Am 2016-03-04 um 23:35 schrieb Michael M Slusarz:
And you are normally only exposing doveadm functionality in internal, private networks.
On 3/4/2016 11:27 AM, Aki Tuomi wrote:
In future release we will add master authentication too. Now you can use api key or doveadm password which are essentially same thing. ---Aki TuomiDovecot oy-------- Alkuperäinen viesti --------Lähettäjä: Peter Chiochetti pch@myzel.net Päivämäärä: 4.3.2016 20.20 (GMT+02:00) Saaja: dovecot@dovecot.org Aihe: Re: v2.2.22 release candidate released Am 2016-03-04 um 14:33 schrieb Timo Sirainen:
+ Added doveadm HTTP API: See http://wiki2.dovecot.org/Design/DoveadmProtocol/HTTPHmm, so anybody who has the API key can send any doveadm commands?
I guess something like /etc/sudoers for API keys would be good?
Did I miss something?
Some mails later, I got to understand:
- API key is not authentication, but it is authorization
So, when I plan to enable the HTTP API, I must protect the webpage where the API key lives in by the usual means, eg. HTTP Basic Authentication.
Aki also told me, that there is a configurable list of allowed commands somewhere.
The wiki also links to another (parent) page with more details. The number of commands is limited now, but may grow.
-- peter