Re: Using user_deny.db

On 09/19/2017 11:31 AM, Michael Sofka wrote:
On 09/19/2017 10:28 AM, Ken Murchison wrote:
I believe that it is prior to authentication, based on my notes:

https://lists.andrew.cmu.edu/pipermail/info-cyrus/2010-June/033119.html

user_deny.db is NOT checked prior to completion of LOGIN authentication, although it probably could/should. It works for POP3 USER/PASS because user_deny.db is checked in the command processing loop, so it happens between the USER and PASS commands.

Oh well. I agree that it would be a useful check before login authentication takes place.

There IS a check during the SASL proxy policy callback, but that isn't used for protocol-specific plaintext authentication commands. I just tested a quick patch which moved the check into the user canonicalization callback (which IS used by IMAP LOGIN, etc.) and it works as expected. I would need to do further testing to make sure there aren't any unintended consequences.



Meanwhile, any more comprehensive examples or documentation?

https://www.cyrusimap.org/imap/concepts/deployment/databases.html#user-access-user-deny-db


--
Kenneth Murchison
Cyrus Development Team
FastMail Pty Ltd

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus


