Subject: Re: ID for authenticated SMTP - msg#00075
List: mail.ims.general
Thanks Ned.
> Oh, something happened, I can assure you. If you used this setting in
> production you will now have a system littered with inaccessible mailboxes
> containing legitimate mail. That's what the MTA uses UIDs for: Mailbox
> names.
> So when you change this setting you're effectively changing how mailboxes
> are selected.
I'm glad that I did not change my LDAP_UID in production :)
> Ned
Previous Message by Date:
Re: ID for authenticated SMTP
> Is it possible to use the email address as the ID for authenticated SMTP?
That depends on what you mean by "id". It sounds like you mean "the thing
the user types along with their password in order to authenticate". That's
probably doable, but whether or not it is advisable may be another matter.
More specifically, the setting you're looking for is
sasl.default.ldap.searchfilter. This controls the search the authentication
code does to find the user's entry in the directory. It's in the form of a
template that gets filled in with whatever the user typed. The default value is
"(&(uid=%U)(objectclass=inetmailuser))" and you'd want to change it to
something like "(&(mail=%U)(objectclass=inetmailuser))".
As to whether or not this is a good idea, that really depends on your setup. In
a low security environment where users have their email addresses in various
different disjoint domains this sort of thing should not be a problem. If,
however, you're in a high security world every little bit of added security
helps, and having UIDs to log in with that aren't easily derivable from widely
known email addresses may actually be something of a win.
> The Communication Suite 5 Schema Reference vaguely says MTA used to override
> the uid attribute by LDAP_UID. I tried to put LDAP_UID=mail in option.dat
> and do the usual cnbuild and restart, nothing happened.
Oh, something happened, I can assure you. If you used this setting in
production you will now have a system littered with inaccessible mailboxes
containing legitimate mail. That's what the MTA uses UIDs for: Mailbox names.
So when you change this setting you're effectively changing how mailboxes
are selected.
Ned
Next Message by Date:
Re: ID for authenticated SMTP
Ned,
From: Ned Freed <ned.freed-F5mQmnvYeUVBDgjK7y7TUQ@xxxxxxxxxxxxxxxx>
Reply-To: Info-iMS-QMRIvgJGioDQT0dZR+AlfA@xxxxxxxxxxxxxxxx
To: Victor Shum <vshum-PkbjNfxxIARBDgjK7y7TUQ@xxxxxxxxxxxxxxxx>
CC: Info-iMS-QMRIvgJGioDQT0dZR+AlfA@xxxxxxxxxxxxxxxx
Subject: Re: [Info-iMS] ID for authenticated SMTP
Date: Fri, 24 Aug 2007 14:17:08 -0700 (PDT)
> > Is it possible to use the email address as the ID for authenticated SMTP?
> That depends on what you mean by "id". It sounds like you mean "the thing
> the user types along with their password in order to authenticate". That's
> probably doable, but whether or not it is advisable may be another matter.
> More specifically, the setting you're looking for is
> sasl.default.ldap.searchfilter. This controls the search the authentication
> code does to find the user's entry in the directory. It's in the form of a
> template that gets filled in with whatever the user typed. The default
> value is
> "(&(uid=%U)(objectclass=inetmailuser))" and you'd want to change it to
> something like "(&(mail=%U)(objectclass=inetmailuser))".
Did that but not quite working. Looking at the LDAP log, it is looking up
the local part of the smtp address. Everything starting from the "@" sign
is dropped. Is there another metacharacter other than %U that will carry
the full email address?
Victor
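
A small model of the template expansion discussed in this thread, added here as an illustration and not taken from the thread or from Messaging Server. It assumes %U receives only the part of the login before "@" (as reported from the LDAP log above) and adds RFC 4515 escaping of the typed value; the function names and the sample directory entry are constructed.

```python
# Added illustration: models a login-to-LDAP-filter template.
# This is not Messaging Server code; names and sample data are constructed.

# RFC 4515 escapes for characters that have meaning inside a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

DEFAULT_FILTER = "(&(uid=%U)(objectclass=inetmailuser))"
MAIL_FILTER = "(&(mail=%U)(objectclass=inetmailuser))"

# Constructed sample entry standing in for the directory.
DIRECTORY = [{"uid": "jdoe", "mail": "jdoe@example.com"}]


def escape_filter_value(value):
    """Escape a typed value so it is treated as data, not filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def split_login(login, separator="@"):
    """Split what the user typed into (name part, domain part)."""
    name, _, domain = login.partition(separator)
    return name, domain


def expand_filter(template, login):
    """Fill %U with the escaped name part of the login (assumed behaviour)."""
    name, _domain = split_login(login)
    return template.replace("%U", escape_filter_value(name))


def find_entries(attr, login, directory=DIRECTORY):
    """Return entries whose attribute equals the value substituted for %U."""
    name, _domain = split_login(login)
    return [entry for entry in directory if entry.get(attr) == name]


if __name__ == "__main__":
    login = "jdoe@example.com"
    for template, attr in ((DEFAULT_FILTER, "uid"), (MAIL_FILTER, "mail")):
        hits = find_entries(attr, login)
        print(expand_filter(template, login), "->", len(hits), "match(es)")
```

With the full address typed as the login, the uid filter still finds the entry while the mail filter finds nothing, because only the name part is compared against the mail attribute.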