Philippe Kueck:
> Hi all,
> 
> a while ago I thought it was a good opportunity to restrict our cyrus
> imapd access control by only allowing the admin user ("cyrus") and the
> mailbox owner itself to post to a mailbox, e.g.
> 
> > user.foo: foo: lrswipkxtecdan
> > user.foo: cyrus: p
> > user.foo.bar: foo: lrswipkxtecdan
> > user.foo.bar: cyrus: p
> > ...
> 
> Before, "anyone" had the access right to post ("p") to mailboxes.
> 
> Now, when delivering directly to a folder using sub-addressing (e.g.
> [email protected]) postfix is unable to do so and the mail gets
> delivered to the user's inbox, instead. At least when using lmtp:
> 
> > mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
> 
> When using cyrus-deliver it works fine.
> 
> > mailbox_transport = cyrus
> > cyrus unix - n n - - pipe
> >   user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -a cyrus -r ${sender} -m ${extension} ${user}
> 
> The lmtp dialogue between postfix and cyrus differs from the dialogue
> between cyrus-deliver and cyrus by the MAIL FROM line:
> 
> postfix:
> > MAIL FROM:<[email protected]> SIZE=123
> 
> cyrus-deliver:
> > MAIL FROM:<[email protected]> AUTH=cyrus
> 
> So, obviously, the "AUTH" keyword is it.
> 
> I didn't find a way to set this keyword, the closest match is postfix
> sending an "AUTH=<>" when using sasl.
> 
> So, afaics I had three options:
> 1. use cyrus-deliver instead of lmtp or
> 2. allow "anyone" to post messages to mailboxes or
> 3. do something about it.
> 
> I chose the third option and wrote a - probably dirty - patch[1] to make
> postfix send a dummy AUTH together with MAIL FROM. Works fine for me.
> 
> Is there a better solution that didn't come to my mind yet?

Implement smtp_command_maps/lmtp_command_maps? That would take care
of all future perversion.

        Wietse
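
An added example, not part of either message and not Postfix or Cyrus code: a simplified Python model of the behaviour discussed in this thread, where the identity given in the LMTP `MAIL FROM ... AUTH=` parameter is checked against the "p" right of the sub-addressed folder and delivery falls back to the inbox otherwise. The function names, the `user.old` entries and the example.com addresses are constructed for illustration; the ACL listing format and the fallback follow the original post.

```python
import re

# Constructed ACL listing in the format shown in the post.
# user.foo is the restricted setup; user.old is the earlier "anyone: p" setup.
ACL_LISTING = """\
user.foo: foo: lrswipkxtecdan
user.foo: cyrus: p
user.foo.bar: foo: lrswipkxtecdan
user.foo.bar: cyrus: p
user.old: old: lrswipkxtecdan
user.old.bar: old: lrswipkxtecdan
user.old.bar: anyone: p
"""

def parse_acls(listing):
    """Return {mailbox: {identifier: set(rights)}} from 'mbox: id: rights' lines."""
    acls = {}
    for line in listing.splitlines():
        mailbox, ident, rights = (field.strip() for field in line.split(":"))
        acls.setdefault(mailbox, {})[ident] = set(rights)
    return acls

def auth_identity(mail_from_line):
    """Extract the AUTH= identity from a MAIL FROM line; 'AUTH=<>' or no AUTH means none."""
    match = re.search(r"\sAUTH=(\S+)", mail_from_line, re.IGNORECASE)
    if not match or match.group(1) == "<>":
        return None
    return match.group(1)

def may_post(acls, mailbox, identity):
    """True if 'anyone' or the given identity holds the post right ('p')."""
    entry = acls.get(mailbox, {})
    granted = set(entry.get("anyone", set()))
    if identity is not None:
        granted |= entry.get(identity, set())
    return "p" in granted

def delivery_target(acls, mail_from_line, user, extension):
    """Model of the observed outcome: the folder if posting is allowed, else the inbox."""
    inbox = f"user.{user}"
    folder = f"{inbox}.{extension}" if extension else inbox
    if folder in acls and may_post(acls, folder, auth_identity(mail_from_line)):
        return folder
    return inbox

if __name__ == "__main__":
    acls = parse_acls(ACL_LISTING)
    for line in ("MAIL FROM:<sender@example.com> SIZE=123",
                 "MAIL FROM:<sender@example.com> AUTH=cyrus"):
        print(line, "->", delivery_target(acls, line, "foo", "bar"))
```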
