Article delegate-en/3020 of [1-5169] on the server localhost:119
[Reference:<_A3019@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: Authenticating IMAP access
10 Jul 2005 20:58:26 GMT Peter Kaldis <pw4fqbdyi-5sbstga6aoxr.ml@ml.delegate.org>


Thanks! I'll give it a try.

Yutaka Sato wrote:
> Hi,
> 
> In message <_A3018@delegate-en.ML_> on 07/11/05(03:33:39)
> you Peter Kaldis <pw4fqbdyi-5sbstga6aoxr.ml@ml.delegate.org> wrote:
>  |>  |Hi there. I'm running delegate v9.0.2 on a RH Linux v8 machine sitting
>  |>  |outside our firewall and it's serving as a secure IMAP proxy. I would like
>  |>  |to control who has access to this service by using some sort of simple auth
>  |>  |mechanism like PAM and the local passwd file on the machine, or something
>  |>  |similar like a dedicated config file of usernames/passwds.
>  |> 
>  |> Does not the IMAP server have an auth mechanism ?
> ...
>  |Hi Yutaka, thanks for the response. You are right, the IMAP server can
>  |authenticate, however I'm trying to restrict the service at the proxy
>  |level, so that not everyone who can access it internally can also access
>  |it from the outside. A second gateway if you will, that restricts access
>  |to only a select few individuals.
>  |
>  |I've looked at the AUTH and AUTHORIZER arguments, but they only work with
>  |specific protocols, and they don't appear to support IMAP. Is there any
>  |other way I could add another level of authentication to IMAP through the
>  |delegate server?
> 
> Oh, I see.  I think you can do it with MOUNT, but it is straightforward
> to do it with AUTHORIZER in this case.  So I made a patch for imap.c to
> refer to AUTHORIZER in IMAP LOGIN.  With this patch and with an AUTHORIZER
> parameter, only users authorized with AUTHORIZER are permitted to pass
> the proxy-IMAP-DeleGate.  A simple AUTHORIZER of type "-list" can be used
> to enumerate users to be permitted like this.
> 
>   delegated -P143 SERVER=imap://server AUTHORIZER="-list{user1,user2,...}"
> 
> Cheers,
> Yutaka
> --
>   D G   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
>  ( - )  National Institute of Advanced Industrial Science and Technology
> _<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
> Do the more with the less -- B. Fuller
> 
> diff -cr ../delegate9.0.3-pre28/src/access.c ./src/access.c
> 
> *** ../delegate9.0.3-pre28/src/access.c	Thu May 26 06:37:54 2005
> --- ./src/access.c	Mon Jul 11 04:24:32 2005
> ***************
> *** 1781,1786 ****
> --- 1781,1788 ----
>   {	CStr(up,256);
>   	CStr(xlist,1024);
>   
> + 	if( isinList(list,user) )
> + 		return 1;
>   	sprintf(up,"%s:%s",user,pass);
>   	strfConnX(Conn,list,AVStr(xlist),sizeof(xlist));
>   	list = xlist;
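Review bot: the new `isinList(list,user)` early return at the top of this hunk accepts any user whose bare name is in the list with no password check at the proxy, and it tests the unexpanded `list`, before `strfConnX(Conn,list,AVStr(xlist),sizeof(xlist))` rewrites it into `xlist` on the following lines, so entries that rely on that expansion will not match on the name-only path. If that is the intent (name-only entries such as `-list{user1,user2}` defer password verification to the origin IMAP server), add a comment above the check saying so; otherwise move it after `list = xlist;` so both paths see the same list.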
> diff -cr ../delegate9.0.3-pre28/src/imap.c ./src/imap.c
> *** ../delegate9.0.3-pre28/src/imap.c	Sat Jun 11 13:18:50 2005
> --- ./src/imap.c	Mon Jul 11 04:22:45 2005
> ***************
> *** 20,25 ****
> --- 20,26 ----
>   #include "param.h"
>   #include "fpoll.h"
>   #include "delegate.h"
> + #include "auth.h"
>   #include "filter.h"
>   #include "ystring.h"
>   #define LNSIZE 1024
> ***************
> *** 226,231 ****
> --- 227,244 ----
>   			newconn = 1;
>   		}
>   		else	newconn = 0;
> + 
> + 		if( strcaseeq(qcmd,"LOGIN") ){
> + 			CStr(user,64);
> + 			if( *qarg == '"' )
> + 				wordScanY(qarg+1,user,"^\"");
> + 			else	wordScan(qarg,user);
> + 			if( CTX_auth(Conn,user,qrem) < 0 ){
> + 				fprintf(tc,"%s NO LOGIN forbidden\r\n",qtag);
> + 				fflush(tc);
> + 				continue;
> + 			}
> + 		}
>   		fputs(req,ts);
>   		fflush(ts);
>   
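Review bot: the AUTHORIZER gate is applied only when `qcmd` is `LOGIN`, so a client that authenticates with the IMAP `AUTHENTICATE` command is forwarded by `fputs(req,ts)` without `CTX_auth` ever being consulted; the same check should run for `AUTHENTICATE`, or the proxy should refuse that command with a `NO` reply. Two smaller points in the same block: `user` is declared `CStr(user,64)` but `wordScanY(qarg+1,user,"^\"")` and `wordScan(qarg,user)` receive no length, so a LOGIN whose user name does not fit the 64-byte buffer overruns it unless those scanners are bounded internally, and should be rejected with `NO` instead; and `qrem` is handed to `CTX_auth` unchanged, so if it still carries the quotes around a quoted password it will not match a `user:pass` entry in the list.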


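The two operations the posted patch composes, pulling the user name out of the LOGIN arguments and testing it against an AUTHORIZER `-list{user1,user2}` value, as an added example in C; this is not DeleGate's code or the patch above, and its reading of the `-list{...}` syntax and the 64-byte `user` buffer are assumptions taken from the message. It goes beyond the patch in bounding the copy, rejecting IMAP literal (`{n}`) arguments and unescaping backslash-quoted characters.

```c
#include <ctype.h>
#include <string.h>

/* Copy the user name from an IMAP LOGIN argument string, quoted ("alice" "pw")
 * or bare (alice pw), into user[usersz]. Returns its length, or -1 for an empty
 * or over-long name, an unterminated quote, or a literal ({n}), rejected here. */
int imap_login_user(const char *qarg, char *user, size_t usersz)
{
    const char *p = qarg;
    size_t n = 0;
    int quoted = (*p == '"');
    if (*p == '{') return -1;                /* literal syntax: unsupported */
    if (quoted) p++;
    for (; *p; p++) {
        if (quoted ? *p == '"' : isspace((unsigned char)*p))
            break;
        if (quoted && *p == '\\' && p[1] != '\0')
            p++;                             /* quoted-special: \" or \\ */
        if (n + 1 >= usersz) return -1;      /* would overrun user[] */
        user[n++] = *p;
    }
    if (n == 0 || (quoted && *p != '"')) return -1;
    user[n] = '\0';
    return (int)n;
}

/* Exact-match lookup in an AUTHORIZER="-list{user1,user2}" style value;
 * bare user names only, the user:pass form is outside this example. */
int user_in_list(const char *list, const char *user)
{
    size_t ulen = strlen(user);
    const char *p, *end = strchr(list, '}');
    if (strncmp(list, "-list{", 6) != 0 || end == NULL) return 0;
    for (p = list + 6; p < end; ) {
        const char *e = memchr(p, ',', (size_t)(end - p));
        if (e == NULL) e = end;
        if ((size_t)(e - p) == ulen && memcmp(p, user, ulen) == 0) return 1;
        p = e + 1;
    }
    return 0;
}

/* The proxy-side decision the patch takes on LOGIN: 1 = forward the command
 * to the IMAP server, 0 = answer "NO LOGIN forbidden" without forwarding. */
int proxy_login_allowed(const char *qarg, const char *list)
{
    char user[64];                           /* same bound as the patch */
    return imap_login_user(qarg, user, sizeof user) >= 0 && user_in_list(list, user);
}
```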