VS: Re: v2.2.22 release candidate released

Peter Chiochetti pch at myzel.net
Sun Mar 6 10:48:55 UTC 2016


On 2016-03-04 at 23:35, Michael M Slusarz wrote:
> And you are normally only exposing doveadm functionality in internal,
> private networks.
>
> On 3/4/2016 11:27 AM, Aki Tuomi wrote:
>> In a future release we will add master authentication too. Now you can
>> use API key or doveadm password, which are essentially the same thing.
>> ---
>> Aki Tuomi
>> Dovecot oy
>>
>> -------- Original message --------
>> From: Peter Chiochetti <pch at myzel.net>
>> Date: 4.3.2016  20.20 (GMT+02:00)
>> To: dovecot at dovecot.org
>> Subject: Re: v2.2.22 release candidate released
>>
>> On 2016-03-04 at 14:33, Timo Sirainen wrote:
>>>     + Added doveadm HTTP API: See
>>>       http://wiki2.dovecot.org/Design/DoveadmProtocol/HTTP
>> Hmm, so anybody who has the API key can send any doveadm commands?
>>
>> I guess something like /etc/sudoers for API keys would be good?
>>
>> Did I miss something?
>>

Some mails later, I got to understand:

- API key is not authentication, but it is authorization

So, when I plan to enable the HTTP API, I must protect the webpage where
the API key lives by the usual means, e.g. HTTP Basic Authentication.

Aki also told me that there is a configurable list of allowed commands
somewhere.

The wiki also links to another (parent) page with more details. The 
number of commands is limited now, but may grow.

-- 
peter

