Re: creating user-mailboxes without cyradm
On Mon, Jan 27, 2003 at 12:28:56PM -0500, Ken Murchison wrote: is there a way to create INBOXes for users by IMAP-commands Sure, read RFC 2060. You'd do tag CREATE user/username How is this dealt with in respect to security and reliability? Just write a script that logs in and automatically creates mailboxes from randomly generated (user-) names until the storage is full. That's sort of making DOS attacks utterly easy. GH
Re: creating user-mailboxes without cyradm
On Wed, 5 Feb 2003, Hans Wilmer wrote: How is this dealt with in respect to security and reliability? Only admins can do this for any username, there is a config option that allows authenticated users to do this for their own mailbox, but no others. Just write a script that logs in and automatically creates mailboxes from randomly generated (user-) names until the storage is full. That's sort of making DOS attacks utterly easy. If your admins are trying to DOS you, you've got bigger problems. -Rob -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456 Research Systems Programmer * /usr/contributed Gatekeeper
Re: creating user-mailboxes without cyradm
On Wed, 5 Feb 2003, Hans Wilmer wrote: On Mon, Jan 27, 2003 at 12:28:56PM -0500, Ken Murchison wrote: is there a way to create INBOXes for users by IMAP-commands Sure, read RFC 2060. You'd do tag CREATE user/username How is this dealt with in respect to security and reliability? Just write a script that logs in and automatically creates mailboxes from randomly generated (user-) names until the storage is full. That's sort of making DOS attacks utterly easy. If a cyrus admin wants to DOS attack his/her own server, they're allowed to. If a regular user attempts to create top-level mailboxes, they'll get a NO permission denied or equivalent. Dave -- Dave McMurtrie, Systems Programmer University of Pittsburgh Computing Services and Systems Development, Development Services -- UNIX and VMS Services 717P Cathedral of Learning (412)-624-6413
Re: creating user-mailboxes without cyradm
Hans Wilmer wrote: Sure, read RFC 2060. You'd do tag CREATE user/username How is this dealt with in respect to security and reliability? Just write a script that logs in and automatically creates mailboxes from randomly generated (user-) names until the storage is full. That's sort of making DOS attacks utterly easy. Obviously you have to be authenticated as a user with privileges to create the folders. This is no different than saying you should connect to an IMAP server and append millions of messages -- the answer is still proper authentication and access controls. -- John A. Tamplin Unix System Administrator Emory University, School of Public Health +1 404/727-9931
Re: creating user-mailboxes without cyradm
On Wed, Feb 05, 2003 at 02:13:55PM -0500, Rob Siemborski wrote: How is this dealt with in respect to security and reliability? Only admins can do this for any username, there is a config option that allows authenticated users to do this for their own mailbox, but no others. Ah! THX, I've tried it now and found it working as it should :) full. That's sort of making DOS attacks utterly easy. If your admins are trying to DOS you, you've got bigger problems. Well, I'm always using the latest lart from cvs, in a prophylactic manner ;) GH
creating user-mailboxes without cyradm
Hello, is there a way to create INBOXes for users by IMAP-commands instead of using cyradm? I want to control the creation of mailboxes from a java-servlet. Another strange thing is, that I cannot use cyradm at all. I have set up cyrus to use sasl-auxprop authentication against a mysql-db. logging in to imap works fine using this authentication and the user listed as admin in /etc/imapd.conf was even able to create his own inbox using the CREATE-command in imap. But when I try to login to cyradm with this user it always looks like this: ---snip--- sh#: cyradm --user testuser 127.0.0.1 Password: cyradm: cannot authenticate to server with as testuser ---snip--- Anyone knows what is missing between 'with' and 'as'? Help would be great, Philipp
Re: creating user-mailboxes without cyradm
Philipp Leusmann wrote: Hello, is there a way to create INBOXes for users by IMAP-commands instead of using cyradm? I want to control the creation of mailboxes from a java-servlet. Sure, read RFC 2060. You'd do tag CREATE user/username -- Kenneth Murchison Oceana Matrix Ltd. Software Engineer 21 Princeton Place 716-662-8973 x26 Orchard Park, NY 14127 --PGP Public Key--http://www.oceana.com/~ken/ksm.pgp
Re: creating user-mailboxes without cyradm
Philipp Leusmann schrieb: Hello, is there a way to create INBOXes for users by IMAP-commands instead of using cyradm? I want to control the creation of mailboxes from a java-servlet. Another strange thing is, that I cannot use cyradm at all. I have set up cyrus to use sasl-auxprop authentication against a mysql-db. logging in to imap works fine using this authentication and the user listed as admin in /etc/imapd.conf was even able to create his own inbox using the CREATE-command in imap. But when I try to login to cyradm with this user it always looks like this: ---snip--- sh#: cyradm --user testuser 127.0.0.1 Password: cyradm: cannot authenticate to server with as testuser ---snip--- Anyone knows what is missing between 'with' and 'as'? Maybe you should try something like: cyradm --user testuser --auth login localhost Simon Help would be great, Philipp