making boundaries around domain admins solid, but I don't have the dev
cycles to throw at it)

On Mon, 25 Sep 2017, at 18:19, Marco wrote:
> Hello,
>   I run Cyrus-IMAPD 2.4.17 with many virtual domains:
> virtdomains: userid
> I configured a domain administrator:
> admins: admin at
> With this account I can LIST all accounts in domain
> only, as expected.
> Let suppose the Cyrus-IMAPD server stores also accounts for other
> domains, such as domain.
> Well, I see that I can SASL PLAIN login using admin at on
> accounts too, if I know their names. I can't
> understand why this could happen. It seems a security issue.
> Is there a way to prevent this issue without modifying ACL on all
> accounts?
> Thank you
> Marco
> ----
> Cyrus Home Page:
> List Archives/Info:
> To Unsubscribe:

  Bron Gondwana, CEO, FastMail Pty Ltd
  brong at
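The behaviour Marco describes is SASL PLAIN proxy authorization: the PLAIN message (RFC 4616) carries an optional authorization identity (authzid) in front of the authentication identity (authcid) and password, and a server that trusts the authcid as an admin lets it act as the authzid. Bron's reply says Cyrus does not fence that by domain. The following is an added example, not code from this thread or from the Cyrus project: it encodes and decodes the PLAIN message and applies a hypothetical domain-boundary policy (`may_proxy`) of the kind a front-end proxy or a patched server would need in order to stop a domain admin from authorizing as a user in another domain. The admin list, user names and domains (`example.com`, `example.net`) are constructed for the demonstration.

```python
import base64

# Constructed sample: the equivalent of "admins: admin@example.com" in imapd.conf.
ADMINS = {"admin@example.com"}


def build_plain(authcid: str, password: str, authzid: str = "") -> str:
    """Encode a SASL PLAIN initial response as sent on an IMAP AUTHENTICATE line.

    RFC 4616 layout: [authzid] NUL authcid NUL passwd, then base64.
    An empty authzid means "act as the authenticated user".
    """
    for part in (authzid, authcid, password):
        if "\x00" in part:
            raise ValueError("NUL is not permitted inside a PLAIN field")
    raw = f"{authzid}\x00{authcid}\x00{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_plain(b64: str):
    """Decode a PLAIN message into (authzid, authcid, password).

    If the client left authzid empty, it defaults to authcid, which is what
    a server does when no proxy authorization is requested.
    """
    parts = base64.b64decode(b64).split(b"\x00")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN message: expected exactly two NUL separators")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    return (authzid or authcid), authcid, password


def domain_of(userid: str) -> str:
    """Domain part of a virtdomains-style userid, '' for a domainless (global) user."""
    return userid.rsplit("@", 1)[1].lower() if "@" in userid else ""


def may_proxy(authcid: str, authzid: str, admins) -> bool:
    """Hypothetical policy (not what Cyrus implements): an admin may only
    authorize as users inside the admin's own domain. A domainless admin
    is treated as a global admin and may authorize as anyone.
    """
    if authzid == authcid:
        return True            # plain login, no proxying involved
    if authcid not in admins:
        return False           # ordinary users never get to proxy
    admin_domain = domain_of(authcid)
    if admin_domain == "":
        return True            # global admin
    return domain_of(authzid) == admin_domain


def check_login(b64: str, admins=ADMINS):
    """Decode a PLAIN message and decide whether the requested identity is
    permitted. Returns (allowed, effective_user, authenticating_user).
    Password verification is out of scope here and assumed to happen elsewhere.
    """
    authzid, authcid, _password = parse_plain(b64)
    return may_proxy(authcid, authzid, admins), authzid, authcid


if __name__ == "__main__":
    # Admin of example.com authorizing as a user in example.net: the case from the thread.
    msg = build_plain("admin@example.com", "s3cret", authzid="bob@example.net")
    print(check_login(msg))     # (False, 'bob@example.net', 'admin@example.com')
    # Same admin staying inside its own domain.
    msg = build_plain("admin@example.com", "s3cret", authzid="alice@example.com")
    print(check_login(msg))     # (True, 'alice@example.com', 'admin@example.com')
```

The policy deliberately keys on the admin's own domain rather than on the mailbox ACLs, because the question was how to stop the cross-domain authorization without touching every account's ACL; in an unmodified Cyrus deployment the only equivalent boundary, as the reply says, is a separate instance per domain.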


More information about the Info-cyrus mailing list