Disabled accounts should probably be inaccessible by all means possible #105
Comments
|
And you need to disable smtp-auth. One could imagine different use cases, where you only give a temporary I'm not in favor of a particular solution. To disable all possible On 2016-01-21 15:32, Rimas Kudelis wrote:
|
|
Yeah, that's what I tend to think as well. More granularity is a nice idea, but I suppose it can wait till next release. |
|
I think that decoupling authentications of transfer and of delivery services is a good thing, but not in both ways. When a domain is disabled, one may typically want to allow access to MDA for users and administrators, in order to enable a smooth data migration (which may take hours or even days). This make perfectly sense to me. But I do not see how the other way around would make sense: why one should allow receiving email for a domain without giving access to mailboxes? The only use case I am able to imagine is a quite particular one --- a site administrator who wants to intimidate an insolvent postmaster without completely disable his/her email service. |
|
I'm pretty sure we can't come up with every situation possible. |
|
Is this this solved by #159 ? (at least for v2.3) In exim |
|
Yes, looks like it is solve and we deactivated the account completely. Lets open a new issue for more granular setting in a future version. |
A few nights ago I suddently came to realization that even if we disable account, mail for it can still be checked out over IMAP and/or POP3, if the admin just follows our instructions.
Perhaps we should update these instructions to actually take into account the enabled/disabled status of the account (or even domain) which the user attempts to access? What do you folks think?
The text was updated successfully, but these errors were encountered: