Hi all,

a while ago I thought it was a good opportunity to restrict our cyrus
imapd access control by only allowing the admin user ("cyrus") and the
mailbox owner itself to post to a mailbox, e.g.

> user.foo: foo: lrswipkxtecdan
> user.foo: cyrus: p
> user.foo.bar: foo: lrswipkxtecdan
> user.foo.bar: cyrus: p
> ...

Before, "anyone" had the access right to post ("p") to mailboxes.

Now, when delivering directly to a folder using sub-addressing (e.g.
[email protected]) postfix is unable to do so and the mail gets
delivered to the user's inbox, instead. At least when using lmtp:

> mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp

When using cyrus-deliver it works fine.

> mailbox_transport = cyrus
> cyrus unix - n n - - pipe
> user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -a cyrus -r ${sender} -m ${extension} ${user}

The lmtp dialogue between postfix and cyrus differs from the dialogue
between cyrus-deliver and cyrus by the MAIL FROM line:

postfix:
> MAIL FROM:<[email protected]> SIZE=123

cyrus-deliver:
> MAIL FROM:<[email protected]> AUTH=cyrus

So, obviously, the "AUTH" keyword is it.

I didn't find a way to set this keyword, the closest match is postfix
sending an "AUTH=<>" when using sasl.

So, afaics I had three options:
1. use cyrus-deliver instead of lmtp or
2. allow "anyone" to post messages to mailboxes or
3. do something about it.

I chose the third option and wrote a - probably dirty - patch[1] to make
postfix send a dummy AUTH together with MAIL FROM. Works fine for me.

Is there a better solution that didn't come to my mind yet?

Kind regards

Philippe


[1] https://gist.github.com/philfry/2885159f3f5eb062db5f80d7088ef7c8
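
The difference between the two MAIL FROM lines above, as an added example that is not part of the original post and is not Postfix or Cyrus code: it parses the AUTH= parameter (xtext-decoded, with AUTH=<> meaning no identity) and applies a simplified model of the "p" check with the inbox fallback the post describes. The sender address and all function names are constructed for illustration, and the ACL model ignores groups, negative rights and admin privileges.

```python
import re

# xtext (RFC 3461): printable ASCII except "+" and "=", or "+HH" hex escapes.
_XTEXT = re.compile(r"(?:[!-*,-<>-~]|\+[0-9A-F]{2})*")

def parse_mail_from(line):
    """Split an (L)SMTP MAIL FROM command into reverse-path and ESMTP parameters."""
    m = re.fullmatch(r"MAIL FROM:\s*<([^>]*)>(.*)", line.strip(), re.I)
    if not m:
        raise ValueError("not a MAIL FROM command: %r" % line)
    params = {}
    for token in m.group(2).split():
        key, _, value = token.partition("=")
        params[key.upper()] = value
    return m.group(1), params

def auth_identity(line):
    """Return the identity asserted via AUTH=, or None if absent or AUTH=<>."""
    value = parse_mail_from(line)[1].get("AUTH")
    if value is None or value == "<>":
        return None
    if not _XTEXT.fullmatch(value):
        raise ValueError("AUTH value is not valid xtext: %r" % value)
    return re.sub(r"\+([0-9A-F]{2})", lambda h: chr(int(h.group(1), 16)), value)

def may_post(acl, identity):
    """Simplified model (assumption): 'p' granted to the identity or to 'anyone'."""
    rights = acl.get("anyone", "")
    if identity is not None:
        rights += acl.get(identity, "")
    return "p" in rights

def delivery_target(line, acls, inbox, folder):
    """Subfolder if posting is allowed, otherwise the inbox fallback from the post."""
    return folder if may_post(acls[folder], auth_identity(line)) else inbox

# ACLs as listed in the post; the sender address is a constructed placeholder.
ACLS = {"user.foo.bar": {"foo": "lrswipkxtecdan", "cyrus": "p"}}
POSTFIX = "MAIL FROM:<sender@example.org> SIZE=123"
DELIVER = "MAIL FROM:<sender@example.org> AUTH=cyrus"

if __name__ == "__main__":
    for line in (POSTFIX, DELIVER, "MAIL FROM:<sender@example.org> AUTH=<>"):
        print(line, "->", delivery_target(line, ACLS, "user.foo", "user.foo.bar"))
```

An AUTH= parameter is an identity the client asserts, so a server should honour it only from clients it trusts.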
