Accessing mail as another user
Hello,
I'm looking for a way to access a POP/IMAP account as a user different from me, but using my password. That is, I'm "someone@domain.com" and I want to access the "anotherone@domain.com" mailbox using the password of "someone@domain.com", not that of "anotherone@domain.com" (something similar to master passwords, but without sharing any password). Obviously, in my LDAP backend I can configure something to authorize "someone" to access "anotherone"'s mailbox.
At the moment, I'm trying to use someone@domain.com@anotherone@domain.com as the username, with a passdb that uses %{username}@%{domain_first} to authenticate the user, but I'm having problems configuring a userdb map to get the mailbox, because the %{domain_first} variable returns just "domain.com". To fix this, I could use "someone@anotherone@domain.com", but this has problems with virtual domains and different users with the same username (someone@domain.com and someone@otherdomain.com).
Looking at the documentation, at [1], the "auth_user" variable says: "... If username changes during authentication, this value contains the original username..." which leads me to think that there is some way to change the user during the authentication process, but I don't know how, or maybe I'm assuming wrong.
Any help with this? Thank you.
[1] http://wiki.dovecot.org/Variables
Angel L. Mateo Martínez Sección de Telemática Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA) http://www.um.es/atica Tfo: 868887590 Fax: 868888337
On 2016-02-09 at 10:54, Angel L. Mateo wrote:
[…] Looking at the documentation, at [1], the "auth_user" variable says: "... If username changes during authentication, this value contains the original username..." which leads me to think that there is some way to change the user during the authentication process, but I don't know how, or maybe I'm assuming wrong.
If I fully understand, user switching is done by having userdb return arbitrary uid, gid, user for the principal used in authentication. After being switched, you ARE the other one, so in my (possibly limited) understanding you can no longer read your own mail. That might not be intended?
-- peter
On 09/02/16 at 12:03, Peter Chiochetti wrote:
On 2016-02-09 at 10:54, Angel L. Mateo wrote:
[…] Looking at the documentation, at [1], the "auth_user" variable says: "... If username changes during authentication, this value contains the original username..." which leads me to think that there is some way to change the user during the authentication process, but I don't know how, or maybe I'm assuming wrong.
If I fully understand, user switching is done by having userdb return arbitrary uid, gid, user for the principal used in authentication. After being switched, you ARE the other one, so in my (possibly limited) understanding you can no longer read your own mail. That might not be intended?
To access my own mail, I would use someone@domain.com as the username, not someone@domain.com@another@domain.com.
Looking deeper into the master password documentation, I think I'll be able to configure it. But I'm going to need to find a way to limit the access to just another@domain.com's mailbox, not all mailboxes.
-- Angel L. Mateo Martínez Sección de Telemática Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA) http://www.um.es/atica Tfo: 868887590 Fax: 868888337
On 2016-02-09 at 10:54, Angel L. Mateo wrote:
I'm looking for a way to access a POP/IMAP account as a user different from me, but using my password. That is, I'm "someone@domain.com" and I want to access the "anotherone@domain.com" mailbox using the password of "someone@domain.com", not that of "anotherone@domain.com" (something similar to master passwords, but without sharing any password). Obviously, in my LDAP backend I can configure something to authorize "someone" to access "anotherone"'s mailbox.
Do you maybe mean shared mailboxes: http://wiki.dovecot.org/SharedMailboxes
-- Regards, Matthias
On 09/02/16 at 13:44, Matthias Fechner wrote:
Do you maybe mean shared mailboxes: http://wiki.dovecot.org/SharedMailboxes
I don't want shared mailboxes. I have to access the other mailbox as a completely separate account from my personal one.
I think I can achieve this with a master user, but I need to find a way to configure permissions so the real user has access to all folders in the other mailbox.
-- Angel L. Mateo Martínez Sección de Telemática Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA) http://www.um.es/atica Tfo: 868887590 Fax: 868888337
Hi, we have such a configuration in our Dovecot; it is configured with virtual users and ACLs. To enable access to userA's mailbox for userB, first I have to add userB to userA's ACL, and then I put userA's username in an ARBITRARY_FIELD of userB's record in our LDAP (if you use a DB for your accounts, the configuration could be simpler). We use the ARBITRARY_FIELD to limit access to other users' mailboxes: the field is not writable by the user, only by administrators.
Our config files:

/etc/dovecot/conf.d/auth-master.conf.ext
...
passdb {
  driver = ldap
  master = yes
  args = /etc/dovecot/dovecot-ldap.conf.masterusers
  pass = yes
  default_fields = userdb_mail=maildir:/path_to_mailboxes/%1{login_user}/%{login_user}:INDEXPVT=/path_to_indexes/%1n/%n/shared/%{login_user}
}

and in /etc/dovecot/dovecot-ldap.conf.masterusers
...
pass_attrs = uid=user,userPassword=password
pass_filter = (&(uid=%n)(accountStatus=active)(ARBITRARY_FIELD=%{login_user}))
To log in, you have to use the same form as for a master user:

Login: userA*userB
Password: userB_password
Cheers, Marco
On 2016-02-10 07:49, Angel L. Mateo wrote:
On 09/02/16 at 13:44, Matthias Fechner wrote:
Do you maybe mean shared mailboxes: http://wiki.dovecot.org/SharedMailboxes
I don't want shared mailboxes. I have to access the other mailbox as a completely separate account from my personal one.
I think I can achieve this with a master user, but I need to find a way to configure permissions so the real user has access to all folders in the other mailbox.
-- Marco Giunta - ITCS SysAdmin Via Bonomea, 265 34136 - Trieste, Italy Tel: +39-040-3787-503 Fax: +39-040-3787-244
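The setup Marco describes, written out as one annotated configuration. This is an added example, not Marco's or the Dovecot project's own files: the LDAP attribute name dovecotMasterOf (standing in for Marco's ARBITRARY_FIELD), the LDAP connection settings, the mailbox paths and the ACL file location are assumptions, and the version-specific ACL behaviour should be checked against the documentation of the Dovecot release in use.

```conf
# --- /etc/dovecot/conf.d/10-auth.conf (fragment) ---
# Master-user logins have the form <login_user>*<master_user>; the password
# supplied is the master user's own, so no mailbox owner's password is shared.
auth_master_user_separator = *

# --- /etc/dovecot/conf.d/auth-master.conf.ext ---
# This passdb is consulted only for logins that contain the separator.
passdb {
  driver = ldap
  master = yes
  args = /etc/dovecot/dovecot-ldap.conf.masterusers
  # pass = yes: after the master password is verified, the login user is still
  # looked up in the normal passdbs, so a non-existent target is rejected.
  pass = yes
  # Assumed layout: %1{login_user} is the first character of the target user,
  # used as a hash directory; adjust to the real mail location.
  default_fields = userdb_mail=maildir:/var/vmail/%1{login_user}/%{login_user}:INDEXPVT=/var/vmail-index/%1n/%n/shared/%{login_user}
}

# --- /etc/dovecot/dovecot-ldap.conf.masterusers ---
# Connection settings are placeholders for this example.
hosts = ldap.example.org
dn = cn=dovecot,ou=services,dc=example,dc=org
dnpass = REPLACE_WITH_BIND_PASSWORD
base = ou=people,dc=example,dc=org
pass_attrs = uid=user,userPassword=password
# %n is the master user (who typed the password); %{login_user} is the mailbox
# being opened. The filter matches only if the master user's entry explicitly
# names that mailbox in dovecotMasterOf (assumed attribute, multi-valued), so
# authority is granted per target mailbox, not to "all mailboxes". Keep the
# attribute writable by administrators only, as Marco points out.
pass_filter = (&(uid=%n)(accountStatus=active)(dovecotMasterOf=%{login_user}))

# --- /etc/dovecot/conf.d/90-acl.conf ---
# Once switched, the session runs as the login user, so the ACL plugin is the
# second check that keeps the master user out of folders not granted to it.
mail_plugins = $mail_plugins acl
plugin {
  acl = vfile
}

# --- dovecot-acl file inside userA's mailbox (per-folder, vfile backend) ---
# Grants userB read/write rights on that folder when logged in as userA*userB:
#   user=userB lrwstipekxa
```

The LDAP filter and the ACL entry answer two different questions: the filter decides whether userB may open userA's account at all, the ACL decides which of userA's folders userB may touch once inside. A mismatch between the two (for example an LDAP grant with no matching ACL entry) fails closed, which is the safer direction. Audit both the attribute values and the ACL files, since either one alone is a full read grant on someone else's mail.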
I have this configuration running, except for the ACL. The problem I'm having with ACLs is that I have to manually create the ACL for each folder userB has, and if userB creates a new folder, then it is forbidden for userA until I update the ACL.
How do you solve this?
On 15/02/16 at 09:18, Marco Giunta wrote:
Hi, we have such a configuration in our Dovecot; it is configured with virtual users and ACLs. To enable access to userA's mailbox for userB, first I have to add userB to userA's ACL, and then I put userA's username in an ARBITRARY_FIELD of userB's record in our LDAP (if you use a DB for your accounts, the configuration could be simpler). We use the ARBITRARY_FIELD to limit access to other users' mailboxes: the field is not writable by the user, only by administrators.
Our config files:

/etc/dovecot/conf.d/auth-master.conf.ext
...
passdb {
  driver = ldap
  master = yes
  args = /etc/dovecot/dovecot-ldap.conf.masterusers
  pass = yes
  default_fields = userdb_mail=maildir:/path_to_mailboxes/%1{login_user}/%{login_user}:INDEXPVT=/path_to_indexes/%1n/%n/shared/%{login_user}
}

and in /etc/dovecot/dovecot-ldap.conf.masterusers
...
pass_attrs = uid=user,userPassword=password
pass_filter = (&(uid=%n)(accountStatus=active)(ARBITRARY_FIELD=%{login_user}))
To log in, you have to use the same form as for a master user:

Login: userA*userB
Password: userB_password
Cheers, Marco
On 2016-02-10 07:49, Angel L. Mateo wrote:
On 09/02/16 at 13:44, Matthias Fechner wrote:
Do you maybe mean shared mailboxes: http://wiki.dovecot.org/SharedMailboxes
I don't want shared mailboxes. I have to access the other mailbox as a completely separate account from my personal one.
I think I can achieve this with a master user, but I need to find a way to configure permissions so the real user has access to all folders in the other mailbox.
-- Angel L. Mateo Martínez Sección de Telemática Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA) http://www.um.es/atica Tfo: 868887590 Fax: 868888337
Participants (4): Angel L. Mateo, Marco Giunta, Matthias Fechner, Peter Chiochetti