[ZendTo] autodropoff and automationUsers allowed to login interactively. Should not be.

Guy Bertrand Guy.Bertrand at exelaonline.com
Tue Feb 22 17:23:19 GMT 2022 

Jules,

Thanks for the prompt response.  My head was hurting trying to figure this one out.

My users are actually using Google IMAP and AD email addresses for the moment.  My automation users will only be configured in the Local DB.  This is working fine.
'authMultiAuthenticators' => array('Local','IMAP', 'AD'),

In that case, I would like to submit a « request for enhancement » for a future version :

  *   A user listed in the « automationUsers » cannot login to the web interface…at all.  Just to keep the auditors happy.

Regards,

Guy


From: Jules Field <Jules at Zend.To>
Sent: Tuesday, February 22, 2022 12:17 PM
To: ZendTo Users <zendto at zend.to>
Cc: Guy Bertrand <Guy.Bertrand at exelaonline.com>
Subject: Re: [ZendTo] autodropoff and automationUsers allowed to login interactively. Should not be.

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. Please contact suspicious.emails at exelaonline.com<mailto:suspicious.emails at exelaonline.com> with any concerns.

Guy,

The "automationUsers" can *login* to the web interface, but if you try actually doing much once logged in, you'll rapidly find most tasks don't actually work correctly. Feel free to give it a try...
Hence the need to separate the "real" users from the "automation" users.

You can even create the automation users (you often only need 1) as a "local" user, and use SAML or something pretty with MFA for authenticating your "real" users. That's how you authenticate the automation user while all the real users have to use MFA (which you can't automate).

Cheers,
Jules.
On 22/02/2022 4:56 pm, Guy Bertrand via ZendTo wrote:
Hi Zendto users!

I’m trying to use the autodropoff feature for the first time.  I’ve got it working nicely, even from Postman.  This is great.

I’m confused by one little thing : I was under the impression that « automationUsers » cannot work with the web interface.  I just tested it, and yes, I can send via a auto-dropoff, but the user can also login through the web site.

In my preferences file, I have :
'automationUsers' => array('autodropoff.ravi at nologin.com<mailto:autodropoff.ravi at nologin.com>'),

In my local users, I have : (information removed to protect the innocent)
autodropoff.ravi at nologin.com<mailto:autodropoff.ravi at nologin.com>    xxxx<mailto:Ravi.Solanki at exelaonline.com>    xxxxx    xxxx

TESTING :
====================================
>>> When I try to auto-dropoff, it works!
2022-02-22 11:30:26 96.21.229.99 [Uploadit]: Info: authorization succeeded for autodropoff.ravi at nologin.com<mailto:autodropoff.ravi at nologin.com>
2022-02-22 11:30:26 96.21.229.99 [Uploadit]: Info: Virus scan of dropped-off files  '/var/zendto/incoming/php7B9H1O' for autodropoff.ravi at nologin.com<mailto:autodropoff.ravi at nologin.com> passed successfully
2022-02-22 11:30:27 96.21.229.99 [Uploadit]: Info: Deleting request code  as it has been used
2022-02-22 11:30:27 96.21.229.99 [Uploadit]: Info: successfully delivered notification email to guy.bertrand at exelaonline.com<mailto:guy.bertrand at exelaonline.com> for claimID ewJmq5AN7yeRQPQ6
2022-02-22 11:30:27 96.21.229.99 [Uploadit]: Info: new unencrypted dropoff ewJmq5AN7yeRQPQ6 of 1 file created for internal user Guy the IT Guy guy.bertrand at exelaonline.com<mailto:guy.bertrand at exelaonline.com> in language en_US using browser 'PostmanRuntime/7.28.4'

====================================
>>> And when I try to login to the web interface, it also works!
2022-02-22 11:40:25 96.21.229.99 [Uploadit]: Info: authorization succeeded for autodropoff.ravi at nologin.com<mailto:autodropoff.ravi at nologin.com>
2022-02-22 11:42:04 96.21.229.99 [Uploadit]: Info: logged out user 'autodropoff.ravi at nologin.com<mailto:autodropoff.ravi at nologin.com>'

I must be missing something here.  Help!!
ZendTo Version 6.11-2

Regards,

Guy

Guy Bertrand, M.Ing
Directeur informatique / IT Manager
[Exela Technologies]<https://urldefense.com/v3/__http:/www.exelatech.com/__;!!NCEDZeEw!uqbsaRMe7smnJcPTtfuyfEYQBr7TLWFQoKQDeX8-5QgkMbBRRw37zPDRf_u1GvxfstkyLQ$>
1155, boulevard Robert-Bourassa, suite 500  •  Montréal (Québec)  •  CANADA H3B 3A7
B / O: +1 514.392.4999  •  M: +1 514.265-9754
exelatech.com<https://urldefense.com/v3/__https:/www.exelatech.com/ca/__;!!NCEDZeEw!uqbsaRMe7smnJcPTtfuyfEYQBr7TLWFQoKQDeX8-5QgkMbBRRw37zPDRf_u1Gvz1LnfKjw$>  •  About EXELA<https://urldefense.com/v3/__https:/www.exelatech.com/ca/about-us__;!!NCEDZeEw!uqbsaRMe7smnJcPTtfuyfEYQBr7TLWFQoKQDeX8-5QgkMbBRRw37zPDRf_u1Gvz9eBkT5A$>  •  Instagram<https://urldefense.com/v3/__https:/www.instagram.com/exelatechnologies__;!!NCEDZeEw!uqbsaRMe7smnJcPTtfuyfEYQBr7TLWFQoKQDeX8-5QgkMbBRRw37zPDRf_u1Gvz7lmPspw$>  •  LinkedIn<https://urldefense.com/v3/__https:/www.linkedin.com/company/exela-technologies__;!!NCEDZeEw!uqbsaRMe7smnJcPTtfuyfEYQBr7TLWFQoKQDeX8-5QgkMbBRRw37zPDRf_u1Gvz2lGecUA$>

