Mike Abbott
2011-Jan-14 17:35 UTC
[Dovecot] Patch: 2.0 support for URLAUTH, BURL, CATENATE
On Dec 5, 2010, at 11:17 PM, Timo Sirainen wrote:

> I don't think there's any need to send "anonymous_username" to imap
> process? It just seems to want to know if the current user is anonymous
> or not. That same thing has been in my TODO list for a while already
> because ManageSieve could use that information too. So committed now:
> http://hg.dovecot.org/dovecot-2.0/rev/c41ba33b8e16

I just tried out this change and it does not replace the need for the anonymous_username field. I only now fully understand the comment:

    /* this is an anonymous login, either via ANONYMOUS
       SASL mechanism or simply logging in as the anonymous
       user via another mechanism */

Since the change does not distinguish between those two cases it breaks the "authuser" access identifier for the anonymous user when he is logged in non-anonymously. I would not really care about this edge case except that the contributed implementation requires that the username in the IMAP URL matches the authenticated user's username even for the "anonymous" and "authuser" access identifiers, in violation of RFC 4467 section 4. (The implementation requires a match because Dovecot does not (cannot) reach into another user's mail storage.) This means that the "anonymous" and "authuser" access identifiers only work for the anonymous user in the implementation; your change makes the "authuser" access identifier always fail for the anonymous user.

The anonymous_username field in the original contributed patch does distinguish between SASL ANONYMOUS and logging in as the anonymous user via another mechanism, so the "anonymous" and "authuser" access identifiers work properly for the anonymous user (but not for any other user).

If you can teach me how to make urlfetch_url() access any user's mail storage from an IMAP process logged in as a different user (subject to OS uid/gid permission constraints), I can make "anonymous" and "authuser" work for all users and use your change instead of the "anonymous_username" field.
Alternatively, you could edit your change to add the "anonymous" indication to the auth reply only for SASL ANONYMOUS authentications rather than for all anonymous-user authentications, unless that would cause trouble for ManageSieve.
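The access-identifier check that this message argues about, written out as a stand-alone C illustration added here. It is not Dovecot code and does not reproduce urlfetch_url() or the auth reply; struct session, the anon_policy_fn pair, ANON_USER (standing in for the anonymous_username setting), the require_owner_match flag, and every sample session and URL are assumptions constructed for the example. It implements the RFC 4467 section 4 rules for the submit+, user+, authuser and anonymous access identifiers, and lets the caller pick how "this session is anonymous" is decided: by SASL mechanism (what the anonymous_username field makes possible) or by username (what a single anonymous flag gives), with or without the owner-must-match constraint the contributed implementation imposes.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Illustrative model, not Dovecot's structures. ANON_USER stands in for the
 * configured anonymous_username; its value here is an assumption. */
#define ANON_USER "anonymous"

struct session {
    const char *user;     /* authenticated username */
    bool sasl_anonymous;  /* logged in with the ANONYMOUS SASL mechanism */
    bool submit_server;   /* session belongs to a trusted submission server */
};

enum access_kind { ACC_INVALID, ACC_SUBMIT, ACC_USER, ACC_AUTHUSER, ACC_ANONYMOUS };
struct urlauth {
    char url_user[64];     /* mailbox owner: <user> in imap://<user>@host/... */
    enum access_kind kind; /* from ;URLAUTH=<access>:<mech>:<token> */
    char acc_user[64];     /* <user> in submit+<user> or user+<user> */
};

/* RFC 4467 keywords are case-insensitive; small helpers instead of strncasecmp. */
static bool prefix_ci(const char *s, const char *p) {
    for (; *p; s++, p++) if (tolower((unsigned char)*s) != tolower((unsigned char)*p)) return false;
    return true;
}
static const char *find_ci(const char *hay, const char *needle) {
    for (; *hay; hay++) if (prefix_ci(hay, needle)) return hay;
    return NULL;
}
static bool copy_token(char *dst, size_t cap, const char *start, const char *end) {
    size_t n = (size_t)(end - start);
    if (n == 0 || n >= cap) return false;
    memcpy(dst, start, n); dst[n] = '\0'; return true;
}

/* Extract the mailbox owner and the access identifier from an IMAP URL. Percent
 * decoding of <user> is skipped. Returns false for malformed input. */
static bool parse_urlauth(const char *url, struct urlauth *out) {
    memset(out, 0, sizeof(*out));
    if (!prefix_ci(url, "imap://")) return false;
    const char *auth = url + 7, *at = strchr(auth, '@'), *slash = strchr(auth, '/');
    if (at == NULL || (slash != NULL && at > slash)) return false; /* no <user>@ part */
    if (!copy_token(out->url_user, sizeof(out->url_user), auth, at)) return false;
    const char *acc = find_ci(url, ";URLAUTH=");
    if (acc == NULL) return false;
    acc += strlen(";URLAUTH=");
    const char *end = strchr(acc, ':'); /* ":INTERNAL:<token>" follows the access id */
    if (end == NULL) end = acc + strlen(acc);
    size_t len = (size_t)(end - acc);
    if (prefix_ci(acc, "submit+") || prefix_ci(acc, "user+")) {
        out->kind = tolower((unsigned char)*acc) == 's' ? ACC_SUBMIT : ACC_USER;
        const char *plus = memchr(acc, '+', len);
        return plus != NULL && copy_token(out->acc_user, sizeof(out->acc_user), plus + 1, end);
    }
    if (len == 8 && prefix_ci(acc, "authuser")) { out->kind = ACC_AUTHUSER; return true; }
    if (len == 9 && prefix_ci(acc, "anonymous")) { out->kind = ACC_ANONYMOUS; return true; }
    return false;
}

/* Two policies for "is this session anonymous?": by mechanism (only a SASL ANONYMOUS
 * login counts, what the anonymous_username field lets the imap process decide) or
 * by username (any login as the anonymous user counts, what a single flag gives). */
typedef bool (*anon_policy_fn)(const struct session *);
static bool anon_by_mechanism(const struct session *s) { return s->sasl_anonymous; }
static bool anon_by_username(const struct session *s) { return strcmp(s->user, ANON_USER) == 0; }

/* RFC 4467 section 4 rules. require_owner_match adds the constraint from the message:
 * the imap process cannot open another user's storage, so the URL owner must be the session user. */
static bool urlauth_access_allowed(const char *url, const struct session *s,
                                   anon_policy_fn is_anonymous, bool require_owner_match) {
    struct urlauth u;
    if (!parse_urlauth(url, &u)) return false;
    if (require_owner_match && strcmp(u.url_user, s->user) != 0) return false;
    switch (u.kind) {
    case ACC_SUBMIT:    return s->submit_server && strcmp(u.acc_user, s->user) == 0;
    case ACC_USER:      return strcmp(u.acc_user, s->user) == 0;
    case ACC_AUTHUSER:  return !is_anonymous(s); /* any non-anonymous authenticated user */
    case ACC_ANONYMOUS: return true;             /* anyone, anonymous sessions included */
    default:            return false;
    }
}

/* Constructed sample sessions and URLs; the INTERNAL token is a placeholder. */
#define TOKEN ":INTERNAL:0123456789abcdef0123456789abcdef"
static const struct session SESSION_SASL_ANON     = { ANON_USER, true,  false };
static const struct session SESSION_PASSWORD_ANON = { ANON_USER, false, false };
static const struct session SESSION_BOB           = { "bob",     false, false };
static const char URL_ANON_AUTHUSER[]  = "imap://anonymous@mail.example.com/INBOX/;UID=1;URLAUTH=authuser" TOKEN;
static const char URL_ANON_ANONYMOUS[] = "imap://anonymous@mail.example.com/INBOX/;UID=1;URLAUTH=anonymous" TOKEN;
static const char URL_ALICE_AUTHUSER[] = "imap://alice@mail.example.com/Sent/;UID=7;URLAUTH=authuser" TOKEN;
static const char URL_BOB_USER_BOB[]   = "imap://bob@mail.example.com/Sent/;UID=3;URLAUTH=user+bob" TOKEN;
int main(void) {
    /* The edge case from the message: password login as the anonymous user, authuser URL. */
    printf("by mechanism: %d, by username: %d\n",
           urlauth_access_allowed(URL_ANON_AUTHUSER, &SESSION_PASSWORD_ANON, anon_by_mechanism, true),
           urlauth_access_allowed(URL_ANON_AUTHUSER, &SESSION_PASSWORD_ANON, anon_by_username, true));
    return 0;
}
```

With anon_by_username the authuser URL is refused for the anonymous user even after a password login, which is the breakage the message reports; with anon_by_mechanism it is accepted, and a genuine SASL ANONYMOUS session is still refused. Passing require_owner_match as false gives the RFC 4467 behaviour for other users (bob may use an authuser URL owned by alice), which the owner-match constraint rules out.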
Charles Marcus
2016-Apr-18 16:02 UTC
[Dovecot] Patch: 2.0 support for URLAUTH, BURL, CATENATE
Greetings Mike and Timo,

A question about BURL support in Thunderbird came up, and while there is an open bug, it apparently is still not implemented. I'd love to see this get done, so I've been checking on the status of this in both postfix and dovecot...

Can someone comment on whether or not this was ever fully/properly implemented?

Charles

On 1/14/2011 12:35 PM, Mike Abbott <michael.abbott at apple.com> wrote:
> On Dec 5, 2010, at 11:17 PM, Timo Sirainen wrote:
>
>> I don't think there's any need to send "anonymous_username" to imap
>> process? It just seems to want to know if the current user is anonymous
>> or not. That same thing has been in my TODO list for a while already
>> because ManageSieve could use that information too. So committed now:
>> http://hg.dovecot.org/dovecot-2.0/rev/c41ba33b8e16
>
> I just tried out this change and it does not replace the need for the anonymous_username field. I only now fully understand the comment:
>
>     /* this is an anonymous login, either via ANONYMOUS
>        SASL mechanism or simply logging in as the anonymous
>        user via another mechanism */
>
> Since the change does not distinguish between those two cases it breaks the "authuser" access identifier for the anonymous user when he is logged in non-anonymously. I would not really care about this edge case except that the contributed implementation requires that the username in the IMAP URL matches the authenticated user's username even for the "anonymous" and "authuser" access identifiers, in violation of RFC 4467 section 4. (The implementation requires a match because Dovecot does not (cannot) reach into another user's mail storage.) This means that the "anonymous" and "authuser" access identifiers only work for the anonymous user in the implementation; your change makes the "authuser" access identifier always fail for the anonymous user.
>
> The anonymous_username field in the original contributed patch does distinguish between SASL ANONYMOUS and logging in as the anonymous user via another mechanism, so the "anonymous" and "authuser" access identifiers work properly for the anonymous user (but not for any other user).
>
> If you can teach me how to make urlfetch_url() access any user's mail storage from an IMAP process logged in as a different user (subject to OS uid/gid permission constraints), I can make "anonymous" and "authuser" work for all users and use your change instead of the "anonymous_username" field.
>
> Alternatively, you could edit your change to add the "anonymous" indication to the auth reply only for SASL ANONYMOUS authentications rather than for all anonymous-user authentications, unless that would cause trouble for ManageSieve.