5 Replies. Latest reply: Jun 5, 2013 1:40 PM by JimKlimov

    IMAP proxy auth - logs in as admin if user is absent

    JimKlimov
      While syncing accounts from an older server to OCUCS with the imapsync script, I found today that when using IMAP proxy auth (with OCUCS 7u2 "vanilla" installation) and specifying a wrong user name (unknown to OCUCS), the IMAP server logs the absence of the user; however, imapsync goes on to put sync'ed messages into the proxy-admin user's account.

      I believe this means that failure to proxy-login as invalid user still succeeds as a proxy-user login. (Or imapsync retries this login, and the problem is there - I'll try to research that possibility too).

      If the problem is known to be the Messaging server's one, is there any toggle to disable such logins as the proxy user, and return a failure (i.e. user account absence, password mismatch, whatever)?
        • 1. Re: IMAP proxy auth - logs in as admin if user is absent
          Kellyc-Oracle
          When you say "proxy auth", are you talking about logging in as the admin user and then using the Messaging Server proprietary "proxyauth" command to switch to the other user?
          Or are you talking about using SASL auth plain and sending the <userid><null><adminid><null><adminpassword>?

          For an example of the former, see MOS knowledge article Doc ID 1387203.1.
          For an example of the latter, see MOS Doc ID 1012047.1.

          If you are doing the former, then this makes sense. You have logged in as admin and then tried to proxyauth to another user, but it failed, so you are still logged in as admin.

          If you are doing the latter, I would expect that login to fail. So if this is happening, please open a support case so we can submit a bug.
          • 2. Re: IMAP proxy auth - logs in as admin if user is absent
            JimKlimov
            Ok, upon revising the imapsync script (and parameters I've needed to set for OCUCS), I see this comment in the docs:
            You may authenticate as one user (typically an admin user), but be authorized as someone else, which means you don't need to know every user's personal password.
            Specify authuser1 "adminuser" to enable this on host1.  In this case, authmech1 PLAIN will be used by default since it is the only way to go for now.
            So don't use authmech1 SOMETHING with authuser1 "adminuser", it will not work. Same behavior with the --authuser2 option.

            When working on Sun/iPlanet/Netscape IMAP servers you must use --proxyauth1 to enable administrative user to masquerade as another user.
            Can also be used on destination server with --proxyauth2
            Indeed, I had to use "--proxyauth2" to receive mails into a user's mailbox, and according to your description, the server part seemingly works as designed - so no problem on OCUCS side. I wonder if imapsync script can be amended to detect the "proxyauth" failure and abort, but this is also not an OCUCS problem indeed.

            Thanks for the quick and helpful description.
            • 3. Re: IMAP proxy auth - logs in as admin if user is absent
              JimKlimov
              Just in case for posterity, here's the patch against imapsync-1.525 that adds proper support for proxyauth failures (I hope the forums won't mutilate the code too much):
              # gdiff -Naur imapsync.orig-1.525 imapsync
              --- imapsync.orig-1.525 2013-03-01 04:52:27.723596921 +0400
              +++ imapsync 2013-06-05 21:15:49.467134456 +0400
              @@ -2036,7 +2036,14 @@
              $imap->login() or
              die_clean("$info [LOGIN]: ", $imap->LastError, "\n") ;
              }
              - $proxyauth && $imap->proxyauth($user);
              + if ($proxyauth) {
              + if ( ! $imap->proxyauth($user) ) {
              + my $info = "Failure: error doing proxyauth as user [$user] on [$host] using proxy-login as [$authuser]" ;
              + my $einfo = $imap->LastError || @{$imap->History}[-1] ;
              + chomp( $einfo ) ;
              + die_clean("$info: $einfo\n") ;
              + }
              + }
              $split and $imap->Split( $split ) ;

              print "Info: success login on [$host] with user [$user] auth [$authmech]\n";
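              Review bot: the added "my $info" inside the proxyauth failure block shadows the $info that the [LOGIN] die_clean call in the context lines above already uses; a distinct name for the new message would keep the two apart. On the following added line, @{$imap->History}[-1] is a one-element array slice where the scalar form ${$imap->History}[-1] is meant, and chomp( $einfo ) will warn if both LastError and the history entry are empty, so a literal fallback string at the end of the || chain is worth adding. The message also interpolates $authuser, which appears nowhere else in the visible lines; check that it is in scope at this point.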
              The patch was submitted to the author, so possibly versions after the currently released 1.542 would include this logic out of the box.

              HTH,
              //Jim Klimov
              • 4. Re: IMAP proxy auth - logs in as admin if user is absent
                Kellyc-Oracle
                It might be worth trying "-authuser1 "adminuser" ... --authmech1 PLAIN". That sounds like "the latter" I mentioned before. It is a standard mechanism. I don't know when Messaging Server started supporting it, but it has been a while. It is how we recommend this sort of thing be done rather than the proprietary "proxyauth" command.
                • 5. Re: IMAP proxy auth - logs in as admin if user is absent
                  JimKlimov
                  I believe I've tried that in my initial tests, but this is not even reflected in my notes among successful attempts. Must have failed for some reason and I moved on, and since proxyauth did work - I didn't look deeper. I'll leave it be (ain't broke - don't fix) but may try to revise the method next time.
                  Thanks,
                  //Jim Klimov
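
The two mechanisms discussed in this thread, as an added example that is not part of the original posts and is not imapsync or Messaging Server code: it builds the SASL PLAIN message in the field order given in reply 1 and replays a session so that a refused PROXYAUTH aborts instead of continuing as the admin. The function names, the user names and the server reply text are constructed for illustration.

```python
import base64
import re

def sasl_plain(authzid, authcid, password):
    """RFC 4616 PLAIN message: authzid NUL authcid NUL passwd, base64-encoded
    as IMAP AUTHENTICATE expects. authzid is the mailbox owner to act as."""
    if any("\0" in p for p in (authzid, authcid, password)):
        raise ValueError("NUL is the field separator and may not appear in a field")
    return base64.b64encode("\0".join((authzid, authcid, password)).encode()).decode()

TAGGED = re.compile(r"^(\S+) (OK|NO|BAD)\b", re.IGNORECASE)

def completion(lines, tag):
    """Status of the tagged completion response for `tag`, or None."""
    for line in lines:
        m = TAGGED.match(line)
        if m and m.group(1) == tag:
            return m.group(2).upper()
    return None

def effective_user(steps, admin, target):
    """Replay (tag, kind, server_lines) steps and return the identity the
    session ends up acting as. Any refused step aborts instead of continuing
    under whatever identity the session already holds."""
    identity = None
    for tag, kind, lines in steps:
        if completion(lines, tag) != "OK":
            raise PermissionError(
                f"{kind} refused (wanted {target!r}); session identity is {identity!r}")
        identity = admin if kind == "LOGIN" else target
    return identity

# Constructed server replies; the response text is illustrative only.
PROXY_OK = [("a1", "LOGIN", ["a1 OK logged in"]),
            ("a2", "PROXYAUTH", ["a2 OK proxyauth done"])]
PROXY_REFUSED = [("a1", "LOGIN", ["a1 OK logged in"]),
                 ("a2", "PROXYAUTH", ["a2 NO unknown user"])]
PLAIN_REFUSED = [("a1", "AUTHENTICATE PLAIN", ["a1 NO authentication failed"])]

def ends_as(steps, admin="admin", target="jdoe"):
    """Final identity, or None when the session was aborted."""
    try:
        return effective_user(steps, admin, target)
    except PermissionError:
        return None
```

In the PROXYAUTH flow a refusal leaves an authenticated admin session behind, which is why the client has to stop; in the PLAIN flow a refusal leaves no session at all.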