[Dovecot] Why are ACLs for non-existent mailboxes accepted?
Dovecot 2.2.9-1 accepts SETACL commands that share mailboxes to non-existent mailboxes. There is no error message. Is this intended behavior?
I think it's bad because clients present a success message when indeed the intent of the user failed. Typos are hard to catch.
On Thursday 20 February 2014 20:45:32 Boris wrote:
> Dovecot 2.2.9-1 accepts SETACL commands that share mailboxes to non-existent mailboxes. There is no error message. Is this intended behavior?
> I think it's bad because clients present a success message when indeed the intent of the user failed. Typos are hard to catch.
I probably found the solution myself. Quoting RFC 4314:
An implementation MUST make sure the ACL commands themselves do not give information about mailboxes with appropriately restricted ACLs. For example, when a user agent executes a GETACL command on a mailbox that the user has no permission to LIST, the server would respond to that request with the same error that would be used if the mailbox did not exist, thus revealing no existence information, much less the mailbox's ACL.
If Dovecot would give any error message to the user he would be able to check the existence of mailboxes. In reality imho this isn't any additional insecurity since I could simply send an email to this mailbox and would receive a "delivery failed" message thus knowing of its existence.
So is there a way to force Dovecot to refuse SETACL to nonexistent users?
On 2014-02-20 21:15, Boris wrote:
> If Dovecot would give any error message to the user he would be able to check the existence of mailboxes. In reality imho this isn't any additional insecurity since I could simply send an email to this mailbox and would receive a "delivery failed" message thus knowing of its existence.
What if the email is an alias? It still does not reveal if it's local or remote,
and there is still the possibility that more than one alias has a single mailbox,
so you lose there :=)
On Thu, 20 Feb 2014, Boris wrote:
> On Thursday 20 February 2014 20:45:32 Boris wrote:
>> Dovecot 2.2.9-1 accepts SETACL commands that share mailboxes to non-existent mailboxes. There is no error message. Is this intended behavior?
There is a "false friend" here. A "mailbox" in the tongue of many English speakers is an IMAP folder, the mailbox file all mails had been appended together in the old times, when mbx or mbox mail storage format was common. In Germany many people use "Mailbox" as the collection of all IMAP folders of one account.
So the question is why Dovecot accepts non-existent _users_ as you wrote in your last line.
> I probably found the solution myself. Quoting RFC 4314:
No, because of mailbox != Mailbox.
Steffen Kaiser
On Friday 21 February 2014 08:54:34 Steffen Kaiser wrote:
> On Thu, 20 Feb 2014, Boris wrote:
>> On Thursday 20 February 2014 20:45:32 Boris wrote:
>>> Dovecot 2.2.9-1 accepts SETACL commands that share mailboxes to non-existent mailboxes. There is no error message. Is this intended behavior?
> There is a "false friend" here. A "mailbox" in the tongue of many English speakers is an IMAP folder, the mailbox file all mails had been appended together in the old times, when mbx or mbox mail storage format was common. In Germany many people use "Mailbox" as the collection of all IMAP folders of one account.
> So the question is why Dovecot accepts non-existent _users_ as you wrote in your last line.
>> I probably found the solution myself. Quoting RFC 4314:
> No, because of mailbox != Mailbox.
So what is the reason then?
Quoting Boris da-dovecotlist-15@abelonline.de:
> On Friday 21 February 2014 08:54:34 Steffen Kaiser wrote:
>> On Thu, 20 Feb 2014, Boris wrote:
>>> On Thursday 20 February 2014 20:45:32 Boris wrote:
>>>> Dovecot 2.2.9-1 accepts SETACL commands that share mailboxes to non-existent mailboxes. There is no error message. Is this intended behavior?
>> There is a "false friend" here. A "mailbox" in the tongue of many English speakers is an IMAP folder, the mailbox file all mails had been appended together in the old times, when mbx or mbox mail storage format was common. In Germany many people use "Mailbox" as the collection of all IMAP folders of one account.
>> So the question is why Dovecot accepts non-existent _users_ as you wrote in your last line.
>>> I probably found the solution myself. Quoting RFC 4314:
>> No, because of mailbox != Mailbox.
> So what is the reason then?
There is nothing in RFC 4314 that requires the mailbox to exist.
SETACL only returns NO if you "can't set acl". But "can't set acl" !=
"mailbox has to exist". Example: a server can allow pre-setting ACLs
for mailboxes that MAY be created in the future. Perfectly legal
according to the spec.
RFC 3501 defines the commands needed to check for mailbox existence.
If you are trying to use ACL commands to determine mailbox existence
you are doing it wrong.
michael
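Michael's point above, as an added example that is not part of the original thread: a client checks mailbox existence with LIST (RFC 3501) before sending SETACL, so a typo in the mailbox name is caught even when the server accepts the ACL. `checked_setacl`, `mailbox_exists` and `FakeServer` are hypothetical names; the connection is assumed to expose `list()` and `setacl()` like Python's `imaplib.IMAP4`, mailbox names are assumed to be plain ASCII, and the identifier being granted rights is not validated.

```python
import re

# One untagged LIST reply as imaplib hands it back, e.g.
#   b'(\\HasNoChildren) "/" "Projects/2014"'
LIST_LINE = re.compile(rb'^\([^)]*\) (?:"(?:\\.|[^"])"|NIL) (.+)$')


def quote(name):
    """Quote a mailbox name as an IMAP string (ASCII names assumed)."""
    return '"' + name.replace("\\", "\\\\").replace('"', '\\"') + '"'


def mailbox_exists(conn, mailbox):
    """Use LIST (RFC 3501) to check that exactly this mailbox exists."""
    typ, data = conn.list('""', quote(mailbox))
    if typ != "OK":
        return False
    for line in data:
        if not isinstance(line, bytes):  # imaplib returns [None] for no match
            continue
        m = LIST_LINE.match(line)
        # Compare names exactly: '*' or '%' in a typo would act as a wildcard.
        if m and m.group(1).decode("ascii", "replace").strip('"') == mailbox:
            return True
    return False


def checked_setacl(conn, mailbox, who, rights):
    """Send SETACL only after LIST confirms the mailbox; True on OK."""
    if not mailbox_exists(conn, mailbox):
        raise LookupError("no such mailbox (per LIST): %r" % mailbox)
    typ, _ = conn.setacl(quote(mailbox), who, rights)
    return typ == "OK"


class FakeServer:
    """Constructed stand-in for imaplib.IMAP4: SETACL always answers OK."""
    def __init__(self, names):
        self.names, self.acl_calls = names, []

    def list(self, directory, pattern):
        hits = [n for n in self.names if quote(n) == pattern]
        return "OK", [b'(\\HasNoChildren) "/" ' + quote(n).encode() for n in hits] or [None]

    def setacl(self, mailbox, who, what):
        self.acl_calls.append((mailbox, who, what))
        return "OK", [b"Setacl complete."]
```
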
On Monday 24 February 2014 18:04:40 Michael M Slusarz wrote:
> SETACL only returns NO if you "can't set acl". But "can't set acl" != "mailbox has to exist". Example: a server can allow pre-setting ACLs for mailboxes that MAY be created in the future. Perfectly legal according to the spec.
Sounds reasonable. Thank you for the hint.
> RFC 3501 defines the commands needed to check for mailbox existence. If you are trying to use ACL commands to determine mailbox existence you are doing it wrong.
I'm glad I'm not doing this then.
participants (4)
- Benny Pedersen
- Boris
- Michael M Slusarz
- Steffen Kaiser