I've found a solution that didn't need anything fancy. Just needed to
re-read the detail a little more critically and read between the lines
and test :)
I ended up setting the following in imapd.conf
1. server_info: off
2. imapidresponse: 0
I didn't check to see which one did the trick but I'm guessing its
server_info: off. That seems like a more likely global setting to
prevent the finer information from being returning, suspect agnostic of
transport http, imapd, lmtp.
I a bit unclear on what the side effects may be for that imapidresponse
as it seems to suppress the potential information disclosure from the
server in relation to a ID command being sent to the server. Unsure if
that's "required" by IMAP clients or a nice to have but I'll monitor and
see if has any untoward side affects. If anyone has any real world
insight into what this is for and how it may be used legitimately by
clients that would be great.
On 2/10/2021 6:21 pm, AndrewHardy via Info wrote:
Hi All,
Does anyone know what Cyrus Caldav file is used to serve the unauthorised 401 error page that by default disclosed component/versioning and server name in the http response? Is there a way to customize/modify the content returned to clients on the caldav server?
I reverse proxy the service using Nginx but if I intercept error 401 in an attempt to modify the response inline, it prevents the basic authentication prompt from appearing for clients and therefore rightfully can’t access calendar.
I couldn’t find a simple answer in the docs so reaching out in case there’s something easy to do on the caldav server itself.
Thanks
Andrew
------------------------------------------
Cyrus: Info
Permalink: https://cyrus.topicbox.com/groups/info/Tbbc3f5eef79aaca8-M8cf9170c5b23eb97c4f620fc
Delivery options: https://cyrus.topicbox.com/groups/info/subscription
