On Dec 5, 2010, at 11:17 PM, Timo Sirainen wrote:
> I don't think there's any need to send "anonymous_username" to imap
> process? It just seems to want to know if the current user is anonymous
> or not. That same thing has been in my TODO list for a while already
> because ManageSieve could use that information too. So committed now:
> http://hg.dovecot.org/dovecot-2.0/rev/c41ba33b8e16
I just tried out this change and it does not replace the need for the
anonymous_username field. I only now fully understand the comment:
/* this is an anonymous login, either via ANONYMOUS
SASL mechanism or simply logging in as the anonymous
user via another mechanism */
Since the change does not distinguish between those two cases it breaks the
"authuser" access identifier for the anonymous user when he is logged in
non-anonymously. I would not really care about this edge case except that the
contributed implementation requires that the username in the IMAP URL matches
the authenticated user's username even for the "anonymous" and "authuser"
access identifiers, in violation of RFC 4467 section 4. (The implementation
requires a match because Dovecot does not (can not) reach into another user's
mail storage.) This means that the "anonymous" and "authuser" access
identifiers only work for the anonymous user in the implementation; your change
makes the "authuser" access identifier always fail for the anonymous user. The
anonymous_username field in the original contributed patch does distinguish
between SASL ANONYMOUS and logging in as the anonymous user via another
mechanism, so the "anonymous" and "authuser" access identifiers work properly
for the anonymous user (but not for any other user).
If you can teach me how to make urlfetch_url() access any user's mail storage
from an IMAP process logged in as a different user (subject to OS uid/gid
permission constraints), I can make "anonymous" and "authuser" work for all
users and use your change instead of the "anonymous_username" field.
Alternatively, you could edit your change to add the "anonymous" indication to
the auth reply only for SASL ANONYMOUS authentications rather than for all
anonymous-user authentications, unless that would cause trouble for ManageSieve.
