Sorry for the top-post... We had exactly this requirement, so Ken added the user_deny database a couple years ago. Coincidentally, it was added in the 2.3.16 release, so you're set there. The good news is that user_deny.db does exactly what you want. It allows you to deny any specific service to a valid user, even if they can successfully authenticate to your Cyrus server. The bad news is that there's no utility that will add things to the user_deny database for you. I wrote a web interface that we use here. You'll need to do something similar. You could probably use cyr_dbtool or write a script to populate user_deny.db. The format of it is described here: http://cyrusimap.org/docs/cyrus-imapd/2.4.17/internal/database-formats.php (we weren't publishing the internal stuff for earlier versions of Cyrus, but the user_deny.db is still the same). Thanks! Dave ________________________________________ From: info-cyrus-bounces+dave64=andrew.cmu.edu@xxxxxxxxxxxxxxxxxxxx [info-cyrus-bounces+dave64=andrew.cmu.edu@xxxxxxxxxxxxxxxxxxxx] on behalf of Jason L Tibbitts III [tibbs@xxxxxxxxxxx] Sent: Monday, April 28, 2014 12:18 PM To: info-cyrus@xxxxxxxxxxxxxxxxxxxx Subject: Ban some users from accessing IMAP I have a pretty simple cyrus setup; I have a long-running 2.3.16 install on RHEL5 (one day I'll update), with authentication handled by cyrus-sasl 2.1.22 and everything authenticating to a kerberos server. What I would like to do is ban some valid users from accessing IMAP. We've had a rash of users falling victim to phishing attacks and would like to simply prevent those users from any remote access. So they need a valid kerberos principal in order to access desktops here, but would lose IMAP access. (Need to ban remote SSH access as well, but that's trivial with DenyGroups). I know this probably isn't strictly a Cyrus IMAPd thing, but I figure some folks must have run into this kind of requirement before. I realize I also need to restrict SMTP logins as well, but that goes through SASL and the Kerberos server as well so if the solution involves either of those then perhaps I get it for free. - J< ---- Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus ---- Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
