Admin access to user accounts using IMAP (Admin access)
  •  
rfs9999

Hi,

I searched the forum on the question of whether an Admin can access a user's mailbox and found suggestions that it is not possible except by archiving messages.

Most servers which support IMAP access have a feature where an administrator can log in using an IMAP method named AUTHENTICATION PLAIN. The admin supplies a username, the admin username, and the admin password. If the admin username/password are valid then the admin is logged in as though he were the user.

AUTHENTICATION PLAIN works on Kerio Connect, that is, the login succeeds, but rather than being put into the user's account it's the admin's account that the login goes to. The username is ignored and a normal login is done to the admin's account.

The benefit of admin access is that an authorized admin doesn't need the user password to access, which makes building useful IMAP-based applications much easier.

Thanks for any light you can shed on this.

-Rick Sanders
IMAP Tools
  •  
clan

Isn't AUTH PLAIN just another authentication method? I think you mean master authentication, which can be set up in the extended options.
  •  
rfs9999

Yes, that's right. AUTHENTICATION PLAIN is just another IMAP login method but it's the means by which many IMAP servers support admin access to user accounts. As you said, Kerio Connect uses Master Authentication instead of AUTH PLAIN for that purpose.

Here is how it works:

1. The client sends the X-MASTERAUTH command:

C: a X-MASTERAUTH

2. The server responds with a challenge:

S: + <random-challenge-string>

3. The client concatenates the challenge string with the master password and computes the resulting string's MD5:

"<random-challenge-string>masterpassword" -> MD5 -> c1e1b75f2de352d6a214f4131c07e400

Then the client sends this MD5 to the server as a hexadecimal ASCII string:

C: c1e1b75f2de352d6a214f4131c07e400

4. The server checks the MD5 and announces the authentication result:

S: a OK X-MASTERAUTH Welcome to server, master
or
S: a NO X-MASTERAUTH failed

5. The client switches to the selected user account with the X-SETUSER command:

C: b X-SETUSER "username"

S: b OK X-SETUSER completed

For example:

C: a X-MASTERAUTH
S: + <random-challenge-string>
C: c1e1b75f2de352d6a214f4131c07e400
S: a OK X-MASTERAUTH Welcome to server, master
C: b X-SETUSER "username"
S: b OK X-SETUSER completed

-Rick
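
The exchange described in the post above, simulated with both sides in memory. This is an added example, not part of the original post and not Kerio code. `ToyServer`, the function names, the UTF-8 encoding, the `X-SETUSER` failure reply and the sample challenge and passwords are assumptions or constructed values.

```python
import hashlib
import hmac
import secrets


def masterauth_response(challenge, master_password):
    """Step 3: MD5 over challenge + master password, as lowercase hex."""
    # Assumption: both strings are UTF-8 encoded before hashing.
    return hashlib.md5((challenge + master_password).encode("utf-8")).hexdigest()


class ToyServer:
    """In-memory stand-in for the server side (hypothetical, not Kerio code)."""

    def __init__(self, master_password, users, challenge=None):
        self.master_password = master_password
        self.users = set(users)
        self.challenge = challenge or secrets.token_hex(16)  # step 2
        self.is_master = False

    def check(self, tag, response):
        """Step 4: recompute the digest and compare in constant time."""
        expected = masterauth_response(self.challenge, self.master_password)
        self.is_master = hmac.compare_digest(expected.encode(), response.strip().encode())
        if self.is_master:
            return f"{tag} OK X-MASTERAUTH Welcome to server, master"
        return f"{tag} NO X-MASTERAUTH failed"

    def set_user(self, tag, username):
        """Step 5: only honoured after a successful X-MASTERAUTH."""
        if self.is_master and username in self.users:
            return f"{tag} OK X-SETUSER completed"
        return f"{tag} NO X-SETUSER failed"  # failure wording is assumed


def run_exchange(server, master_password, username):
    """Play the client side of steps 1-5 and return the transcript lines."""
    response = masterauth_response(server.challenge, master_password)
    result = server.check("a", response)
    lines = ["C: a X-MASTERAUTH", f"S: + {server.challenge}",
             f"C: {response}", f"S: {result}"]
    if result.startswith("a OK"):
        lines.append(f'C: b X-SETUSER "{username}"')
        lines.append(f"S: {server.set_user('b', username)}")
    return lines


if __name__ == "__main__":
    demo = ToyServer("example-master-pw", {"jdoe"}, challenge="constructed-challenge")
    print("\n".join(run_exchange(demo, "example-master-pw", "jdoe")))
```

A successful X-MASTERAUTH lets the session switch into any mailbox the server knows, so the master password needs the same protection as any other administrator credential.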