On Mon, 29 Dec 2003, Christian Schulte wrote:

> Since you enabled virtdomains why do you still want unqualified logins
> if not due to upgrading reasons from an old installation with unqualified
> logins? This all only has to do with unqualified logins which I do not
> want/need except for the global admin. If someone plans on changing the
> behaviour with the global admin and defaultdomain I would really like to
> keep the ability to not let a global admin in if not connecting to
> localhost and of course there should be a note about the change so that
> next time updating cyrus I do not open up a security hole I spent hours
> to prove that it's greatly closed and safe :-)

Well, that's basically it. I want a global admin, so I need to have a defaultdomain set, which means the allowance of unqualified logins.

As for only being able to log in via localhost to your global admin account, it's a bug whether you like it or not :-) Relying on a bug to maintain your security is really bad security. The only time I feel secure in my setups is when I know everything is working as it should; otherwise there's always that bit of doubt about things always working right.

Besides, it's not like you couldn't replicate that sort of behavior further down the road. You could always set up a specific IMAP instance to watch over localhost which uses a different configuration file which has the global admin settings. Then modify the other configuration file to get rid of the global admin privileges. That way the system WILL ALWAYS do what you've now grown used to and you won't have to worry about it being fixed in the future.

Actually, maybe there's another good config option for security, "globaladmininterfaces", which says which interfaces or IPs a global admin can log in as.

My need for a global admin is for my administrative web interface. I can set up my scripts to use one login on the backend and not have to worry about setting up specific user addresses in each domain for administration, which pretty much makes them useless for actual mail receipt.

-peace

--
Let he who is without clue kiss my ass
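
The split-instance setup suggested in the reply above, sketched as configuration. This is an added example, not part of the original message and not the Cyrus project's own configuration. The file paths, port 1143, the address 192.0.2.10, the domain example.com and the admin names are assumptions.

```conf
# ---- /etc/cyrus.conf (SERVICES section only) ----
SERVICES {
  # Public instance: reads the default /etc/imapd.conf and listens on
  # the external address only (192.0.2.10 is a placeholder).
  imap       cmd="imapd" listen="192.0.2.10:imap" prefork=0

  # Admin instance: bound to loopback only, started with an alternate
  # configuration file via -C. Port 1143 is an arbitrary choice.
  imapadmin  cmd="imapd -C /etc/imapd-admin.conf" listen="127.0.0.1:1143" prefork=0
}

# ---- /etc/imapd.conf (public instance) ----
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
virtdomains: yes
defaultdomain: example.com
# No unqualified name in "admins": only a domain-qualified admin is
# listed, so no login on this instance gets global admin rights.
admins: postmaster@example.org

# ---- /etc/imapd-admin.conf (loopback instance) ----
# Must point at the same configdirectory and partitions as the public
# instance so both operate on the same mail store.
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
virtdomains: yes
defaultdomain: example.com
# The unqualified "cyrus" user is the global admin, and this file is
# only ever used by the service listening on 127.0.0.1.
admins: cyrus
```

With this layout the restriction comes from the listener address and the `admins` line of each file rather than from the login behaviour discussed in the thread, so it can be checked by reading the two configuration files.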