MMP Proxyauth
From MsgServerDocWiki
How do I proxyauth into an account via an MMP?
UPDATE, 9/21/2010: This information has been moved to: http://wikis.sun.com/pages/viewpage.action?pageId=216502711. Refer to that page from now on.
NOTE: Messaging Server 6.3 patch level 120228-22/120229-22/120230-22/126479-03/126479-03 or above is required for this functionality to operate correctly due to bug #6577288.
Background: Proxy authentication allows an administrator to connect to another user's mailbox as if they were that user.
There are two ways to do proxy authentication: via the SASL PLAIN standard or with the non-standard proxyauth command. The MMP (Messaging Multiplexor) software only supports the standard mechanism.
Here is a brief overview of the protocol. Given the following information:
<USERNAME> is the username of the account you wish to access
<ADMIN USER> is the store administrator defined in store.admins configutil setting which also needs to be a member of the group defined in the store.serviceadmingroupdn configutil setting and match the
<ADMIN PASSWORD> is the password for the user defined in <ADMIN USER>
NOTE: If default:PreAuth is enabled, then it is also necessary to set the default:StoreAdmin and default:StoreAdminPass options in the ImapProxyAService.cfg configuration file to match the <ADMIN USER> and <ADMIN PASSWORD> respectively.
To connect using SASL PLAIN:
Get the Base64-encoded form of the string <USERNAME>\0<ADMIN USER>\0<ADMIN PASSWORD>, where \0 is a NUL byte separating the three fields.
e.g. for the username 'shjorth@sun.com' and a store administrator of 'admin' with the password 'secret':
# perl -MMIME::Base64 -e 'print encode_base64("shjorth\@sun.com" . "\0" . "admin" . "\0" . "secret")'
c2hqb3J0aEBzdW4uY29tAGFkbWluAHNlY3JldA==
shane@shane-desktop:~/Desktop$ telnet myserver.sun.com 143
Trying 1.2.3.4...
Connected to myserver.sun.com.
Escape character is '^]'.
* OK [CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS CHILDREN BINARY UNSELECT SORT LANGUAGE XSENDER X-NETSCAPE XSERVERINFO AUTH=PLAIN] Messaging Multiplexor (Sun Java(tm) System Messaging Server 6.3-5.02 (built Oct 12 2007))
. AUTHENTICATE PLAIN
+
c2hqb3J0aEBzdW4uY29tAGFkbWluAHNlY3JldA==
. OK User logged in
. getquotaroot INBOX
* QUOTAROOT INBOX user/shjorth
* QUOTA user/shjorth (STORAGE 388 5120 MESSAGE 15 3000)
. OK Completed
With newer releases (advertising SASL-IR), the base64 can be provided on the same line as the AUTHENTICATE command:
* OK [CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS CHILDREN BINARY UNSELECT SORT CATENATE URLAUTH LANGUAGE ESEARCH ESORT ENABLE CONTEXT=SEARCH CONTEXT=SORT WITHIN SASL-IR SEARCHRES XSENDER X-NETSCAPE XSERVERINFO X-SUN-SORT ANNOTATE-EXPERIMENT-1 X-UNAUTHENTICATE X-SUN-IMAP X-ANNOTATEMORE XUM1 STARTTLS] Messaging Multiplexor (Sun Java(tm) System Messaging Server 7.2-7.04 (built Jul 2 2009))
. AUTHENTICATE PLAIN c2hqb3J0aEBzdW4uY29tAGFkbWluAHNlY3JldA==
. OK User logged in
NB: You should not pass the admin user & password over a clear-text non-secure link (use 993/SSL/IMAPS instead).
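The following Python sketch is an added example, not part of the original wiki page. It builds the same SASL PLAIN string, decodes a response for auditing without exposing the password, and performs the login over IMAPS (port 993) with certificate verification instead of clear-text telnet. The function names are assumptions made for this example, and the sample values are the constructed ones used in the walkthrough above.

```python
import base64
import imaplib
import ssl


def plain_response(authzid: str, authcid: str, password: str) -> bytes:
    """SASL PLAIN message: authzid NUL authcid NUL password, UTF-8 encoded."""
    if not authcid or not password:
        raise ValueError("authcid and password are required")
    if any("\0" in f for f in (authzid, authcid, password)):
        raise ValueError("NUL is the field separator and cannot appear in a field")
    return "\0".join((authzid, authcid, password)).encode("utf-8")


def b64_plain_response(authzid: str, authcid: str, password: str) -> str:
    """Base64 form, as typed after AUTHENTICATE PLAIN in the sessions above."""
    return base64.b64encode(plain_response(authzid, authcid, password)).decode("ascii")


def audit_plain_response(b64: str) -> dict:
    """Decode a captured response; report identities only, never the password."""
    parts = base64.b64decode(b64, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("expected exactly three NUL-separated fields")
    authzid, authcid = parts[0].decode("utf-8"), parts[1].decode("utf-8")
    return {
        "authzid": authzid,
        "authcid": authcid,
        # Proxy authentication: acting as a user other than the one whose password was sent.
        "proxy_auth": bool(authzid) and authzid != authcid,
    }


def proxyauth_imaps(host: str, username: str, admin_user: str,
                    admin_password: str, port: int = 993) -> imaplib.IMAP4_SSL:
    """Open a certificate-verified IMAPS connection and proxy-authenticate as username."""
    ctx = ssl.create_default_context()  # verifies the server certificate and hostname
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    # imaplib base64-encodes the bytes returned by the callback itself.
    conn.authenticate("PLAIN", lambda _challenge: plain_response(username, admin_user, admin_password))
    return conn


if __name__ == "__main__":
    # Constructed sample values, the same ones used in the walkthrough above.
    token = b64_plain_response("shjorth@sun.com", "admin", "secret")
    print(token)
    print(audit_plain_response(token))
```

Base64 is an encoding, not encryption: anyone who can read the AUTHENTICATE line can recover the administrator password, which is why the connection function uses only TLS.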

