The "authz" plugin for Squirrelmail allows users and/or administrators to log in to their IMAP servers via Squirrelmail while using different authentication and authorization identifiers. This allows users and/or administrators to "proxy" as other users.
Possible uses for this feature include:
To use the authz plugin, you need an IMAP server that allows proxy authentication via SASL and supports login mechanisms other than LOGIN. Any SASL mechanism other than LOGIN will do, such as PLAIN, DIGEST-MD5 or CRAM-MD5.
When the authz plugin is enabled in Squirrelmail, the login procedure changes: the contents of the login box are searched for a delimiter, by default the character ':'.
Therefore, a user or administrator who is aware of the proxy feature can log in as cyrusadmin:user, where cyrusadmin is the authorization identity (authz) and user is the authentication identity (authc).
The password entered must be the one that belongs to the cyrusadmin account.
If the password is correct, the webmail session will start and everything will behave as if the account of user had logged in.
| | Authentication ID (authcid) | Authorization ID (authzid) | Using the password of | SASL PLAIN example | Squirrelmail Variables (Global & Session) | Squirrelmail Login Box |
|---|---|---|---|---|---|---|
| Normal / Standard Request (Plain Users) | uid | uid or empty | uid | AUTHENTICATE PLAIN uid\0uid\0upass or AUTHENTICATE PLAIN \0uid\0upass | $username = 'uid' | 'uid' |
| Proxy Request (Admins or Proxy-enabled Users) | uid | cyrusadmin | cyrusadmin | AUTHENTICATE PLAIN \0cyrusadmin\0uid\0upass | $username = 'uid', $authz = 'cyrusadmin' | 'cyrusadmin:uid' |
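
The login-box split and the SASL PLAIN message it leads to, as an added Python example (not the plugin's own code). It keeps the page's variable names `username` and `authz`; the `proxy_allowed` allow-list and the sample passwords are assumptions made for illustration, and the wire layout follows RFC 4616.

```python
import base64

DELIMITER = ":"  # the plugin's default login-box delimiter, per the page


def split_login(login_box, delimiter=DELIMITER):
    """Return (username, authz), named after the page's Squirrelmail variables.

    'uid' -> ('uid', None); 'cyrusadmin:uid' -> ('uid', 'cyrusadmin').
    """
    if not login_box or "\x00" in login_box:
        raise ValueError("empty login or NUL (the PLAIN field separator)")
    if delimiter not in login_box:
        return login_box, None
    authz, username = login_box.split(delimiter, 1)
    # Refuse ':uid', 'cyrusadmin:' and 'a:b:c' rather than guess the intent.
    if not authz or not username or delimiter in username:
        raise ValueError("malformed proxy login")
    return username, authz


def plain_initial_response(login_box, password, proxy_allowed=frozenset()):
    """Build the base64 argument that follows AUTHENTICATE PLAIN.

    proxy_allowed is a hypothetical client-side allow-list of accounts that
    may proxy; the IMAP server still makes the real authorization decision.
    """
    if "\x00" in password:
        raise ValueError("NUL is not allowed in a PLAIN password")
    username, authz = split_login(login_box)
    if authz is None:
        fields = ("", username, password)       # normal request
    elif authz in proxy_allowed:
        # RFC 4616 layout: [authzid] NUL authcid NUL passwd. The RFC's authcid
        # is the account whose password is sent, so the page's $authz goes in
        # the second field and the mailbox being opened goes in the first.
        fields = (username, authz, password)
    else:
        raise PermissionError(f"{authz!r} may not proxy")
    return base64.b64encode("\x00".join(fields).encode()).decode("ascii")


if __name__ == "__main__":
    # Constructed sample credentials, for illustration only.
    print(plain_initial_response("uid", "upass"))
    print(plain_initial_response("cyrusadmin:uid", "adminpass", {"cyrusadmin"}))
```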