On 03/21/2018 10:34 PM, @lbutlr wrote:
> The question is does it allow remote users to login with no password?

Yes, and the answer is: no.

> If not, then the message is merely a notification that login without a password is potentially possible.

Yes, but a worrying one. That's why I decided to post here.

> I have no idea why you would have nopassword=y set in the first place, so it seems the simplest way to eliminate this problem is to take that out and have a secure environment for sending mail.

Yes, however, for SOGo with Native Outlook compatibility or SAML logon, the config is required. (https://sogo.nu/files/docs/v2/SOGoNativeOutlookConfigurationGuide.html)

Thanks,
MJ
On 22.03.2018 10:30, mj wrote:
>
>
> On 03/21/2018 10:34 PM, @lbutlr wrote:
>> The question is does it allow remote users to login with no password?
> Yes, and the answer is: no.
>
>> If not, then the message is merely a notification that login without a
>> password is potentially possible.
> Yes, but a worrying one. That's why I decided to post here.
>
>> I have no idea why you would have nopassword=y set in the first
>> place, so it seems the simplest way to eliminate this problem is to
>> take that out and have a secure environment for sending mail.
>
> Yes, however, for SOGo with Native Outlook compatibility or SAML
> logon, the config is required.
>
> (https://sogo.nu/files/docs/v2/SOGoNativeOutlookConfigurationGuide.html)
>
> Thanks,
> MJ

I have no idea *WHY* it is required by SOGo. It does not make sense.

Aki
On 2018-03-22 (02:30 MDT), mj <lists at merit.unu.edu> wrote:
>
> Yes, however, for SOGo with Native Outlook compatibility or SAML logon, the config is required.
>
> (https://sogo.nu/files/docs/v2/SOGoNativeOutlookConfigurationGuide.html)

I don't know what that is, but that is a terrible requirement that makes me very suspicious someone is being either lazy or intentionally breaking security for nefarious purposes. I'd walk away.

-- 
Lister: What d'ya think of Betty?
Cat: Betty Rubble? Well, I would go with Betty... but I'd be thinking of Wilma.
Lister: This is crazy. Why are we talking about going to bed with Wilma Flintstone?
Cat: You're right. We're nuts. This is an insane conversation.
Lister: She'll never leave Fred, and we know it.
On 2018-03-22 (02:48 MDT), "@lbutlr" <kremels at kreme.com> wrote:
>
> On 2018-03-22 (02:30 MDT), mj <lists at merit.unu.edu> wrote:
>>
>> Yes, however, for SOGo with Native Outlook compatibility or SAML logon, the config is required.
>>
>> (https://sogo.nu/files/docs/v2/SOGoNativeOutlookConfigurationGuide.html)
>
> I don't know what that is, but that is a terrible requirement that makes me very suspicious someone is being either lazy or intentionally breaking security for nefarious purposes. I'd walk away.

Read more: "For any other IMAP server, refer to the product's documentation. If such capability is not offered, you can alternatively define the cleartext password for each user."

OM EFFING G! No. A thousand times no. This is... just no, this is inexcusable, irresponsible, and in my opinion should be criminal. No, I'm not joking.

-- 
A: You're wrong
Q: I've never found that to be true
A: Because it makes following messages more difficult
Q: Why is top-posting evil?
On 03/22/2018 09:34 AM, Aki Tuomi wrote:
> I have no idea *WHY* it is required by SOGo. It does not make sense.

Well, the thing is: SOGo has this ability to behave like a *real* exchange server, as if it's running on a windows server. And this enables Outlook to connect to it like it would to an exchange server. (so: not in imap mode, and not using regular username/password authentication)

Normally, SOGo simply reuses the provided username/password to connect to the imap server, but in the above scenario, these are not available. The same goes for a SAML2 authenticated SOGo webmail logon.

In these scenarios, SOGo uses the 127.0.0.1 connection, to logon to imap. Since it does know the username.

I guess a better solution would be for SOGo to be able to do 'transformations' to the username/password, to change the regular username/unknownpassword into username*master/masterpassword, and get rid of the 127.0.0.1 passwordless listener. Right?

But SOGo doesn't do that. (afaik)

MJ
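As an added illustration, not code from this thread, from SOGo or from the Dovecot project, here are the two Dovecot passdb arrangements MJ is comparing. The first is the passwordless static passdb the SOGo guide calls for, shown scoped to the loopback address with a `remote` block (that scoping is my assumption about the guide's setup; confirm what is active on your own server with `doveconf -n`). The second is the master-user alternative MJ sketches, where SOGo would log in as `username*master` with a master password, using Dovecot's standard master-user settings; the `sogo` master username and the `/etc/dovecot/master-users` path are placeholders.

```conf
# --- Arrangement 1: the passwordless loopback passdb the thread worries about ---
# Anything that can reach 127.0.0.1 is logged in as whatever username it
# presents, with no password check at all: every local process or proxy
# on the box inherits that trust, and nothing in the logs distinguishes
# SOGo from any other local client.
# (Assumption: the guide scopes the static passdb to loopback like this.)
remote 127.0.0.1 {
  passdb {
    driver = static
    args = nopassword=y
  }
}

# --- Arrangement 2: master user, the alternative MJ describes ---
# SOGo logs in as "<user>*sogo" and presents the master password instead of
# the user's own. Dovecot verifies the master credentials in the master
# passdb, then continues to the regular passdb so the target user must
# really exist. A leaked master password is still a full compromise, but it
# is a credential that can be rotated and audited rather than an open door.
auth_master_user_separator = *

passdb {
  driver = passwd-file
  master = yes
  args = /etc/dovecot/master-users      # placeholder path
  # continue to the regular passdb: the destination user has to exist there
  result_success = continue
}

# /etc/dovecot/master-users (mode 0600, owned by root), one entry per master:
#   sogo:{SHA512-CRYPT}<hash produced by: doveadm pw -s SHA512-CRYPT>
# Login name presented by SOGo: user@example.com*sogo
# Password presented by SOGo:   the master password for "sogo"
```

With the second arrangement the static `nopassword=y` passdb is removed entirely; a quick check that nothing passwordless survived is `doveconf -n | grep -n -A3 passdb`, looking for any `static` passdb with `nopassword=y` in its `args`.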
On 03/22/2018 09:34 AM, Aki Tuomi wrote:
>>> I have no idea why you would have nopassword=y set in the first
>>> place, so it seems the simplest way to eliminate this problem is to
>>> take that out and have a secure environment for sending mail.
>>
>> Yes, however, for SOGo with Native Outlook compatibility or SAML
>> logon, the config is required.
>
> I have no idea *WHY* it is required by SOGo. It does not make sense.

The configuration guide describes (in 4.3.) a scenario where SOGo's user population backend (LDAP) is set up from scratch, which implies that the preexisting IMAP server supposedly is *not* using the same backend/data/passwords.

I'd guess that *if* you have the IMAP server configured to look up the same backend/data (including support for exotic authentication methods, "Exchange style" cross-user access rights management, yadda yadda), the requirement to defeat authentication from SOGo to the IMAP server may become moot.

But until then - Exchange takes its entire auth from AD, and SOGo's LDAP, *not* the IMAP server's passdb, is the analogue of that.

Regards,
-- 
Jochen Bern
Systemingenieur
www.binect.de
www.facebook.de/binect