Re: saslpasswd2 and virtdomains


Subject: Re: saslpasswd2 and virtdomains
From: Igor Brezac (igor at ipass dot net)
Date: Mon May 19 2003 - 19:22:41 EDT


On Mon, 19 May 2003, Ken Murchison wrote:

> Quoting Igor Brezac <igor at ipass dot net>:
>
> >
> > On Mon, 19 May 2003, Ken Murchison wrote:
> >
> > > Quoting Igor Brezac <igor at ipass dot net>:
> > >
> > > >
> > > > On Sat, 17 May 2003, Ken Murchison wrote:
> > > >
> > > > > This is an unfortunate side-effect of the dual-mode virtdomains code.
> > > > > In addition to allowing user@domain login ids, it can also do reverse
> > > > > lookups of the IP address of the interface that the login comes in on
> > > > > to determine the domain. This happens by default if the login id is
> > > > > unqualified, which screws up what you are trying to do. I will take
> > > > > a look at making the virtdomains-by-IP code configurable (off by
> > > > > default).
> > > >
> > > > I suggest that the current behaviour is default (virtdomains-by-IP: on)
> > >
> > >
> > > Why is that?
> > >
> > > Since I've received little to no feedback from people using virtdomains
> > > with multiple IPs, I'm assuming that this will solve more problems than
> > > it will create.
> > >
> > > Also, I can't think of anything that will break with fully qualified
> > > userids if I disable the reverse lookup by default. Do you disagree?
> >
> > I may be missing something. Only unqualified userids should be run
> > through the reverse lookup. Now that I am thinking about it,
> > virtdomains-by-IP may not be needed unless someone wants to enforce fully
> > qualified username logins.
> >
> > I think there is a bug in the admin check where the admin account is
> > always fully qualified with the reverse result even when a fully qualified
> > login is specified. So, if the admin account is 'admin'; defaultdomain is
> > 'sub.domain.com'; reverse resolves to 'domain.com'; when I try cyradm
> > --user admin@sub.domain.com, admin@domain.com will be used for the password
> > check and I assume other admin operations. This looks like the problem
> > some people on this list have experienced. I am going to look in the
> > code.
>
> The problem is that the reverse lookup is _always_ done. In your example above,
> when the canonification code gets admin@sub.domain.com, it strips the domain

canonify_userid() strips the domain, where does the reverse lookup occur
before sasl_checkpass()?

> because it matches the defaultdomain. Since the userid is now unqualified, it
> falls through to the reverse lookup code. If the reverse lookup returns
> host.domain.com, then domain.com is appended to the userid, leaving you with
> admin@domain.com.

Wouldn't it make sense to append defaultdomain rather than doing a reverse
lookup? The problem I described occurs only for the login mech; plain works
fine.

> The bottom line is that turning off the reverse lookup fixes the problem above
> as well as removes the requirement of having to specify a defaultdomain in order
> to have a global admin.
>
> Those people that have multiple IPs and want to do virtdomains by doing reverse
> lookups can simply enable 'domainsfromip'.

> I already have this coded if you want to try it. Unfortunately I'm at a remote
> location which only gives me HTTP access, so I can't commit anything until Thursday.

Please email it to me.

I must have missed some changes. ;( The scenario I described above worked
as I expected in the March/April CVS snapshot of cyrus-imapd 2_2.

-- 
Igor
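To make the exchange above concrete, here is a small Python model of the canonification rules as Ken describes them (strip a domain that matches defaultdomain, then run any unqualified userid through the reverse lookup of the interface address). It is an added example, not Cyrus code: the reverse lookup is replaced by a constructed table, the `admins` entry is constructed, and the function names and the `domainsfromip` flag (borrowed from Ken's proposed option name) are assumptions. It shows Igor's scenario both with the lookup always on (admin@sub.domain.com ends up as admin@domain.com and no longer matches the admin list) and with it off.

```python
# Model of the userid canonification discussed in this thread (added
# example; not Cyrus code).  The reverse DNS lookup is stubbed with a
# constructed table so the block runs offline.

REVERSE_DNS = {
    "192.0.2.10": "host.domain.com",   # constructed: PTR of the login interface
}

ADMINS = {"admin"}                     # constructed imap.conf 'admins' entry


def domain_from_ip(interface_ip):
    """Per Ken's description: reverse-resolve the interface address and,
    if the result is host.domain.com, use domain.com as the domain."""
    host = REVERSE_DNS.get(interface_ip)
    if host is None:
        return None
    labels = host.split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


def canonify_userid(userid, defaultdomain, interface_ip, domainsfromip):
    """Return the canonical userid.

    Rules modelled from the thread:
      1. A qualified userid whose domain equals defaultdomain is stripped to
         the bare user (users in the default domain are stored unqualified).
      2. An unqualified userid is run through the reverse lookup only when
         domainsfromip is on; the 'always done' behaviour Igor hit is the
         domainsfromip=True case.
    """
    user, sep, domain = userid.partition("@")
    if sep and defaultdomain and domain.lower() == defaultdomain.lower():
        domain = ""                    # rule 1: userid is now unqualified
    if not domain and domainsfromip:   # rule 2: fall through to reverse lookup
        reverse_domain = domain_from_ip(interface_ip)
        if reverse_domain:
            domain = reverse_domain
    return f"{user}@{domain}" if domain else user


def is_admin(userid, defaultdomain, interface_ip, domainsfromip):
    """Whether the canonical form matches an entry in 'admins'."""
    canon = canonify_userid(userid, defaultdomain, interface_ip, domainsfromip)
    return canon in ADMINS


if __name__ == "__main__":
    # Igor's scenario: defaultdomain sub.domain.com, interface reverse-resolves
    # into domain.com, cyradm --user admin@sub.domain.com
    for on in (True, False):
        canon = canonify_userid("admin@sub.domain.com", "sub.domain.com",
                                "192.0.2.10", on)
        print(f"domainsfromip={on}: {canon!r} admin={canon in ADMINS}")
```

Running it prints admin@domain.com (not an admin) with the lookup on and a bare admin (matches the admin list) with it off, which is the effect Ken describes of no longer needing a defaultdomain to get a global admin.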
