On 2016-03-04 at 23:35, Michael M Slusarz wrote:
And you are normally only exposing doveadm functionality in internal,
private networks.
On 3/4/2016 11:27 AM, Aki Tuomi wrote:
In a future release we will add master authentication too. Now you can
use the API key or doveadm password, which are essentially the same thing.
---
Aki Tuomi
Dovecot oy

-------- Original message --------
From: Peter Chiochetti <p...@myzel.net>
Date: 4.3.2016 20.20 (GMT+02:00)
To: dovecot@dovecot.org
Subject: Re: v2.2.22 release candidate released
On 2016-03-04 at 14:33, Timo Sirainen wrote:
+ Added doveadm HTTP API: See
http://wiki2.dovecot.org/Design/DoveadmProtocol/HTTP
Hmm, so anybody who has the API key can send any doveadm commands?
I guess something like /etc/sudoers for API keys would be good?
Did I miss something?
Some mails later, I got to understand:
- API key is not authentication, but it is authorization
So, when I plan to enable the HTTP API, I must protect the webpage where
the API key lives by the usual means, e.g. HTTP Basic Authentication.
Aki also told me that there is a configurable list of allowed commands
somewhere.
The wiki also links to another (parent) page with more details. The
number of commands is limited now, but may grow.
--
peter