> Chris,
>
> Thanks for your efforts.  This works for me.  However, this workaround has a
> few drawbacks that you may already be aware of:
>
> 1. If imap access is turned off (via vmoduser -i), then imap access is not
> granted, but open_relay still tries to run and just leaves the open_smtp
> file owned by root.root, making roaming break until permissions are changed
> back.
>
> 2. If roaming is disabled for that user (via vmoduser -r), open_relay has no
> way of knowing since it's separate from authvchkpw now.  So they get to roam
> anyway.
>
> 3. For people using multiple authentication modules (not me), anyone who is
> authenticated will get roaming access.
>
> Since we are now forced to use authdaemon (as far as I can tell, anyway),
> seems like the best solution would be for imaplogin to pass the environment
> to authdaemond.  This would fix everything mentioned above, I think, and
> perhaps similar issues for other authentication modules.
>

1. This is a problem with the vpopmail.c code, IMHO it doesn't recover
from hiccups as well as it should.

2,3. The real problem here is that a side effect (SMTP relay authentication)
is being piggy-backed onto authentication. authdaemond is solely concerned
with checking the validity of username/passwd pairs against various
sources. In this sense smtp_open_relay is a bit of a hack. And I've just
whipped together a hack to fix a broken hack. I'm currently looking into
patching/adding SMTP AUTH over TLS/SSL with an authdaemon backend into
qmail-smtp. This would be a more pragmatic solution that could fall back
on smtp_open_relay for roaming users who can't do SMTP AUTH over SSL. Of
course falling back on smtp_open_relay entails the weaknesses that you've
described above.

For imaplogin to pass all of the environment information to authdaemond
would break the abstraction, and force specialized code into both
imaplogin and parts of authdaemond. Now that I think about the problem
some more, it would be possible to fix problems 1-3 from open_relay.c,
since imaplogin sets an environment variable with the user's
username/email address. I'm pretty sure this could be used to check and
see if the user should have roaming access.

Chris
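
The check sketched in the last paragraph, as an added example for this thread (illustrative code, not Chris's patch and not Courier or vpopmail code): open_relay decides from the login name that imaplogin exports after a successful login whether to add the open_smtp entry at all, which covers the three drawbacks raised above. Assumptions made here: imaplogin exports the name in the AUTHENTICATED environment variable (Courier's authlib convention); the per-user flags come from a small constructed in-memory table standing in for the vpopmail user database, where a real build would look the user up with vpopmail's own vauth_getpw() and test the NO_IMAP / NO_RELAY bits that vmoduser -i and -r set; the bit values and function names below are hypothetical.

```c
/* Added example for the open_relay.c approach discussed in the thread.
 * Not Chris's patch, not Courier/vpopmail code.  Assumes imaplogin exports
 * the login name as AUTHENTICATED; the user table and flag bits below are
 * constructed stand-ins for vpopmail's vauth_getpw() and pw_gid flags. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define F_NO_IMAP  0x1   /* hypothetical: set by vmoduser -i */
#define F_NO_RELAY 0x2   /* hypothetical: set by vmoduser -r */

struct user_entry { const char *addr; unsigned flags; };

/* Constructed sample table standing in for the vpopmail user database. */
static const struct user_entry sample_users[] = {
    { "alice@example.com", 0 },
    { "bob@example.com",   F_NO_RELAY },
    { "carol@example.com", F_NO_IMAP },
};

/* Look up a user's flags; returns -1 for a user vpopmail does not know. */
static int lookup_flags(const char *addr, unsigned *flags)
{
    size_t i;
    for (i = 0; i < sizeof sample_users / sizeof sample_users[0]; i++) {
        if (strcmp(sample_users[i].addr, addr) == 0) {
            *flags = sample_users[i].flags;
            return 0;
        }
    }
    return -1;
}

enum relay_decision { RELAY_DENY = 0, RELAY_ALLOW = 1 };

/* Decide from the exported login name whether an open_smtp entry should
 * be written.  Each early return maps to one of the drawbacks quoted at
 * the top of the thread:
 *   - no name exported            -> nothing authenticated, deny
 *   - user unknown to vpopmail    -> authenticated by some other module (3)
 *   - IMAP disabled for the user  -> do not touch open_smtp at all (1)
 *   - roaming disabled            -> vmoduser -r is honoured again (2)   */
int decide_relay(const char *authenticated)
{
    unsigned flags;
    if (authenticated == NULL || *authenticated == '\0')
        return RELAY_DENY;
    if (lookup_flags(authenticated, &flags) != 0)
        return RELAY_DENY;
    if (flags & F_NO_IMAP)
        return RELAY_DENY;
    if (flags & F_NO_RELAY)
        return RELAY_DENY;
    return RELAY_ALLOW;
}

/* open_relay.c-style entry point: read the name from the environment that
 * imaplogin passes down instead of re-doing any authentication. */
int decide_relay_from_env(void)
{
    return decide_relay(getenv("AUTHENTICATED"));
}

int main(void)
{
    const char *who = getenv("AUTHENTICATED");
    int allow = decide_relay_from_env();
    printf("roaming %s for %s\n", allow ? "granted" : "denied",
           who ? who : "(nobody)");
    /* A real open_relay would only call its open_smtp update when allowed,
     * so a denied user never leaves a half-written or root-owned file. */
    return allow ? 0 : 1;
}
```

Running it under imaplogin (or with AUTHENTICATED set by hand) prints the decision and exits non-zero when relay is denied; since the open_smtp update is skipped entirely for denied users, the root-owned-file failure from drawback 1 no longer occurs for them.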