________________________________
Attention : le présent message et toutes les pièces jointes sont confidentiels et établis à l'attention exclusive du ou des destinataire(s) indiqué(s). Toute autre diffusion ou utilisation non autorisée est interdite. Si vous recevez ce message par erreur, veuillez immédiatement en avertir l'expéditeur par e-mail en retour, détruire le message et vous abstenir de toute référence aux informations qui y figurent afin d'éviter les sanctions attachées à la divulgation et à l'utilisation d'informations confidentielles. Les messages électroniques sont susceptibles d'altération. Exela Technologies et ses filiales déclinent toute responsabilité en cas d'altération ou de falsification du présent message.
________________________________
Please consider the environment before printing or forwarding this email. If you do print this email, please recycle the paper.

This email message may contain confidential, proprietary and/or privileged information. It is intended only for the use of the intended recipient(s). If you have received it in error, please immediately advise the sender by reply email and then delete this email message. Any disclosure, copying, distribution or use of the information contained in this email message to or by anyone other than the intended recipient is strictly prohibited. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Exela Technologies, Inc. or its subsidiaries.

This email does not constitute an agreement to conduct transactions by electronic means and does not create any legally binding contract or enforceable obligation against Exela in the absence of a fully signed written agreement.


_______________________________________________

ZendTo mailing list

ZendTo at zend.to<mailto:ZendTo at zend.to>

http://jul.es/mailman/listinfo/zendto<https://urldefense.com/v3/__http:/jul.es/mailman/listinfo/zendto__;!!NCEDZeEw!uqbsaRMe7smnJcPTtfuyfEYQBr7TLWFQoKQDeX8-5QgkMbBRRw37zPDRf_u1GvyopLrWMg$>



Jules



--

Julian Field MEng CEng CITP MBCS MIEEE MACM



IMPORTANT: This email is intended for the use of the individual

addressee(s) named above and may contain information that is

confidential, privileged or unsuitable for overly sensitive persons

with low self-esteem, no sense of humour or irrational religious

beliefs. If you are not the intended recipient, any dissemination,

distribution or copying of this email is not authorised (either

explicitly or implicitly) and constitutes an irritating social faux

pas.



Unless the word absquatulation has been used in its correct context

somewhere other than in this warning, it does not have any legal

or no grammatical use and may be ignored. No animals were harmed

in the transmission of this email, although the kelpie next door

is living on borrowed time, let me tell you. Those of you with an

overwhelming fear of the unknown will be gratified to learn that

there is no hidden message revealed by reading this warning backwards,

so just ignore that Alert Notice from Microsoft.



However, by pouring a complete circle of salt around yourself and

your computer you can ensure that no harm befalls you and your pets.

If you have received this email in error, please add some nutmeg

and egg whites, whisk and place in a warm oven for 40 minutes.



www.Zend.To<https://urldefense.com/v3/__http:/www.Zend.To__;!!NCEDZeEw!uqbsaRMe7smnJcPTtfuyfEYQBr7TLWFQoKQDeX8-5QgkMbBRRw37zPDRf_u1GvzDgd1jJA$>

Twitter: @JulesFM

________________________________
Attention : le présent message et toutes les pièces jointes sont confidentiels et établis à l'attention exclusive du ou des destinataire(s) indiqué(s). Toute autre diffusion ou utilisation non autorisée est interdite. Si vous recevez ce message par erreur, veuillez immédiatement en avertir l'expéditeur par e-mail en retour, détruire le message et vous abstenir de toute référence aux informations qui y figurent afin d'éviter les sanctions attachées à la divulgation et à l'utilisation d'informations confidentielles. Les messages électroniques sont susceptibles d'altération. Exela Technologies et ses filiales déclinent toute responsabilité en cas d'altération ou de falsification du présent message.
________________________________
Please consider the environment before printing or forwarding this email. If you do print this email, please recycle the paper.

This email message may contain confidential, proprietary and/or privileged information. It is intended only for the use of the intended recipient(s). If you have received it in error, please immediately advise the sender by reply email and then delete this email message. Any disclosure, copying, distribution or use of the information contained in this email message to or by anyone other than the intended recipient is strictly prohibited. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Exela Technologies, Inc. or its subsidiaries.

This email does not constitute an agreement to conduct transactions by electronic means and does not create any legally binding contract or enforceable obligation against Exela in the absence of a fully signed written agreement.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://jul.es/pipermail/zendto/attachments/20220222/7ade4514/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 35601 bytes
Desc: image001.png
URL: <http://jul.es/pipermail/zendto/attachments/20220222/7ade4514/attachment-0001.png>

More information about the ZendTo mailing list