Nikolaus Rath schrieb: > Hello, > > Apparently (http://wiki.exim.org/CyrusImap) I need to let lmtpd accept > connections from localhost as pre-authenticated to make cyrus and exim > work nicely together. > > Can someone explain what this actually means security wise? I.e. what > could a malicious user on localhost do with a pre-authed connection? He can put/deliver mail in whatever mailbox. The other side: If you have a "malicious unix user" on your Cyrus Box, you'll have a bunch of another problems, far aside from delivering mails to every mailbox... Delivering mails from localhost to localhost via lmtp with authentication has the problem that the sending side does need to now the credential. If the sending side knows that credential, a "malicious user" does have access to it because the sending side is on the same box, the same container, ... Just my $0.02, Pascal -- Pascal Gienger University of Konstanz, IT Services Department ("Rechenzentrum") Electronic Communications and Web Services Building V, Room V404, Phone +49 7531 88 5048, Fax +49 7531 88 3739 ---- Cyrus Home Page: http://cyrusimap.web.cmu.edu/ Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
