IMAP auth permission problem when IMAP uses only USERNAME

Issue #1301 resolved
Jáder Marasca created an issue

Hi

I’ve enabled IMAP auth, but my IMAP server requires only the USERNAME, not the complete e-mail address.

So after auth I was able to see all messages, but if I click on any of them they return an error about “permission to read message 999”

So I found the custom authentication page at https://www.mailpiler.org/wiki/current:custom-authentication

and adapted the first sample to:

    $config['CUSTOM_EMAIL_QUERY_FUNCTION'] = 'my_custom_func';

    function my_custom_func($username = '') {
       $session = Registry::get('session');
       $data = $session->get("auth_data");

       $a = array();

       foreach($data['emails'] as $email) {
          $s = explode("@", $email);
          array_push($a, $s[0] . "@<mydomain>");
       }

       $data['emails'] = array_merge($data['emails'] , $a);

       $session->set("auth_data", $data);
    }

NOTE THE CHANGE of domain on line 11.

I think you could add this info on IMAP authentication page and this code below the IMAP part on config-site.php file with a simple explanation like “if your IMAP uses only username, add your domain on line below”.

That would allow any sysadmin to find and use it!

Regards

Jáder

(AFAIK this code allows adding more than one domain by splitting the username and domain parts, so maybe you could enhance it to just add one with less/better code!)

Comments (13)

  1. Jáder Marasca reporter

    I discovered a side effect of ADD domain: when searching for messages, if a FROM or TO has the same info as my USERNAME, Piler shows it (BAD!) but because I have no permission I can see it (good).

    When logged in, in preferences I can see both names: JADER (username used to log in) and JADER@MYDOMAIN, so because JADER is there, I can see emails from JADER@OTHERDOMAIN.

    Could you patch the code to REPLACE username with username+domain if it’s not @local? Would it be safe?

  2. Jáder Marasca reporter

    I think I need some code to deal with @local on field “email”, something like:

       $s = explode("@", $email);
       // Skip "@local" accounts; ?? covers entries that have no "@" part
       if (($s[1] ?? '') != "local")
         array_push($a, $s[0] . "@mydomain");
    

  3. Janos SUTO repo owner

    I’ve updated the documentation as you suggested, thanks.

    To remove “JADER”, you need to fix the custom authentication function, I believe.

  4. Jáder Marasca reporter

    JANOS, can you help me with the code?

    option1: remove the USERNAME so JADER, JADER@mydomain become just jader@MYDOMAIN

    option2: fix my function to allow @local users to work (right now I have @local or IMAP auth working, not both at the same time)

  5. Jáder Marasca reporter

    I think I solved it using SECOND example of custom-authentication page:

    $config['CUSTOM_EMAIL_QUERY_FUNCTION'] = 'ignore_local';
    
    function ignore_local($username = '') {
       global $session;

       if(strstr($username, "@local")) {
          error_log( "Found  LOCAL,  doing nothing\r\n");
       } else {
          $session = Registry::get('session');
          $data = $session->get("auth_data");

          $a = array();
          foreach($data['emails'] as $email) {
             $s = explode("@", $email);
             array_push($a, $s[0] . "@<mydomain.com>");
          }
       }
    }
    

  6. Jáder Marasca reporter

    What about something like:

    // FROM https://www.mailpiler.org/wiki/current:custom-authentication second sample
    $config['CUSTOM_EMAIL_QUERY_FUNCTION'] = 'ignore_local';
    
    function ignore_local($username = '') {
       global $session;
    
       if(!strstr($username, "@local")) {
         $session = Registry::get('session');
         $data = $session->get("auth_data");
    
         $a = array();
         foreach($data['emails'] as $email) {
           $s = explode("@", $email);
           array_push($a, $s[0] . "@<mydomain.com>");
         }
       }
    }
    

    It SHOULD have solved my problem, but it does not add @mydomain, it just allows local accounts to work!

    Am I missing something?

  7. Jáder Marasca reporter

    No, it does not work, and I don’t know why! How could I find out what’s happening?

  8. Janos SUTO repo owner

    Try the following. In the user settings menu it displays only “JADER@aaa.fu”:

    $config['CUSTOM_EMAIL_QUERY_FUNCTION'] = 'my_custom_func';
    
    function my_custom_func($username = '') {
       $session = Registry::get('session');
       $data = $session->get("auth_data");
    
       if(!strstr($username, '@local')) {
          $email = $username . '@aaa.fu';
          $data['emails'] = [$email];
          $session->set("auth_data", $data);
       }
    }
    

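
The outcome of this thread (for IMAP logins keep only fully qualified addresses in `auth_data['emails']`, and leave `@local` accounts alone) as an added example that is not from the thread or from piler's own code. It goes slightly beyond the last snippet by also keeping addresses that already carry a domain; `ARCHIVE_DOMAIN`, `build_email_list()` and `example.org` are assumptions, while the `Registry`/session calls are the ones shown above.

```php
<?php
// Added example, not piler's own code. ARCHIVE_DOMAIN and build_email_list()
// are assumed names; set the domain to your own.
const ARCHIVE_DOMAIN = 'example.org';

// Returns the address list to store in auth_data['emails'].
//  - "@local" logins: the list is returned unchanged.
//  - other logins: bare names get "@<domain>" appended, full addresses are
//    kept, duplicates are dropped. A bare username never remains in the list.
function build_email_list(string $username, array $emails, string $domain = ARCHIVE_DOMAIN): array {
    if (strpos($username, '@local') !== false) {
        return $emails;
    }
    $out = [];
    foreach (array_merge([$username], $emails) as $entry) {
        $entry = trim((string)$entry);
        if ($entry === '') {
            continue;
        }
        if (strpos($entry, '@') === false) {
            $entry .= '@' . $domain;
        }
        $out[$entry] = true; // array keys de-duplicate the addresses
    }
    return array_keys($out);
}

// Hook wiring, using the calls shown in the thread.
$config['CUSTOM_EMAIL_QUERY_FUNCTION'] = 'my_custom_func';

function my_custom_func($username = '') {
    $session = Registry::get('session');
    $data = $session->get('auth_data');
    $data['emails'] = build_email_list($username, $data['emails'] ?? []);
    $session->set('auth_data', $data);
}

// Demo on constructed logins; runs only from the CLI outside piler.
if (PHP_SAPI === 'cli' && !class_exists('Registry')) {
    $cases = [
        ['JADER', ['JADER']],
        ['JADER', ['JADER', 'JADER@example.org']],
        ['admin@local', ['admin@local']],
    ];
    foreach ($cases as [$user, $emails]) {
        echo $user, ' => ', implode(', ', build_email_list($user, $emails)), PHP_EOL;
    }
}
```

Because the bare username is replaced rather than merged, a search can no longer match the same local part at another domain, which is the side effect reported in the first comment.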