[Dovecot] Patch: 2.0 support for URLAUTH, BURL, CATENATE

Fri Jan 14 19:35:23 EET 2011

On Dec 5, 2010, at 11:17 PM, Timo Sirainen wrote:

> I don't think there's any need to send "anonymous_username" to imap
> process? It just seems to want to know if the current user is anonymous
> or not. That same thing has been in my TODO list for a while already
> because ManageSieve could use that information too. So committed now:
> http://hg.dovecot.org/dovecot-2.0/rev/c41ba33b8e16

I just tried out this change and it does not replace the need for the anonymous_username field.  I only now fully understand the comment:
                        /* this is an anonymous login, either via ANONYMOUS
                           SASL mechanism or simply logging in as the anonymous
                           user via another mechanism */
Since the change does not distinguish between those two cases it breaks the "authuser" access identifier for the anonymous user when he is logged in non-anonymously.  I would not really care about this edge case except that the contributed implementation requires that the username in the IMAP URL matches the authenticated user's username even for the "anonymous" and "authuser" access identifiers, in violation of RFC 4467 section 4.  (The implementation requires a match because Dovecot does not (can not) reach into another user's mail storage.)  This means that the "anonymous" and "authuser" access identifiers only work for the anonymous user in the implementation; your change makes the "authuser" access identifier always fail for the anonymous user.  The anonymous_username field in the original contributed patch does distinguish between SASL ANONYMOUS and logging in as the anonymous user via another mechanism, so the "anonymous" and "authuser" access identifiers work properly for the anonymous user (but not for any other user).

If you can teach me how to make urlfetch_url() access any user's mail storage from an IMAP process logged in as a different user (subject to OS uid/gid permission constraints), I can make "anonymous" and "authuser" work for all users and use your change instead of the "anonymous_username" field.

Alternatively, you could edit your change to add the "anonymous" indication to the auth reply only for SASL ANONYMOUS authentications rather than for all anonymous-user authentications, unless that would cause trouble for ManageSieve.