Re: Log in to user mailbox as admin

On 3/16/21 10:08 AM, Nic Bernstein wrote:
On 3/16/21 10:02 AM, Michael Menge wrote:
Quoting Neil Price <nprice@xxxxxxxxxx>:

On 16/03/2021 2:35 pm, Nic Bernstein wrote:
So if I use this command I will connect to my own Inbox as the Admin user:

   imtest -a admin -u nic imap.example.com

I gather there is no way of doing this from a generic client?

It can be done by other clients, but the SASL auth mech must support it,
e.g. PLAIN does support proxy authentication, but LOGIN does not.
For a list of features see
https://www.sendmail.org/~ca/email/cyrus2/mechanisms.html

For example you could use telnet / openssl s_client

You only have to base64 encode 'authzid\0authcid\0passwd'


imapsync seems to have some way of doing it, but perhaps it detects and uses Cyrus-specific code.

It is (Cyrus-)SASL specific, not Cyrus-IMAP,
but AFAIK GNU- and Dovecot-SASL do also support it. ;-)

Just to be clear, the ability to authenticate as one user but authorize as another is specific to the mechanism in use (as also explained in the 'imtest' manpage I referenced). However, if the purpose for an admin accessing another user's mailbox is to manipulate the messages or folders, then such split identity is not required. Any user with sufficient ACLs may SELECT another user's folders and do whatever their ACLs allow. This is not specific to Cyrus or any other server, as long as the server supports the relevant RFCs.

Cheers,
    -nic


Oh, and to reply to my own message: I'll point out that the Cyrus documentation specifically mentions that one should exercise caution if logging in as admin. This is especially true with clients which present abstracted views of the folder hierarchy, like Thunderbird, or which tend to create "missing" folders, such as Drafts, Trash, Templates, etc.

This is because the admin user is not expected to be used as a typical client, but only to manage other users, via 'cyradm' or other tools. If one establishes an IMAP protocol connection as 'admin' with Thunderbird and creates the folder 'Yadda', then a new folder will be created which is outside of the 'user/' prefix.

As is mentioned in the 'imapd.conf(5)' manpage:

    Note that accounts used by users should not be administrators. Administrative accounts should not receive mail. That is, if user "jbRo" is a user reading mail, he should not also be in the admins line. Some problems may occur otherwise, most notably the ability of administrators to create top-level mailboxes visible to users, but not writable by users.

Cheers,
    -nic
-- 
Nic Bernstein                               nic@xxxxxxxxxxxxxxxx
https://www.nicbernstein.com
https://www.linkedin.com/in/nic-b-26577a178/
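The PLAIN encoding Michael describes above (authzid, authcid and password separated by NUL bytes, then base64), as an added example that is not part of the thread: it builds the initial response that `imtest -a admin -u nic` would send, parses one back out of a capture, and models the server-side decision of whether the authenticated identity may act as the requested one. The sample credentials and the `proxy_allowed` policy are constructed assumptions for illustration, not Cyrus' own code.

```python
import base64

# Constructed sample values (not from the thread): "imtest -a admin -u nic"
# authenticates as 'admin' (authcid) and authorizes as 'nic' (authzid).
SAMPLE_AUTHCID = "admin"
SAMPLE_AUTHZID = "nic"
SAMPLE_PASSWD = "s3cret-placeholder"


def build_plain(authcid: str, passwd: str, authzid: str = "") -> str:
    """Encode a SASL PLAIN initial response (RFC 4616):
    base64( authzid NUL authcid NUL passwd ).
    An empty authzid means 'authorize as the authenticated identity'."""
    for field in (authzid, authcid, passwd):
        if "\0" in field:
            raise ValueError("NUL is the separator and may not appear in a field")
    raw = "\0".join((authzid, authcid, passwd)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_plain(response: str) -> tuple[str, str, str]:
    """Decode a PLAIN response into (authzid, authcid, passwd).
    Rejects anything that is not exactly three NUL-separated fields."""
    raw = base64.b64decode(response, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError(f"expected 2 NUL separators, got {len(parts) - 1}")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("authcid and passwd must be non-empty")
    return authzid, authcid, passwd


def proxy_allowed(authcid: str, authzid: str, admins: frozenset[str]) -> bool:
    """Simplified model of the server's proxy-authorization policy (an
    assumption for illustration, not Cyrus' actual logic): everyone may act
    as themselves; only accounts on the admins line may act as someone else."""
    return authzid in ("", authcid) or authcid in admins


if __name__ == "__main__":
    msg = build_plain(SAMPLE_AUTHCID, SAMPLE_PASSWD, SAMPLE_AUTHZID)
    print("AUTHENTICATE PLAIN", msg)
    print(parse_plain(msg))
    print(proxy_allowed(SAMPLE_AUTHCID, SAMPLE_AUTHZID, frozenset({"admin"})))
```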
