Hi all!

Does anybody know how to correctly restrict the directories users can access via imap (Washington State)? I do not want users to download arbitrary world-readable files from our server via

    weinberg@genji:~ > telnet mailhost imap2
    0 login weinberg passwdbla
    0 select "/etc/passwd"
    0 fetch 1 body[]
    0 logout

but allow access to /home/user and /var/spool/mail/user.

The last thing I tried was creating a user-accessible /black directory, with links

    /black/var/spool/mail -> /var/spool/mail/
    /black/home -> /home/

and set in the /etc/c-client.cf:

    I accept the risk for IMAP toolkit 4.1.
    set black-box-directory /black/
    set black-box-default-home-directory /black/home/

However, "{mailbox}/var/spool/mail/user" is selectable and gains access to the user-mailbox, while the widely used "{mailbox}inbox" selects an inbox with 0 messages found.

I am not at all happy with playing around with totally undocumented options like black-box-default-home-directory ...

Regards,
Volker Weinberg

----------------------------------------------------------------------------
Volker Weinberg        email:   volker.weinberg@physik.uni-muenchen.de
Dept.of Physics        phone:
Univ. of Munich          at home: (089) 14 56 09
(Germany)                at CIP:  (089) 21 80-24 05
                       address: Andernacher Str. 17
                                80993 Muenchen
----------------------------------------------------------------------------
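The policy asked for above (each user reaches only /home/user and /var/spool/mail/user) can be written as a mailbox-name check, shown here as an added example that is not part of the original post and is not UW IMAP's code or its black-box logic. The function names, the "inbox" mapping and the temporary directory tree are assumptions made for illustration.

```python
import os
import tempfile

def resolve_mailbox(name, user, home_base, spool_base):
    """Return the real path for a client-supplied mailbox name, or None if denied."""
    roots = [os.path.realpath(os.path.join(home_base, user)),
             os.path.realpath(os.path.join(spool_base, user))]
    if not name or "\0" in name:
        return None
    if name.lower() == "inbox":
        candidate = os.path.join(spool_base, user)
    else:
        # os.path.join keeps an absolute name ("/etc/passwd") unchanged;
        # relative names are taken from the user's home directory.
        candidate = os.path.join(home_base, user, name)
    # Resolve ".." and symlinks before comparing, so neither can step outside.
    real = os.path.realpath(candidate)
    for root in roots:
        # Match whole components: ".../weinberg2" is not under ".../weinberg".
        if real == root or real.startswith(root + os.sep):
            return real
    return None

def demo():
    """Check constructed sample names against a constructed temporary tree."""
    with tempfile.TemporaryDirectory() as top:
        home = os.path.join(top, "home")
        spool = os.path.join(top, "var", "spool", "mail")
        passwd = os.path.join(top, "etc", "passwd")
        for d in (os.path.join(home, "weinberg", "mail"), spool, os.path.dirname(passwd)):
            os.makedirs(d)
        for f in (passwd, os.path.join(spool, "weinberg"), os.path.join(spool, "weinberg2")):
            open(f, "w").close()
        # A link inside the home directory that points at a file outside it.
        os.symlink(passwd, os.path.join(home, "weinberg", "link"))
        names = {
            "inbox": "inbox",
            "home folder": "mail/saved",
            "own spool, absolute": os.path.join(spool, "weinberg"),
            "absolute outside": passwd,
            "dot-dot": "../../etc/passwd",
            "symlink outside": "link",
            "other user's spool": os.path.join(spool, "weinberg2"),
        }
        return {label: resolve_mailbox(n, "weinberg", home, spool) is not None
                for label, n in names.items()}

if __name__ == "__main__":
    print(demo())
```

The comparison is made on the resolved path, so a link placed inside an allowed directory does not widen what can be selected.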