In a future release we will add master authentication too. Now you can use an API key or doveadm password, which are essentially the same thing.

---
Aki Tuomi
Dovecot oy

-------- Original message --------
From: Peter Chiochetti <pch at myzel.net>
Date: 4.3.2016 20.20 (GMT+02:00)
To: dovecot at dovecot.org
Subject: Re: v2.2.22 release candidate released

On 2016-03-04 at 14:33, Timo Sirainen wrote:
> + Added doveadm HTTP API: See
>   http://wiki2.dovecot.org/Design/DoveadmProtocol/HTTP

Hmm, so anybody who has the API key can send any doveadm commands?

I guess something like /etc/sudoers for API keys would be good?

Did I miss something?

--
peter

And you are normally only exposing doveadm functionality in internal, private networks.

On 3/4/2016 11:27 AM, Aki Tuomi wrote:
> In a future release we will add master authentication too. Now you can use an API key or doveadm password, which are essentially the same thing.
>
> ---
> Aki Tuomi
> Dovecot oy
>
> -------- Original message --------
> From: Peter Chiochetti <pch at myzel.net>
> Date: 4.3.2016 20.20 (GMT+02:00)
> To: dovecot at dovecot.org
> Subject: Re: v2.2.22 release candidate released
>
> On 2016-03-04 at 14:33, Timo Sirainen wrote:
>> + Added doveadm HTTP API: See
>>   http://wiki2.dovecot.org/Design/DoveadmProtocol/HTTP
>
> Hmm, so anybody who has the API key can send any doveadm commands?
>
> I guess something like /etc/sudoers for API keys would be good?
>
> Did I miss something?

On 2016-03-04 at 23:35, Michael M Slusarz wrote:
> And you are normally only exposing doveadm functionality in internal,
> private networks.
>
> On 3/4/2016 11:27 AM, Aki Tuomi wrote:
>> In a future release we will add master authentication too. Now you can
>> use an API key or doveadm password, which are essentially the same thing.
>>
>> ---
>> Aki Tuomi
>> Dovecot oy
>>
>> -------- Original message --------
>> From: Peter Chiochetti <pch at myzel.net>
>> Date: 4.3.2016 20.20 (GMT+02:00)
>> To: dovecot at dovecot.org
>> Subject: Re: v2.2.22 release candidate released
>>
>> On 2016-03-04 at 14:33, Timo Sirainen wrote:
>>> + Added doveadm HTTP API: See
>>>   http://wiki2.dovecot.org/Design/DoveadmProtocol/HTTP
>>
>> Hmm, so anybody who has the API key can send any doveadm commands?
>>
>> I guess something like /etc/sudoers for API keys would be good?
>>
>> Did I miss something?

Some mails later, I got to understand:

- API key is not authentication, but it is authorization

So, when I plan to enable the HTTP API, I must protect the web page where the API key lives by the usual means, e.g. HTTP Basic Authentication.

Aki also told me that there is a configurable list of allowed commands somewhere. The wiki also links to another (parent) page with more details. The number of commands is limited now, but may grow.

--
peter