Overview
IMAP master authentication, also known as IMAP proxy authentication or administrative authentication, is a feature used in some email server configurations. It allows an administrator or a designated user to log into an IMAP server with the rights to access multiple user accounts. This capability is particularly useful for administrative tasks like managing user accounts, performing backups, migrating mailboxes, or troubleshooting issues.
This article provides instructions for enabling Master Authentication (Master Auth) on a Kerio Connect server, describes how the mechanism works internally, and includes a sample Python script to test it against your server.
Enabling Master Authentication
To enable Master Authentication, follow these steps:
- Open Kerio Connect Webadmin.
- Navigate to the Configuration > Advanced Options > Master Authentication tab.
- Select Enable Master Authentication to this server.
- Choose the necessary IP address group.
- Specify the Master Password.
- Click Apply.
Once the above is done, you can use the attached Python script to test the configuration. The script only checks master authentication and can be expanded for each use case as required.
Master Auth Internal Mechanism
The following steps detail how Master Auth works in Kerio Connect:
- The client sends the X-MASTERAUTH command:
  C: a X-MASTERAUTH
- The server responds with a challenge:
  S: + <random-challenge-string>
- The client concatenates the challenge string with the master password and computes the MD5 of the resulting string:
  "<random-challenge-string>masterpassword" -> MD5 -> c1e1b75f2de352d6a214f4131c07e400
- The client then sends this MD5 to the server as a hexadecimal ASCII string:
  C: c1e1b75f2de352d6a214f4131c07e400
- The server checks the MD5 and announces the authentication result. There are two possible results:
  S: a OK X-MASTERAUTH Welcome to server, master
  or
  S: a NO X-MASTERAUTH failed
- The client switches to the selected user account with the X-SETUSER command:
  C: b X-SETUSER "username"
- The server confirms the X-SETUSER command:
  S: b OK X-SETUSER completed
Example chain of communication:
C: a X-MASTERAUTH
S: + <random-challenge-string>
C: c1e1b75f2de352d6a214f4131c07e400
S: a OK X-MASTERAUTH Welcome to server, master
C: b X-SETUSER "username"
S: b OK X-SETUSER completed
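The exchange above written as a small Python client, given here as an added example (it is not the attached script and not Kerio's own code). It assumes the server sends a standard IMAP greeting first, that the challenge is everything after "+ " on the server's reply and is used verbatim, and that the server is reached over IMAPS on port 993; the function and parameter names are illustrative.

```python
import hashlib
import socket
import ssl

def master_auth_response(challenge: str, master_password: str) -> str:
    """Hex MD5 of the challenge string followed directly by the master password."""
    return hashlib.md5((challenge + master_password).encode("utf-8")).hexdigest()

def _readline(stream) -> str:
    line = stream.readline()
    if not line:
        raise ConnectionError("server closed the connection")
    return line.decode("utf-8", "replace").rstrip("\r\n")

def _send(stream, text: str) -> None:
    stream.write(text.encode("utf-8") + b"\r\n")
    stream.flush()

def master_login(stream, master_password: str, username: str) -> bool:
    """Run X-MASTERAUTH then X-SETUSER; True only if both get a tagged OK."""
    if "\r" in username or "\n" in username:
        raise ValueError("username must not contain CR or LF")
    # Escape backslash and double quote for the IMAP quoted string.
    quoted = username.replace("\\", "\\\\").replace('"', '\\"')
    _readline(stream)  # server greeting ("* OK ...")
    _send(stream, "a X-MASTERAUTH")
    reply = _readline(stream)
    if not reply.startswith("+ "):  # server offered no challenge
        return False
    # Assumption: everything after "+ " is the challenge, used verbatim.
    _send(stream, master_auth_response(reply[2:], master_password))
    if not _readline(stream).startswith("a OK"):
        return False
    _send(stream, f'b X-SETUSER "{quoted}"')
    return _readline(stream).startswith("b OK")

def connect(host: str, port: int = 993):
    """Open a certificate-verified TLS connection; port 993 is an assumption."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host).makefile("rwb")

if __name__ == "__main__":
    import getpass
    import sys
    stream = connect(sys.argv[1])
    ok = master_login(stream, getpass.getpass("Master password: "), sys.argv[2])
    print("master auth + setuser:", "OK" if ok else "FAILED")
```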
FAQ
- What is IMAP Master Authentication?
  IMAP Master Authentication allows an administrator to access multiple user accounts on an IMAP server for management tasks.
- How do I test Master Authentication in Kerio Connect?
  After enabling it, use the provided Python script to test the configuration against your server.
- What should I do if Master Authentication fails?
  Review the steps to ensure all settings are correctly applied. Check the master password and IP address group settings, then retry.
- Is there a user account that has access to all users' mailboxes?
  No, there is no dedicated user account with access to all user mailboxes. Master authentication relies on the master password configured in the Kerio Connect web admin UI.