<<< Date Index >>>     <<< Thread Index >>>

Re: imap/2837: MYRIGHTS not understood by Mirapoint IMAP4PROXY



On Thursday, March  8 at 02:53 PM, quoth David Champion:
Anyway, you seem to be assuming that Mirapoint's server does not support QUOTA or ACL before login, but I'm not sure why that assumption is valid.

Well, there's a couple reasons. The most obvious is that ACL commands are only allowed in the authenticated state (IMAP communications can be in one of three states: not authenticated, authenticated, and selected), according to the ACL RFC, 4314. See the table in section 4. (I'll explain more in a moment.)

But I also find it hard to imagine that a server author would go to the trouble of implementing SETACL, DELETEACL, GETACL, LISTRIGHTS, and MYRIGHTS (which is not a particularly trivial set of commands) for the anonymous user but would then claim the commands were "unidentifiable" for an authenticated user. If they really had supported them for only certain users, I would think a NO response would be more appropriate than a BAD response.

Is authentication necessary for mailbox access? Does anonymous access require login as an "anonymous" user? Again, I could be wrong, but I didn't think so.

Strictly speaking? Mailbox access, for the most part, requires the server to be in the authenticated state. RFC 3501 (i.e. the IMAP RFC) says that the only commands allowed in the "not authenticated" state are CAPABIILTY, NOOP, LOGOUT, STARTTLS, AUTHENTICATE, and LOGIN. (Extensions may, of course, define more that can be done while not authenticated, but I'm just talking basic IMAP for the moment.) Doing things like SELECT, EXAMINE, LIST, and so forth all require the authenticated state as a minimum. And, as I mentioned before, ACL commands require the authenticated state as well.

So the question then becomes "how does one get into the authenticated state?" Obviously, you can do so by using either the LOGIN or AUTHENTICATE commands, but what about anonymous users? Well, here's what the IMAP RFC has to say:

Server implementations MAY allow access to certain mailboxes without establishing authentication. This can be done by means of the ANONYMOUS [SASL] authenticator described in [ANONYMOUS]. An older convention is a LOGIN command using the userid "anonymous"; in this case, a password is required although the server may choose to accept any password. The restrictions placed on anonymous users are implementation-dependent.

Once authenticated (including as anonymous), it is not possible to re-enter the not authenticated state.

The phrasing they choose is a little wonky, but that says (to me) that you can have anonymous access, but you need to do it by "authenticating" (a poor choice of words) as the anonymous user in some way. Someone could argue that their means of establishing anonymous authentication is through "connection" (i.e. everyone that connects is insta-magically authenticated as an anonymous user), but if that were true, then the server would be required by the RFC to greet the user with the PREAUTH response, which it didn't do.

Anyway, yes, ACL at least, and probably QUOTA (though the QUOTA RFC doesn't say anything about authentication), only makes sense in an authenticated state, and the Mirapoint server is giving the client every reason to believe that it begins the connection unauthenticated.

Thus, claiming ACL or QUOTA support at the beginning is misleading at best and flat wrong at worst. I suppose it's possible that Mirapoint implements ACL and QUOTA support for some users and not for others, though I (for no good reason) rather doubt that. But either way there's no point in advertising it up front if they're going to insist that IMAP clients must automatically check CAPABILITY *after* authenticating. No matter how god-like their implementation of ACL and QUOTA for *some* users (assuming they have one), advertising them before authentication is wasting bandwidth (admittedly, not very much) for all those users who are not sufficiently deserving of ACL support.

~Kyle
--
In any conversation where only one side may be argued, we instinctively assume that those who publicly defend the official position are motivated by ideology and not by an interest in truth. The outlawed position is then assumed to be true, and wins by default.
                                             -- Fr. Andrew Hamilton SJ