RE: Any Decent IMAP server? [single-uid interface]
Baah... I figure that I'll just provide my interface for now to let you all see
if this is something that would be useful. I think I've made it general enough
to write anything you want in the authentication/authorization function.
begin interface description -
Here is the relevant data from vpop.h:
vpop__data* vpop__userauthen (char* username, char* password, char*
default_base_username);
typedef struct {
int valid_form;
int valid_user;
char* unix_username;
char* virtual_username;
char* black_box_home;
int authenticated;
char* log_error;
} vpop__data;
The function vpop__userauthen is called whenever a user is trying to
authenticate with the system. It is called _before_ any unix usernames are
checked. Depending on the values in the returned vpop__data structure, the
username and password will or will not be checked as a valid UNIX username.
Here are the details...
vpop__useauthen is called with, of course, the username and the password of the
user trying to connect. However "default_base_username" is a little weird. If
c-client is trying to login a user and it is not running as root it will
provide the username of the current user in default_base_username here. If
c-client is running as root, and can switch to any user then this will e NULL.
(You will not get a non-NULL value from imapd but rather from tools like dmail
in the imap-utils package. These tools are used for things like local delivery
and are already running as the correct UNIX user.)
vpop__userauthen then gets to control what c-client does by the structure it
returns... here are what the values mean
* valid_form specifies if the username looks like a virtual username. If this
is returned as true, c-client does not try to check the username and password
as a UNIX user. If valid_form is false, vpop__userauthen should set it false
and just return there.
* valid_user specifies if this username is a valid username. This can only be
true if valid_form is true.
* unix_username specifies the UNIX username that we should switch uid/gid to
when accessing the mail of the virtual user.
* virtual_username specifies the virtual username of the virtual e-mail
account. Does not have to be a valid login user or anything. Not currently used
for anything. :-)
* black_box_home specifies the directory where the e-mail for this user will
be stored. unix_username should have write permission here. The user is locked
down into this directory and now allowed to get mail from anywhere else in the
system.
* authenticated specifies if the password was correct. Even if the supplied
password was incorrect vpop__userauthen is required to set the unix_username,
virtual_username, and black_box_home values. This is because sometimes this
information is needed without password authentication outside of imapd, such as
when dmail is used to deliver to a virtual e-mail user.
* log_error is a string to log as an error. If this is not NULL, it will be
written to the standard c-client error reporting device. Inside of imapd this
will work its way into syslog.
end interface description -
I figure that someone could just write a vpop__userauthen function to run a
little external program, such as interfacing to one of the currently existing
virtual user packages. Other hackers could just write their own site specific
vpop__userauthen functions like I have done.
Oh, one note. This is really an imapd and ipop3d server together. The c-client
library is modified which is used by imapd, ipop3d, and imap-utils. This way
you write this once function and it works for all your mail server programs.
- David Harris
Principal Engineer, DRH Internet Services
Re: Any Decent IMAP server? [single-uid interface]
While digging thru the code...
Here's a situation. Let's say you've got a poopload of virtual domains all
pointing to a single IP address (a cheap solution =8-)) and of course there
is a ton of overlapping names. How would you authenticate those users? Would
you include a domain in the login as you did before? Like denis-o3m.com ?
Maybe I am missing something...
Denis Voitenko
Tel: 856 809-9252
Mail: [EMAIL PROTECTED]
ICQ: 9396092
- Original Message -
From: David Harris [EMAIL PROTECTED]
To: Thomas Neumann [EMAIL PROTECTED]; Denis Voitenko [EMAIL PROTECTED]
Cc: Philip Gabbert [EMAIL PROTECTED]; qmail [EMAIL PROTECTED]; David
Harris [EMAIL PROTECTED]
Sent: Thursday, December 02, 1999 7:47 AM
Subject: RE: Any Decent IMAP server? [single-uid interface]
Baah... I figure that I'll just provide my interface for now to let you
all see
if this is something that would be useful. I think I've made it general
enough
to write anything you want in the authentication/authorization function.
begin interface description -
Here is the relevant data from vpop.h:
vpop__data* vpop__userauthen (char* username, char* password, char*
default_base_username);
typedef struct {
int valid_form;
int valid_user;
char* unix_username;
char* virtual_username;
char* black_box_home;
int authenticated;
char* log_error;
} vpop__data;
The function vpop__userauthen is called whenever a user is trying to
authenticate with the system. It is called _before_ any unix usernames are
checked. Depending on the values in the returned vpop__data structure, the
username and password will or will not be checked as a valid UNIX
username.
Here are the details...
vpop__useauthen is called with, of course, the username and the password
of the
user trying to connect. However "default_base_username" is a little weird.
If
c-client is trying to login a user and it is not running as root it will
provide the username of the current user in default_base_username here. If
c-client is running as root, and can switch to any user then this will e
NULL.
