[ZendTo] autodropoff and automationUsers allowed to login interactively. Should not be.

Jules Field Jules at Zend.To
Wed Feb 23 16:08:58 GMT 2022


Hi Guy,

Good idea, provided it's reasonably simple to do. When using SAML auth 
for the main users, I suspect it's not so easy. There must be a good 
reason I didn't do this to start with...

I'll take a look, but no promises (the normal and automation users run 
almost the same code, it's just the output type that varies: normal 
users get pretty HTML, automation users get HTTP headers).

Cheers,
Jules.

On 22/02/2022 5:23 pm, Guy Bertrand wrote:
>
> Jules,
>
> Thanks for the prompt response. My head was hurting trying to figure 
> this one out.
>
> My users are actually using Google IMAP and AD email addresses for the 
> moment. My automation users will only be configured in the Local 
> DB. This is working fine.
>
> 'authMultiAuthenticators' => array('Local','IMAP', 'AD'),
>
> In that case, I would like to submit a « request for enhancement » for 
> a future version:
>
>   * A user listed in the « automationUsers » cannot login to the web
>     interface… at all. Just to keep the auditors happy.
>
> Regards,
>
> Guy
>
> *From:* Jules Field <Jules at Zend.To>
> *Sent:* Tuesday, February 22, 2022 12:17 PM
> *To:* ZendTo Users <zendto at zend.to>
> *Cc:* Guy Bertrand <Guy.Bertrand at exelaonline.com>
> *Subject:* Re: [ZendTo] autodropoff and automationUsers allowed to 
> login interactively. Should not be.
>
> Guy,
>
> The "automationUsers" can *login* to the web interface, but if you try 
> actually doing much once logged in, you'll rapidly find most tasks 
> don't actually work correctly. Feel free to give it a try...
> Hence the need to separate the "real" users from the "automation" users.
>
> You can even create the automation users (you often only need 1) as a 
> "local" user, and use SAML or something pretty with MFA for 
> authenticating your "real" users. That's how you authenticate the 
> automation user while all the real users have to use MFA (which you 
> can't automate).
>
> Cheers,
> Jules.
>
> On 22/02/2022 4:56 pm, Guy Bertrand via ZendTo wrote:
>
>     Hi Zendto users!
>
>     I’m trying to use the autodropoff feature for the first time. I’ve
>     got it working nicely, even from Postman. This is great.
>
>     I’m confused by one little thing: I was under the impression that
>     « automationUsers » cannot work with the web interface. I just
>     tested it, and yes, I can send via an auto-dropoff, but the user
>     can also login through the web site.
>
>     In my preferences file, I have:
>
>     'automationUsers' => array('autodropoff.ravi at nologin.com'),
>
>     In my local users, I have: (information removed to protect the
>     innocent)
>
>     autodropoff.ravi at nologin.com xxxx xxxxxxxxx
>
>     TESTING:
>
>     ====================================
>
>     >>> When I try to auto-dropoff, it works!
>
>     2022-02-22 11:30:26 96.21.229.99 [Uploadit]: Info: authorization
>     succeeded for autodropoff.ravi at nologin.com
>
>     2022-02-22 11:30:26 96.21.229.99 [Uploadit]: Info: Virus scan of
>     dropped-off files'/var/zendto/incoming/php7B9H1O' for
>     autodropoff.ravi at nologin.com passed successfully
>
>     2022-02-22 11:30:27 96.21.229.99 [Uploadit]: Info: Deleting
>     request code as it has been used
>
>     2022-02-22 11:30:27 96.21.229.99 [Uploadit]: Info: successfully
>     delivered notification email to guy.bertrand at exelaonline.com for
>     claimID ewJmq5AN7yeRQPQ6
>
>     2022-02-22 11:30:27 96.21.229.99 [Uploadit]: Info: new unencrypted
>     dropoff ewJmq5AN7yeRQPQ6 of 1 file created for internal user Guy
>     the IT Guy guy.bertrand at exelaonline.com in language en_US using
>     browser 'PostmanRuntime/7.28.4'
>
>     ====================================
>
>     >>> And when I try to login to the web interface, it also works!
>
>     2022-02-22 11:40:25 96.21.229.99 [Uploadit]: Info: authorization
>     succeeded for autodropoff.ravi at nologin.com
>
>     2022-02-22 11:42:04 96.21.229.99 [Uploadit]: Info: logged out user
>     'autodropoff.ravi at nologin.com'
>
>     I must be missing something here. Help!!
>
>     ZendTo Version 6.11-2
>
>     Regards,
>
>     Guy
>
>     *Guy Bertrand, M.Ing*
>     Directeur informatique / IT Manager
>
>     Exela Technologies
>     1155, boulevard Robert-Bourassa, suite 500 • Montréal (Québec) • CANADA H3B 3A7
>     B / O: +1 514.392.4999 • M: +1 514.265-9754
>     exelatech.com
>
>
>     _______________________________________________
>     ZendTo mailing list
>     ZendTo at zend.to
>     http://jul.es/mailman/listinfo/zendto
>
>
>
> Jules
> -- 
> Julian Field MEng CEng CITP MBCS MIEEE MACM
> www.Zend.To
> Twitter: @JulesFM

Jules

-- 
Julian Field MEng CEng CITP MBCS MIEEE MACM

'Gaze not into the abyss, lest you become recognised as an abyss
  domain expert, and they expect you to keep gazing into the damn thing.'
                                            - @nickm_tor

www.Zend.To
Twitter: @JulesFM
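The enhancement Guy asks for, and a way to audit for it in the meantime, sketched as an added example. This is not ZendTo's own code: `check_login` models a gate that refuses interactive (web) login for any account listed in `automationUsers`, returning the output type Jules describes for the path that is allowed, and `audit_interactive_sessions` scans log lines in the format shown in the thread for "logged out user" events belonging to automation accounts, on the assumption (from the sample above) that an autodropoff upload never emits a logout line while a web session does. The log lines and the address form with "@" are constructed from the thread's sample.

```python
import re

# Constructed from the thread's preferences file ('automationUsers' => array(...)).
AUTOMATION_USERS = {"autodropoff.ravi@nologin.com"}


class LoginDenied(Exception):
    """Raised when an automation account attempts an interactive web login."""


def check_login(username, interactive, automation_users=AUTOMATION_USERS):
    """Hypothetical gate for the requested enhancement.

    Returns the response type the thread describes: 'html' for normal users on
    the web interface, 'headers' for automation users on the autodropoff path.
    An automation user asking for an interactive session is refused outright.
    """
    is_automation = username.lower() in {u.lower() for u in automation_users}
    if interactive and is_automation:
        raise LoginDenied(f"{username} is an automation user; interactive login refused")
    return "headers" if is_automation else "html"


# "<date> <time> <ip> [<program>]: <level>: <message>" as in the sample log.
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) \[(\w+)\]: (\w+): (.*)$")
LOGOUT_RE = re.compile(r"logged out user '([^']+)'")


def audit_interactive_sessions(log_lines, automation_users=AUTOMATION_USERS):
    """Return (timestamp, ip, user) for web logouts by automation accounts.

    Assumption: only an interactive web session produces a 'logged out user'
    line; the autodropoff upload in the thread's sample never does.
    """
    wanted = {u.lower() for u in automation_users}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip continuation or unrelated lines
        ts, ip, _prog, _level, msg = m.groups()
        lm = LOGOUT_RE.match(msg)
        if lm and lm.group(1).lower() in wanted:
            hits.append((ts, ip, lm.group(1)))
    return hits


# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE_LOG = [
    "2022-02-22 11:30:26 96.21.229.99 [Uploadit]: Info: authorization succeeded for autodropoff.ravi@nologin.com",
    "2022-02-22 11:40:25 96.21.229.99 [Uploadit]: Info: authorization succeeded for autodropoff.ravi@nologin.com",
    "2022-02-22 11:42:04 96.21.229.99 [Uploadit]: Info: logged out user 'autodropoff.ravi@nologin.com'",
    "2022-02-22 11:50:00 96.21.229.99 [Uploadit]: Info: logged out user 'guy.bertrand@exelaonline.com'",
]
```

Both "authorization succeeded" lines in the sample are identical for the API and the web path, so the audit keys on the logout line rather than on authorization.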