RE: Ban some users from accessing IMAP

Sorry for the top-post...

We had exactly this requirement, so Ken added the user_deny database a couple years ago.  Coincidentally, it was added in the 2.3.16 release, so you're set there.

The good news is that user_deny.db does exactly what you want.  It allows you to deny any specific service to a valid user, even if they can successfully authenticate to your Cyrus server.

The bad news is that there's no utility that will add things to the user_deny database for you.  I wrote a web interface that we use here.  You'll need to do something similar.  You could probably use cyr_dbtool or write a script to populate user_deny.db.  The format of it is described here: http://cyrusimap.org/docs/cyrus-imapd/2.4.17/internal/database-formats.php  (we weren't publishing the internal stuff for earlier versions of Cyrus, but the user_deny.db is still the same).

Thanks!

Dave

________________________________________
From: info-cyrus-bounces+dave64=andrew.cmu.edu@xxxxxxxxxxxxxxxxxxxx [info-cyrus-bounces+dave64=andrew.cmu.edu@xxxxxxxxxxxxxxxxxxxx] on behalf of Jason L Tibbitts III [tibbs@xxxxxxxxxxx]
Sent: Monday, April 28, 2014 12:18 PM
To: info-cyrus@xxxxxxxxxxxxxxxxxxxx
Subject: Ban some users from accessing IMAP

I have a pretty simple cyrus setup; I have a long-running 2.3.16 install
on RHEL5 (one day I'll update), with authentication handled by
cyrus-sasl 2.1.22 and everything authenticating to a kerberos server.

What I would like to do is ban some valid users from accessing IMAP.
We've had a rash of users falling victim to phishing attacks and would
like to simply prevent those users from any remote access.  So they need
a valid kerberos principal in order to access desktops here, but would
lose IMAP access.  (Need to ban remote SSH access as well, but that's
trivial with DenyGroups).

I know this probably isn't strictly a Cyrus IMAPd thing, but I figure
some folks must have run into this kind of requirement before.  I
realize I also need to restrict SMTP logins as well, but that goes
through SASL and the Kerberos server as well so if the solution involves
either of those then perhaps I get it for free.

 - J<
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
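
The "write a script to populate user_deny.db" route mentioned in the reply, sketched as an added example; this is not code from the thread or from the Cyrus project. It assumes the record layout from the linked database-formats document (key = userid, value = version, service wildmat list and deny message separated by tabs, version 2), and the database path, the `flat` backend and the user and service names are placeholders to check against your own install.

```python
import fnmatch
import shlex

# Assumptions (not from the thread): record layout as read from the linked
# database-formats document, key = userid and
# value = VERSION <TAB> comma-separated service wildmats <TAB> deny message.
USERDENY_VERSION = "2"                   # assumed record version
DB_PATH = "/var/lib/imap/user_deny.db"   # placeholder path
DB_BACKEND = "flat"                      # placeholder backend name


def build_value(services, message):
    """Return the record value that denies the given service patterns."""
    for field in [*services, message]:
        # A tab or newline would corrupt the tab-separated record.
        if not field or any(c in field for c in "\t\r\n"):
            raise ValueError(f"illegal field: {field!r}")
    if not services or any("," in s for s in services):
        raise ValueError("need at least one pattern, none containing ','")
    return "\t".join([USERDENY_VERSION, ",".join(services), message])


def is_denied(value, service):
    """Check a record the way it is assumed to be evaluated: patterns are
    scanned right to left, the first match decides, and '!' negates.
    fnmatch stands in for wildmat here."""
    version, wild, _message = value.split("\t", 2)
    if version != USERDENY_VERSION:
        raise ValueError(f"unexpected record version {version!r}")
    for pat in reversed(wild.split(",")):
        negated = pat.startswith("!")
        if fnmatch.fnmatchcase(service, pat[1:] if negated else pat):
            return not negated
    return False


def dbtool_argv(userid, services, message):
    """argv for: cyr_dbtool db-file db-backend set key value"""
    if not userid or any(c.isspace() for c in userid):
        raise ValueError(f"illegal userid: {userid!r}")
    return ["cyr_dbtool", DB_PATH, DB_BACKEND, "set", userid,
            build_value(services, message)]


if __name__ == "__main__":
    # Constructed sample: user "jdoe" and service names "imap"/"pop3".
    argv = dbtool_argv("jdoe", ["imap", "pop3"], "Access suspended")
    assert is_denied(argv[-1], "imap") and not is_denied(argv[-1], "sieve")
    print(shlex.join(argv))  # dry run: prints the command for review
```

Checking each record with `is_denied` before writing it catches a pattern list that would lock a user out of more services than intended, or fewer.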