That's going to be the case on all versions of Cyrus - admins have quite a lot of "root"-like power, and the @domain limitation is quite lightweight as you can see!
I would recommend running a completely separate Cyrus instance per zone of control if this is a concern - while it would be nice to lock down all the ways in which admins are powerful, realistically it's a ton of work.
(the usual "pull requests welcome" of course - I wouldn't object to making boundaries around domain admins solid, but I don't have the dev cycles to throw at it)
Bron.
On Mon, 25 Sep 2017, at 18:19, Marco wrote:
Hello,

I run Cyrus-IMAPD 2.4.17 with many virtual domains:

virtdomains: userid

I configured a domain administrator:

admins: admin@xxxxxxxxxxx

With this account I can LIST all accounts in example.com domain only, as expected.

Let's suppose the Cyrus-IMAPD server also stores accounts for other domains, such as example2.com domain.

Well, I see that I can SASL PLAIN login using admin@xxxxxxxxxxx on example2.com accounts too, if I know their names. I can't understand why this could happen. It seems a security issue.

Is there a way to prevent this issue without modifying ACL on all accounts?

Thank you
Marco

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
--
Bron Gondwana, CEO, FastMail Pty Ltd
brong@xxxxxxxxxxxxxxxx
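Added example (not part of the thread and not Cyrus project code): a small audit that reads an imapd.conf and reports each domain-qualified entry in `admins` that shares the instance with other domains, which is the situation the reply recommends splitting into separate instances. The sample config, the admin address and the hosted-domain list are constructed; the parser handles only plain `option: value` lines and `#` comments.

```python
# Added example: flag domain admins that share a Cyrus instance with
# other domains. Sample config and domain list below are constructed.

SAMPLE_CONF = """\
# constructed sample, not taken from the thread
configdirectory: /var/lib/imap
virtdomains: userid
admins: cyrus admin@example.com
"""

def parse_imapd_conf(text):
    """Parse 'option: value' lines; skip blank lines and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        conf[key.strip().lower()] = value.strip()
    return conf

def audit_domain_admins(conf, hosted_domains):
    """Return (admin, admin_domain, exposed_domains) for every
    domain-qualified admin that shares the instance with other domains."""
    # Assumption: these values all mean virtual domains are disabled.
    if conf.get("virtdomains", "off").lower() in ("off", "no", "0", "false"):
        return []
    hosted = {d.lower() for d in hosted_domains}
    findings = []
    for admin in conf.get("admins", "").split():
        _local, sep, domain = admin.rpartition("@")
        if not sep:
            continue  # unqualified admin: instance-wide by design
        exposed = sorted(hosted - {domain.lower()})
        if exposed:
            findings.append((admin, domain.lower(), exposed))
    return findings

if __name__ == "__main__":
    conf = parse_imapd_conf(SAMPLE_CONF)
    hosted = ["example.com", "example2.com"]  # constructed domain list
    for admin, dom, exposed in audit_domain_admins(conf, hosted):
        print(f"{admin} (admin for {dom}) shares this instance with "
              f"{', '.join(exposed)}; consider a separate Cyrus instance")
```
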