[Dovecot] Patch: support URLAUTH, BURL, CATENATE
Timo Sirainen
tss at iki.fi
Sat Apr 10 06:41:58 EEST 2010
On 9.4.2010, at 14.24, Mike Abbott wrote:
> The patch adds the concept of "submit" users. Submit users are like
> master users in that they may log in as any user. However submit users
> can use only a limited set of commands: just URLFETCH, ID, CAPABILITY
> (although the capabilities are a lie since submit users can't use most
> commands), and LOGOUT. This restriction enables an IMAP server to allow
> a BURL-capable submission server to use URLFETCH commands without
> risking a huge security breach if a submit user's credentials are
> compromised. In other words, you can safely enable limited-power submit
> users without enabling super-user master users.

Hmm. They are quite similar though. Maybe it could internally work pretty much the same as master user, except have a single flag saying it's a submit user, and based on that deny the commands. And actually this could be merged with the support for checking if user is anonymous. So something like:

MASTER_USER=submit
USER_TYPE=anonymous | normal | submit

> The patch adds a non-standard X-PLAIN-SUBMIT authentication method
> specifically to allow plain-text submit user logins while plain-text
> regular user logins are not allowed. This lets the system administrator
> configure the same submit user and password credentials on both the
> submission server and the IMAP server.

With v2.0 it's possible to do:

disable_plaintext_auth = yes
remote submit.domain.org {
  disable_plaintext_auth = no
}

I think that takes care of the need for X-PLAIN-SUBMIT?
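
The command restriction for submit users described in the quoted text, sketched as a deny-by-default gate. This is an added example, not code from the patch or from Dovecot: `enum user_type`, `parse_command` and `command_allowed` are hypothetical names, and it assumes the command word is the second space-delimited token of the line.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical names; not Dovecot's own types. */
enum user_type { USER_TYPE_ANONYMOUS, USER_TYPE_NORMAL, USER_TYPE_SUBMIT };

/* The four commands the quoted text allows a submit user. */
static const char *const submit_allowed[] = {
    "URLFETCH", "ID", "CAPABILITY", "LOGOUT"
};

/* Copy the command word of "tag SP command [SP args]" into cmd.
   Returns 0 on success, -1 if the tag or command is missing. */
static int parse_command(const char *line, char *cmd, size_t cmd_size)
{
    const char *p = strchr(line, ' ');
    size_t len;
    if (p == NULL || p == line)
        return -1;
    p++;
    len = strcspn(p, " \r\n");
    if (len == 0 || len >= cmd_size)
        return -1; /* empty or oversized command word */
    memcpy(cmd, p, len);
    cmd[len] = '\0';
    return 0;
}

/* Returns 1 if the command may run for this user type, 0 otherwise. */
int command_allowed(enum user_type type, const char *line)
{
    char cmd[32];
    size_t i;
    if (type != USER_TYPE_SUBMIT)
        return 1; /* limits for other types are not described here */
    if (parse_command(line, cmd, sizeof(cmd)) < 0)
        return 0; /* deny by default: unparseable input */
    for (i = 0; i < sizeof(submit_allowed) / sizeof(submit_allowed[0]); i++)
        if (strcasecmp(cmd, submit_allowed[i]) == 0)
            return 1;
    return 0; /* not on the allowlist */
}

int main(void)
{
    /* Constructed sample line: SELECT is refused for a submit user. */
    printf("%d\n", command_allowed(USER_TYPE_SUBMIT, "a2 SELECT INBOX\r\n"));
    return 0;
}
```

Matching the whole command word means `IDLE` is not accepted as `ID`, and `UID FETCH` is refused because `UID` is not on the list.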