Article delegate-en/3019 of [1-5169] on the server localhost:119
[Reference:<_A3018@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: Authenticating IMAP access
10 Jul 2005 19:37:23 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project


Hi,

In message <_A3018@delegate-en.ML_> on 07/11/05(03:33:39)
you Peter Kaldis <pw4fqbdyi-f4q452vgq63r.ml@ml.delegate.org> wrote:
 |>  |Hi there. I'm running delegate v9.0.2 on a RH Linux v8 machine sitting
 |>  |outside our firewall and it's serving as a secure IMAP proxy. I would like
 |>  |to control who has access to this service by using some sort of simple auth
 |>  |mechanism like PAM and the local passwd file on the machine, or something
 |>  |similar like a dedicated config file of usernames/passwds.
 |> 
 |> Does not the IMAP server have an auth mechanism ?
...
 |Hi Yutaka, thanks for the response. You are right, the IMAP server can
 |authenticate, however I'm trying to restrict the service at the proxy
 |level, so that not everyone who can access it internally can also access
 |it from the outside. A second gateway if you will, that restricts access
 |to only a select few individuals.
 |
 |I've looked at the AUTH and AUTHORIZER arguments, but they only work with
 |specific protocols, and they don't appear to support IMAP. Is there any
 |other way I could add another level of authentication to IMAP through the
 |delegate server?

Oh, I see.  I think you can do it with MOUNT, but it is straightforward
to do it with AUTHORIZER in this case.  So I made a patch for imap.c to
refer to AUTHORIZER in IMAP LOGIN.  With this patch and with an AUTHORIZER
parameter, only users authorized with AUTHORIZER are permitted to pass
the proxy-IMAP-DeleGate.  A simple AUTHORIZER of type "-list" can be used
to enumerate the users to be permitted, like this:

  delegated -P143 SERVER=imap://server AUTHORIZER="-list{user1,user2,...}"

Cheers,
Yutaka
--
  D G   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( - )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller

diff -cr ../delegate9.0.3-pre28/src/access.c ./src/access.c

*** ../delegate9.0.3-pre28/src/access.c	Thu May 26 06:37:54 2005
--- ./src/access.c	Mon Jul 11 04:24:32 2005
***************
*** 1781,1786 ****
--- 1781,1788 ----
  {	CStr(up,256);
  	CStr(xlist,1024);
  
+ 	if( isinList(list,user) )
+ 		return 1;
  	sprintf(up,"%s:%s",user,pass);
  	strfConnX(Conn,list,AVStr(xlist),sizeof(xlist));
  	list = xlist;
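Review bot: the new `isinList(list,user)` short-circuit at the top of this hunk authorizes on the bare user name alone, before the `user:pass` string is built, so with an AUTHORIZER of the `-list{user1,user2}` form the proxy only checks identity and leaves password verification entirely to the backend IMAP server. That matches the stated goal, but it should be said in a comment here and in the AUTHORIZER documentation, and since the check runs before `strfConnX(Conn,list,...)` expands `list` into `xlist`, a list written with substitution patterns is matched in its unexpanded form by this early return; move the check after the expansion if pattern lists are expected to work with it.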
diff -cr ../delegate9.0.3-pre28/src/imap.c ./src/imap.c
*** ../delegate9.0.3-pre28/src/imap.c	Sat Jun 11 13:18:50 2005
--- ./src/imap.c	Mon Jul 11 04:22:45 2005
***************
*** 20,25 ****
--- 20,26 ----
  #include "param.h"
  #include "fpoll.h"
  #include "delegate.h"
+ #include "auth.h"
  #include "filter.h"
  #include "ystring.h"
  #define LNSIZE 1024
***************
*** 226,231 ****
--- 227,244 ----
  			newconn = 1;
  		}
  		else	newconn = 0;
+ 
+ 		if( strcaseeq(qcmd,"LOGIN") ){
+ 			CStr(user,64);
+ 			if( *qarg == '"' )
+ 				wordScanY(qarg+1,user,"^\"");
+ 			else	wordScan(qarg,user);
+ 			if( CTX_auth(Conn,user,qrem) < 0 ){
+ 				fprintf(tc,"%s NO LOGIN forbidden\r\n",qtag);
+ 				fflush(tc);
+ 				continue;
+ 			}
+ 		}
  		fputs(req,ts);
  		fflush(ts);
  
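Review bot: the gate in this hunk applies only to the `LOGIN` command; an `AUTHENTICATE` command (SASL PLAIN or LOGIN) is not matched by `strcaseeq(qcmd,"LOGIN")` and still reaches `fputs(req,ts)` unchecked, so clients that authenticate that way are not subject to the AUTHORIZER list at all. Either reply `NO` to `AUTHENTICATE` when AUTHORIZER is set or extract the user name from the SASL exchange and pass it through `CTX_auth()` as well. Second, the argument parsing accepts a quoted string (without handling `\"` escapes) or a bare atom, but not the `{n}` literal form of the LOGIN argument; a literal should be refused rather than letting `wordScan` copy `{5}` as the name. Also confirm that `wordScan`/`wordScanY` bound their copy to the 64-byte `user` buffer declared with `CStr(user,64)`, since `qarg` is client-controlled.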

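As an added illustration (not DeleGate code and not part of the original post), the following stand-alone C program models the proxy-side LOGIN gate described above: it takes the user name out of an IMAP `LOGIN` command line and forwards the command only if that name is on a constructed allow-list standing in for `AUTHORIZER="-list{user1,user2}"`. It goes a little beyond the patch in that it handles backslash escapes inside a quoted user name, refuses the `{n}` literal form, and also refuses `AUTHENTICATE` so the list cannot be bypassed by SASL; all function names and the sample lines are assumptions made for this example.

```c
/* Added example: a minimal model of an IMAP LOGIN allow-list gate.
 * Not DeleGate's code; names below are invented for this illustration. */
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>

#define USER_MAX 64

/* Constructed allow-list, playing the role of AUTHORIZER="-list{user1,user2}". */
static const char *allowed_users[] = { "user1", "user2", NULL };

/* Copy the next space-delimited word from *pp into dst and advance *pp past
 * it and any following spaces. Returns 0, or -1 on overflow/empty word. */
static int next_word(const char **pp, char *dst, size_t dstsz)
{
    const char *p = *pp;
    size_t n = 0;
    while (*p && !isspace((unsigned char)*p)) {
        if (n + 1 >= dstsz) return -1;
        dst[n++] = *p++;
    }
    dst[n] = '\0';
    while (isspace((unsigned char)*p)) p++;
    *pp = p;
    return n > 0 ? 0 : -1;
}

/* Extract the user-name argument of LOGIN from args into user.
 * Accepts a quoted string (with backslash escapes) or a bare atom; the {n}
 * literal form is refused. Returns 0 on success, -1 otherwise (never truncates). */
int imap_login_user(const char *args, char *user, size_t usersz)
{
    const char *p = args;
    size_t n = 0;
    if (*p == '"') {
        p++;
        while (*p && *p != '"') {
            if (*p == '\\' && p[1]) p++;        /* quoted-string escape */
            if (n + 1 >= usersz) return -1;
            user[n++] = *p++;
        }
        if (*p != '"') return -1;               /* unterminated quote */
    } else if (*p == '{') {
        return -1;                              /* literal syntax: not supported */
    } else {
        while (*p && !isspace((unsigned char)*p)) {
            if (n + 1 >= usersz) return -1;
            user[n++] = *p++;
        }
    }
    user[n] = '\0';
    return n > 0 ? 0 : -1;
}

/* Exact, case-sensitive membership test against the allow-list. */
int user_allowed(const char *user)
{
    for (int i = 0; allowed_users[i]; i++)
        if (strcmp(allowed_users[i], user) == 0) return 1;
    return 0;
}

/* Decide whether one client command line may be forwarded to the IMAP server.
 * Returns 1 to forward it, 0 to refuse it (reply then holds the tagged
 * response to send back to the client). */
int gate_client_line(const char *line, char *reply, size_t replysz)
{
    char tag[32], cmd[32], user[USER_MAX];
    const char *p = line;

    if (next_word(&p, tag, sizeof tag) < 0 || next_word(&p, cmd, sizeof cmd) < 0) {
        snprintf(reply, replysz, "* BAD malformed command\r\n");
        return 0;
    }
    if (strcasecmp(cmd, "LOGIN") == 0) {
        if (imap_login_user(p, user, sizeof user) == 0 && user_allowed(user))
            return 1;                           /* server still checks the password */
        snprintf(reply, replysz, "%s NO LOGIN forbidden\r\n", tag);
        return 0;
    }
    if (strcasecmp(cmd, "AUTHENTICATE") == 0) {  /* keep SASL from bypassing the list */
        snprintf(reply, replysz, "%s NO AUTHENTICATE not offered by this proxy\r\n", tag);
        return 0;
    }
    return 1;   /* CAPABILITY, NOOP, LOGOUT, ... pass through unchanged */
}

int main(void)
{
    /* Constructed sample client lines. */
    const char *lines[] = {
        "a001 LOGIN \"user1\" \"secret\"",
        "a002 LOGIN user3 secret",
        "a003 login \"user2\" \"pw\"",
        "a004 AUTHENTICATE PLAIN",
        "a005 CAPABILITY",
    };
    char reply[128];
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int fwd = gate_client_line(lines[i], reply, sizeof reply);
        printf("%-34s -> %s", lines[i], fwd ? "forward to server\n" : reply);
    }
    return 0;
}
```

The gate deliberately decides on the user name only, exactly as the `-list` AUTHORIZER does: a listed name is forwarded and the backend IMAP server still verifies the password, while an unlisted name is answered with a tagged `NO` and never reaches the server.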