(You will not get a non-NULL value from imapd but rather from tools like
dmail
in the imap-utils package. These tools are used for things like local
delivery
and are already running as the correct UNIX user.)
vpop__userauthen then gets to control what c-client does by the structure
it
returns... here are what the values mean
* valid_form specifies if the username looks like a virtual username. If
this
is returned as true, c-client does not try to check the username and
password
as a UNIX user. If valid_form is false, vpop__userauthen should set it
false
and just return there.
* valid_user specifies if this username is a valid username. This can
only be
true if valid_form is true.
* unix_username specifies the UNIX username that we should switch uid/gid
to
when accessing the mail of the virtual user.
* virtual_username specifies the virtual username of the virtual e-mail
account. Does not have to be a valid login user or anything. Not currently
used
for anything. :-)
* black_box_home specifies the directory where the e-mail for this user
will
be stored. unix_username should have write permission here. The user is
locked
down into this directory and now allowed to get mail from anywhere else in
the
system.
* authenticated specifies if the password was correct. Even if the
supplied
password was incorrect vpop__userauthen is required to set the
unix_username,
virtual_username, and black_box_home values. This is because sometimes
this
information is needed without password authentication outside of imapd,
such as
when dmail is used to deliver to a virtual e-mail user.
* log_error is a string to log as an error. If this is not NULL, it will
be
written to the standard c-client error reporting device. Inside of imapd
this
will work its way into syslog.
end interface description -
I figure that someone could just write a vpop__userauthen function to run
a
little external program, such as interfacing to one of the currently
existing
virtual user packages. Other hackers could just write their own site
specific
vpop__userauthen functions like I have done.
Oh, one note. This is really an imapd and ipop3d server together. The
c-client
library is modified which is used by imapd, ipop3d, and imap-utils. This
way
you write this once function and it works for all your mail server
programs.
- David Harris
Principal Engineer, DRH Internet Services
RE: Any Decent IMAP server? [single-uid interface]
Make the username be in the form "user%domain.com". Then look these up in a database or DB File or cdb to get the home directory, the encoded password, and (if they are not all running under the same user) the unix username to switch to. - David Harris Principal Engineer, DRH Internet Services -Original Message- From: Denis Voitenko [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 02, 1999 2:54 PM To: David Harris; Thomas Neumann Cc: Philip Gabbert; qmail Subject: Re: Any Decent IMAP server? [single-uid interface] While digging thru the code... Here's a situation. Let's say you've got a poopload of virtual domains all pointing to a single IP address (a cheap solution =8-)) and of course there is a ton of overlapping names. How would you authenticate those users? Would you include a domain in the login as you did before? Like denis-o3m.com ? Maybe I am missing something... Denis Voitenko Tel: 856 809-9252 Mail: [EMAIL PROTECTED] ICQ: 9396092
RE: Any Decent IMAP server? [single-uid interface]
What I did for a very simular project was develop a replacement to getpwent for uwimad. then when linking the Imap server, Just include the new "getpwent" instead of the standard system one and away you go. if you require more info on this let me know and I'll send my getpwent to you. At 11:57 AM 12/2/99 -0500, David Harris wrote: Make the username be in the form "user%domain.com". Then look these up in a database or DB File or cdb to get the home directory, the encoded password, and (if they are not all running under the same user) the unix username to switch to. - David Harris Principal Engineer, DRH Internet Services -Original Message- From: Denis Voitenko [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 02, 1999 2:54 PM To:David Harris; Thomas Neumann Cc:Philip Gabbert; qmail Subject: Re: Any Decent IMAP server? [single-uid interface] While digging thru the code... Here's a situation. Let's say you've got a poopload of virtual domains all pointing to a single IP address (a cheap solution =8-)) and of course there is a ton of overlapping names. How would you authenticate those users? Would you include a domain in the login as you did before? Like denis-o3m.com ? Maybe I am missing something... Denis Voitenko Tel: 856 809-9252 Mail: [EMAIL PROTECTED] ICQ: 9396092
RE: Any Decent IMAP server? [single-uid interface]
Darcy Buskermolen [mailto:[EMAIL PROTECTED]] wrote: What I did for a very simular project was develop a replacement to getpwent for uwimad. then when linking the Imap server, Just include the new "getpwent" instead of the standard system one and away you go. if you require more info on this let me know and I'll send my getpwent to you. How do you deal with password checking? Seems to me that your username would get passed to the pam library (or whatever your system does) and then fail. Did you also hack up the checkpw function? Please send a copy to me. Right now I'm trying to figure out if it's worth taking the time to package my thing up nicely and release it open source style. That means it has gotta: (a) be a good solution for what other people want to do (and no way better solution already floating around), (b) and be something that more than a couple people want - David Harris Principal Engineer, DRH Internet Services
