Re: [Dovecot] Disabling users whilst still allowing logins with a 'master password'
On May 5, 2009, at 10:24 AM, Dominic Hargreaves wrote:
> On Fri, May 01, 2009 at 04:38:46PM -0400, Timo Sirainen wrote:
>> But, anyway, how about using mail_executable script that checks if the
>> logging in user is a master or user not, and if not check if the user is
>> in some deny database. http://wiki.dovecot.org/PostLoginScripting
>
> One question about this mechanism that isn't made explicit, although
> certainly implied by the examples: are $USER and $IP guaranteed to exist
> and be sanitised?

Yes.

Re: [Dovecot] Disabling users whilst still allowing logins with a 'master password'
On Fri, May 01, 2009 at 04:38:46PM -0400, Timo Sirainen wrote:
> But, anyway, how about using mail_executable script that checks if the
> logging in user is a master or user not, and if not check if the user is
> in some deny database. http://wiki.dovecot.org/PostLoginScripting

One question about this mechanism that isn't made explicit, although
certainly implied by the examples: are $USER and $IP guaranteed to exist
and be sanitised?

Thanks,
Dominic.

--
Dominic Hargreaves, Systems Development and Support Team
Computing Services, University of Oxford

Re: [Dovecot] Disabling users whilst still allowing logins with a 'master password'
On Fri, May 01, 2009 at 04:38:46PM -0400, Timo Sirainen wrote:
> GSSAPI code is a bit of a mystery to me. :) I guess it would be possible
> to change it like that.
>
> But, anyway, how about using mail_executable script that checks if the
> logging in user is a master or user not, and if not check if the user is
> in some deny database. http://wiki.dovecot.org/PostLoginScripting

Yes, I think that's going to be the best idea. Thanks for pointing out
what seems pretty obvious now :)

Dominic.

--
Dominic Hargreaves, Systems Development and Support Team
Computing Services, University of Oxford

Re: [Dovecot] Disabling users whilst still allowing logins with a 'master password'
On Thu, 2009-04-30 at 17:33 +0100, Dominic Hargreaves wrote:
> It would seem to be generally useful to be able to check GSSAPI logins
> against a deny passdb, but is this a valid code change?

GSSAPI code is a bit of a mystery to me. :) I guess it would be possible
to change it like that.

But, anyway, how about using mail_executable script that checks if the
logging in user is a master or user not, and if not check if the user is
in some deny database. http://wiki.dovecot.org/PostLoginScripting

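The check suggested in the message above, written as a post-login wrapper; this is an added example, not part of the thread and not Dovecot's own code. The deny file path and its one-username-per-line format, the use of a non-empty `MASTER_USER` variable to recognise a master login, and passing the real mail binary as the script's arguments are assumptions; `$USER` and `$IP` are the variables discussed in the thread.

```shell
#!/bin/sh
# Added example: deny-list check for a post-login script.
# Assumptions: deny list is a text file with one username per line;
# a master login is signalled by a non-empty MASTER_USER variable.

DENY_FILE="${DENY_FILE:-/etc/dovecot/deny-users}"   # hypothetical path

# login_allowed USER MASTER_USER DENY_FILE
# Returns 0 if the session may proceed, 1 if it must be refused.
login_allowed() {
    user=$1
    master=$2
    deny=$3
    # Refuse an empty username instead of matching it against the list.
    [ -n "$user" ] || return 1
    # Master logins bypass the deny list (the migration use case).
    [ -n "$master" ] && return 0
    # Fail closed: an unreadable deny list refuses ordinary logins.
    [ -r "$deny" ] || return 1
    # -F fixed string, -x whole line: "bob" never matches "bobby".
    # "--" stops a name beginning with "-" being read as a grep option.
    if grep -Fxq -- "$user" "$deny"; then
        return 1
    fi
    return 0
}

# Decide, then hand over to the command given as arguments
# (assumed to be the real mail binary).
postlogin_main() {
    if login_allowed "${USER:-}" "${MASTER_USER:-}" "$DENY_FILE"; then
        exec "$@"
    fi
    echo "login refused for ${USER:-unset} from ${IP:-unset}" >&2
    return 1
}

# Only act when a command to execute was passed in.
if [ "$#" -gt 0 ]; then
    postlogin_main "$@"
fi
```

Keeping the deny file writable only by root matters here, since anyone who can edit it controls who is locked out.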
Re: [Dovecot] Disabling users whilst still allowing logins with a 'master password'
Hi Dominic,

> Normally to disable logins for a user we chmod their mail store to 0
> so they can't access it, which has the same effect, but this obviously
> also prevents the master password from being able to access it.

Would it be feasible to chown the mailstore to some special user and use
the account of that user to access the mailbox instead of the master
password?

Or, alternatively, run a second instance of dovecot-imapd (running as
that special) to let the migration process access the mailboxes?

Not very pretty, but since this is only for migration, I'd say it would
suffice if it works?

Gr.

Matthijs