Kendrick Vargas wrote:
On Fri, 26 Dec 2003, Christian Schulte wrote:


Kendrick Vargas wrote:

I tried adding "defaultdomain: fakedomain.com" and even setting
"servername: fakedomain.com" without it making a difference. Any other
suggestions?

I have


servername: imap.somename.com
admins: someadmin

and no default domain! If I log in as "someadmin", the mysql auxprop plugin will query for "[EMAIL PROTECTED]" and after authentication this will be the global admin "someadmin" from the admins line with all rights.


This tends to go against the docs (as well as what everyone else is saying). However, I decided to try it, and it just doesn't work for me. I can log in as the user, but I can't create miscellaneous mailboxes. Which server version are you using? I'm on 2.2.2-BETA.
-peace



The imapd with which I do this is bound to localhost 127.0.0.1 and there this works. You are right that if I change it to bind to a publicly accessible interface it does not work anymore for some reason. When I change it to a public interface, login lookups will be done by the domain of the reverse-DNS domain from that interface or taken from the servername configuration if no lookup succeeds. For me the servername directive played a role and I think /etc/hostname also had influence here if it is not fully qualified (mainly running hostname did not show a domain)! Say if I bind imapd to 1.2.3.4 and reverse DNS tells 1.2.3.4 has name imap.somedomain.com, the lookup will be done to [EMAIL PROTECTED] for unqualified logins (host gets stripped). If the reverse-DNS name of 1.2.3.4 were something unqualified, so that the host-name stripping mechanism cannot correctly construct the domain, behaviour again changes, but I do not remember what then happens exactly. I really tried a lot to get global admin rights from the outside one year ago. I ran the relevant code under gdb many times trying to understand what exactly changes if connections do not come from localhost anymore, and I remember I somehow could prove that nobody ever will be able to get global admin rights from the outside for me. At this point I somehow liked the possibility to not let a global admin log in when not connecting to localhost for security reasons that much that I did not want to change that behaviour anymore :-)
Since you enabled virtdomains, why do you still want unqualified logins if not due to upgrading reasons from an old installation with unqualified logins? This all only has to do with unqualified logins, which I do not want/need except for the global admin. If someone plans on changing the behaviour with the global admin and defaultdomain, I would really like to keep the ability to not let a global admin in if not connecting to localhost, and of course there should be a note about the change so that next time updating cyrus I do not open up a security hole I spent hours to prove that it's greatly closed and safe :-)


--
Christian


