
E-mail headers
From: Mark Crispin <mrc+imap@panda.com>
To: imap-protocol@u.washington.edu
Date: Fri, 08 Jun 2018 12:34:47 -0000
Message-ID: alpine.OSX.2.00.1201130725430.38441@hsinghsing.panda.com
I have been tasked to identify which IMAP servers support the SASL concept
of authorization vs. authentication ID and if it is suitable to allow
impersonation; that is to proxy to various user accounts.

I have the following data:

Panda IMAP:		Yes
 	;; Authenticated userids in system group "mailadm" may authorize
 	;; to any other userid.

UW IMAP:		Yes, in newer versions
 	;; Same as Panda


Probably yes, but not sure and need details:

Cyrus:
Dovecot:
Communigate Pro:
Sendmail:
Zimbra:

-- Mark --

http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.
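
The rule described in the message above (members of an admin group may authorize as any other userid), applied to a SASL PLAIN response (RFC 4616), as an added example that is not part of the original thread or of any server's code. The user table, the group members and the function names are constructed for illustration.

```python
import base64
import hmac

# Constructed sample data (assumption): a real server would consult the
# system group database or a directory instead of in-memory tables.
MAILADM_MEMBERS = {"postmaster"}   # stand-in for system group "mailadm"
PASSWORDS = {"postmaster": "s3cret", "alice": "wonderland"}


def encode_plain(authzid, authcid, passwd):
    """Build the base64 PLAIN response a client would send."""
    return base64.b64encode("\0".join((authzid, authcid, passwd)).encode()).decode()


def parse_plain(b64_response):
    """Decode a PLAIN response: [authzid] NUL authcid NUL passwd."""
    raw = base64.b64decode(b64_response, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("PLAIN response must contain exactly two NULs")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("authcid and passwd are mandatory")
    return authzid, authcid, passwd


def authorize(b64_response):
    """Return the userid whose mailboxes are opened, or None if refused."""
    try:
        authzid, authcid, passwd = parse_plain(b64_response)
    except ValueError:  # also covers bad base64 and bad UTF-8
        return None
    # Authentication: always verify the authcid's own credentials.
    expected = PASSWORDS.get(authcid)
    if expected is None or not hmac.compare_digest(expected.encode(), passwd.encode()):
        return None
    # Authorization: an empty authzid means "act as myself".
    if authzid in ("", authcid):
        return authcid
    # Proxying: only group members, and only to an existing account.
    if authcid in MAILADM_MEMBERS and authzid in PASSWORDS:
        return authzid
    return None  # deny by default
```

An empty `MAILADM_MEMBERS` set turns proxy authorization off entirely, since every non-empty authzid that differs from the authcid is then refused.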
E-mail headers
From: alexey.melnikov@isode.com
To: imap-protocol@localhost
Date: Fri, 08 Jun 2018 12:34:47 -0000
Message-ID: 4F1054E4.1030803@isode.com
Hi Mark,

On 13/01/2012 15:44, Mark Crispin wrote:
> I have been tasked to identify which IMAP servers support the SASL 
> concept
> of authorization vs. authentication ID and if it is suitable to allow
> impersonation; that is to proxy to various user accounts.
>
> I have the following data:
>
> Panda IMAP:        Yes
>     ;; Authenticated userids in system group "mailadm" may authorize
>     ;; to any other userid.
>
> UW IMAP:        Yes, in newer versions
>     ;; Same as Panda

Isode M-Box supports that as well. A user configured in the "admin_user" 
option in ms.conf (configuration file) can act as any other user. This 
feature can be disabled by not providing the "admin_user" option value.
E-mail headers
From: dwhite@olp.net
To: imap-protocol@localhost
Date: Fri, 08 Jun 2018 12:34:47 -0000
Message-ID: 20120113160943.GB4601@dan.olp.net
On 01/13/12 07:44 -0800, Mark Crispin wrote:
>I have been tasked to identify which IMAP servers support the SASL concept
>of authorization vs. authentication ID and if it is suitable to allow
>impersonation; that is to proxy to various user accounts.
>
>I have the following data:
>
>Panda IMAP:		Yes
>	;; Authenticated userids in system group "mailadm" may authorize
>	;; to any other userid.
>
>UW IMAP:		Yes, in newer versions
>	;; Same as Panda
>
>
>Probably yes, but not sure and need details:
>
>Cyrus:
>Dovecot:
>Communigate Pro:
>Sendmail:
>Zimbra:

Cyrus supports this function using the 'proxyservers' configuration option.
See:

http://www.cyrusimap.org/docs/cyrus-imapd/2.4.13/man/imapd.conf.5.php
http://www.cyrusimap.org/docs/cyrus-imapd/2.4.13/install-murder.php

Fine grained control can be accomplished by delegating 'a' ACL rights for
a user's INBOX and then enabling the 'loginuseacl' config option:

-- 
Dan White
E-mail headers
From: derek.diget+imap-protocol@wmich.edu
To: imap-protocol@localhost
Date: Fri, 08 Jun 2018 12:34:47 -0000
Message-ID: Pine.GSO.4.62.1201131116380.3388@spaz.oit.wmich.edu
On Jan 13, 2012 at 07:44 -0800, Mark Crispin wrote:
=>I have been tasked to identify which IMAP servers support the SASL concept
=>of authorization vs. authentication ID and if it is suitable to allow
=>impersonation; that is to proxy to various user accounts.
=>
=>I have the following data:
=>
=>Panda IMAP:		Yes
=>	;; Authenticated userids in system group "mailadm" may authorize
=>	;; to any other userid.
=>
=>UW IMAP:		Yes, in newer versions
=>	;; Same as Panda
=>
=>
=>Probably yes, but not sure and need details:
=>
=>Cyrus:
=>Dovecot:
=>Communigate Pro:
=>Sendmail:
=>Zimbra:

Non-Authoritative answer as I am just an admin/user, but

Sun's Communication Suite, now known as Oracle Communications Messaging
Exchange Server seems to per

<https://wikis.oracle.com/pages/viewpage.action?pageId=15467378>


(We use the non-standard PROXYAUTH command with the imapsync perl script 
for mailbox migrations, etc.)

-- 
***********************************************************************
Derek Diget                            Office of Information Technology
Western Michigan University - Kalamazoo  Michigan  USA - www.wmich.edu/
***********************************************************************
E-mail headers
From: dkarp@zimbra.com
To: imap-protocol@localhost
Date: Fri, 08 Jun 2018 12:34:47 -0000
Message-ID: 154341216.56862.1326474435819.JavaMail.root@dogfood.zimbra.com
> I have been tasked to identify which IMAP servers support the SASL
> concept of authorization vs. authentication ID and if it is suitable
> to allow impersonation; that is to proxy to various user accounts.

Zimbra supports this.  (I won't get into the details of the rules that
govern when a given authzid/authcid pair will work unless you really
care.  It can get complicated.)

- Dan
E-mail headers
From: tss@iki.fi
To: imap-protocol@localhost
Date: Fri, 08 Jun 2018 12:34:47 -0000
Message-ID: CC4ECE28-7BDF-47C9-BB29-4D8087AF87DF@iki.fi
On 13.1.2012, at 17.44, Mark Crispin wrote:

> I have been tasked to identify which IMAP servers support the SASL concept
> of authorization vs. authentication ID and if it is suitable to allow
> impersonation; that is to proxy to various user accounts.

Yes, Dovecot supports it as well. It can be configured to work pretty much any way you want.

Actually this week there was an interesting use case for it, kind of the reverse of what is normally done: Shared mailboxes are accessed via one shared user account, but each user logs in with their own authentication ID so they get different access to the mailboxes because they have different ACLs. (All of this is actually hidden from the user, they don't configure this in their clients.)
E-mail headers
From: guenther+imap@sendmail.com
To: imap-protocol@localhost
Date: Fri, 08 Jun 2018 12:34:47 -0000
Message-ID: alpine.BSO.2.00.1201131145420.3540@morgaine.smi.sendmail.com
On Fri, 13 Jan 2012, Mark Crispin wrote:
> I have been tasked to identify which IMAP servers support the SASL concept
> of authorization vs. authentication ID and if it is suitable to allow
> impersonation; that is to proxy to various user accounts.

Sendmail: yes
	;; proxy authorization can be permitted based on LDAP attributes
	;; marking accounts as delegatees


Philip