VS: Re: v2.2.22 release candidate released
Peter Chiochetti
pch at myzel.net
Sun Mar 6 10:48:55 UTC 2016
On 2016-03-04 at 23:35, Michael M Slusarz wrote:
> And you are normally only exposing doveadm functionality in internal,
> private networks.
>
> On 3/4/2016 11:27 AM, Aki Tuomi wrote:
>> In future release we will add master authentication too. Now you can
>> use api key or doveadm password which are essentially same thing.
>> ---
>> Aki Tuomi
>> Dovecot oy
>>
>> -------- Original message --------
>> From: Peter Chiochetti <pch at myzel.net>
>> Date: 4.3.2016 20.20 (GMT+02:00)
>> To: dovecot at dovecot.org
>> Subject: Re: v2.2.22 release candidate released
>>
>> On 2016-03-04 at 14:33, Timo Sirainen wrote:
>>> + Added doveadm HTTP API: See
>>> http://wiki2.dovecot.org/Design/DoveadmProtocol/HTTP
>> Hmm, so anybody who has the API key can send any doveadm commands?
>>
>> I guess something like /etc/sudoers for API keys would be good?
>>
>> Did I miss something?
>>
Some mails later, I got to understand:
- API key is not authentication, but it is authorization
So, when I plan to enable the HTTP API, I must protect the webpage where
the API key lives by the usual means, e.g. HTTP Basic Authentication.
Aki also told me that there is a configurable list of allowed commands
somewhere.
The wiki also links to another (parent) page with more details. The
number of commands is limited now, but may grow.
--
peter