owncloud-archive / apps

Repo for ownCloud apps. Code here is work in progress and not intended for endusers

IMAP-Authentication: Limit the users that can authenticate #1902

Open stonerl opened 10 years ago

stonerl commented 10 years ago

I see one design flaw in the IMAP backend. Maybe I'm missing something, but in its current state, everyone could just log in to an ownCloud that has IMAP authentication enabled.

e.g. if I use imap.gmail.com as my authentication server, everyone with a Gmail account could access my ownCloud and create an account. And I don't think that this should be possible.

Either on the user settings page or the admin settings page, there should be an option to add the usernames that are allowed to enter one's server using IMAP.

johnmanko commented 10 years ago

I think that you can specify specific users. This was brought up in the owncloud forums: http://forum.owncloud.org/viewtopic.php?f=29&t=23307

The example listed was (but I didn't try it, as I have no need to):

  'user_backends' => array (
    0 => array (
      'class' => 'OC_User_IMAP',
      'arguments' => array (
            0 => '{LoginID_user1.mail.myserver.ex:993/imap/ssl/novalidate-cert}',
            1 => '{loginID_user2.mail.myserver.ex:993/imap/ssl/novalidate-cert}',
            ),
      ),
  ),
stonerl commented 10 years ago

I use a different approach now (btw. this was my post, but that only works if your server expects such an address; it would not work with Gmail). I will make a pull request as soon as my other changes (#1898) are merged. I changed the file imap.php like this:

    public function checkPassword($uid, $password) {
        if (!function_exists('imap_open')) {
            OCP\Util::writeLog('user_external', 'ERROR: PHP imap extension is not installed', OCP\Util::ERROR);
            return false;
        }

        // Optional allow list: a CSV file in the user_external app folder whose
        // first column holds the permitted login names. If the file does not
        // exist, every account the IMAP server accepts may log in (old behaviour).
        $filename = dirname(__FILE__) . '/../imap_users.csv';

        if (file_exists($filename)) {
            $user_allowed = false;
            if (($handle = fopen($filename, "r")) !== FALSE) {
                while (($data = fgetcsv($handle, 1000, ",")) !== FALSE && $user_allowed !== TRUE) {
                    // Compare against the login column only, so a display name
                    // in the second column can never satisfy the check.
                    if (isset($data[0]) && $data[0] === $uid) {
                        $user_allowed = true;
                    }
                }
                fclose($handle);
            }
            // Fail closed: an existing but unreadable list admits nobody.
            if ($user_allowed !== TRUE) {
                return false;
            }
        }

        // Work on a copy of the configured mailbox string. If its second
        // character is a dot, e.g. "{.mail.my-uni.org:993/imap/ssl}", the login
        // name is spliced in as the first host label. Modifying $this->mailbox
        // in place would carry the first user's host over to later logins.
        $mailbox = $this->mailbox;
        if (substr($mailbox, 1, 1) === '.') {
            $mailbox = '{' . $uid . ltrim($mailbox, '{');
        }

        $mbox = @imap_open($mailbox, $uid, $password, OP_HALFOPEN, 1);
        imap_errors();   // discard queued IMAP error and alert messages
        imap_alerts();
        if ($mbox !== FALSE) {
            imap_close($mbox);
            $uid = mb_strtolower($uid);
            $this->storeUser($uid);
            return $uid;
        } else {
            return false;
        }
    }
stonerl commented 10 years ago

I only need a comma-separated CSV file in the user_external folder, which would look like this:

LoginName,Name
jane.doe@gmail.com,Jane Doe
john.doe@gmail.com,John Doe

So now only those two Gmail users can access my ownCloud.

The other modification targets what I mentioned in the forum post. My university uses this URL scheme to access the IMAP server:

uni-loginid.mail.my-uni.org

Therefore I had to do what I mentioned in the forum. But this is IMHO a bad solution. Now I change the mailbox string and check for a dot (.) as the second character:

{.mail.my-uni.org:993/imap/ssl/novalidate-cert}

If the second character is a dot I assemble a new mailbox string:

{$uid.mail.my-uni.org:993/imap/ssl/novalidate-cert}

where $uid == uni-loginid

I think that this is a very universal approach, which does not interfere with the current behavior.
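
The allow-list lookup on the CSV format and the "dot as second character" mailbox-string assembly described in the comment above, as an added example that is not part of the original thread or of the user_external app. The function names, the fail-closed behaviour when the CSV file is missing, the case-insensitive login comparison and the character check on the uid are this example's own assumptions, not something the posted patch does:

```php
<?php
// Added example, not code from the ownCloud user_external app. It demonstrates
// the two mechanisms discussed in the thread: a CSV allow list of IMAP login
// names and a mailbox-string template whose host name is completed per user.
declare(strict_types=1);

/**
 * Return true when $uid appears in the LoginName column of the allow list.
 * Only the first column is consulted, so display names in the second column
 * cannot satisfy the check, and the header line is skipped explicitly.
 * A missing or unreadable list admits nobody (fail closed); this is a design
 * choice of the example, the posted patch admits everyone in that case.
 */
function imapUserAllowed(string $csvPath, string $uid): bool
{
    if (!is_readable($csvPath)) {
        return false;
    }
    $handle = fopen($csvPath, 'r');
    if ($handle === false) {
        return false;
    }
    $allowed = false;
    $isHeader = true;
    while (($row = fgetcsv($handle, 1000, ',')) !== false) {
        if ($isHeader) {            // first line is "LoginName,Name"
            $isHeader = false;
            continue;
        }
        if (!isset($row[0])) {      // blank line
            continue;
        }
        // Case-insensitive, because the backend lowercases the uid it stores.
        if (strcasecmp(trim($row[0]), trim($uid)) === 0) {
            $allowed = true;
            break;
        }
    }
    fclose($handle);
    return $allowed;
}

/**
 * Build the imap_open() mailbox string from a template. If the template's
 * second character is a dot, the uid becomes the first host label:
 * "{.mail.my-uni.org:993/imap/ssl}" plus uid "uni-loginid" gives
 * "{uni-loginid.mail.my-uni.org:993/imap/ssl}". Any other template is
 * returned unchanged, so existing configurations keep working.
 *
 * The uid ends up inside the c-client mailbox specification, so it is limited
 * to DNS-label characters first: a uid containing ":", "/", "{" or "}" could
 * otherwise change the host, port or connection flags. Returns null if the uid
 * is refused. The template itself is never modified (no shared state).
 */
function buildMailboxString(string $template, string $uid): ?string
{
    if (substr($template, 1, 1) !== '.') {
        return $template;
    }
    if (preg_match('/^[A-Za-z0-9-]{1,63}$/', $uid) !== 1) {
        return null;
    }
    return '{' . $uid . ltrim($template, '{');
}

// Demo with a constructed allow list written to a temporary file.
$csv = tempnam(sys_get_temp_dir(), 'imap_users');
file_put_contents($csv, "LoginName,Name\njane.doe@gmail.com,Jane Doe\njohn.doe@gmail.com,John Doe\n");

foreach (['jane.doe@gmail.com', 'JOHN.DOE@gmail.com', 'Jane Doe', 'LoginName', 'mallory@gmail.com'] as $uid) {
    printf("%-20s allowed: %s\n", $uid, imapUserAllowed($csv, $uid) ? 'yes' : 'no');
}
unlink($csv);

$template = '{.mail.my-uni.org:993/imap/ssl}';
var_dump(buildMailboxString($template, 'uni-loginid'));
var_dump(buildMailboxString($template, 'evil:143/notls}x'));
var_dump(buildMailboxString('{imap.gmail.com:993/imap/ssl}', 'jane'));
```

Two caveats for anyone adopting this: the allow list lives on disk, so it should be readable by the web server user only, and the mailbox strings quoted in this thread end in `/novalidate-cert`, which switches off TLS certificate verification for the IMAP connection; the example templates above omit that flag on purpose.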

johnmanko commented 10 years ago

You should create an input in the admin settings to manage the contents of that file. :)

wioxjk commented 7 years ago

Anything new on this?