From: Alex (subscriber viliar.net.ru)
Date: Tue Mar 18 2008 - 17:04:22 CDT
mouss wrote:
> Alex wrote:
>>
>>
>> Timo Sirainen wrote:
>>> On Fri, 2007-01-12 at 04:54 +0300, alex wrote:
>>>
>>>>> Dec 19 11:25:30 post dovecot: auth-worker(default):
>>>>> sql(mail@example.com): query: SELECT mail as
>>>>> user, cryptp as password,
>>>>> CONCAT('/home/vmail/',homedir,'/',maildir,'/'
>>>>> ) as userdb_home, uid as userdb_uid, gid as userdb_gid,
>>>>> CONCAT('dirsize:/home/vmail/',homedir,'/',maildir,'/',':storage=',quota/1024)
>>>>> as userdb_quota, nice
>>>>> as userdb_nice
>>>>> , hosts as allow_nets FROM users WHERE mail = 'mail@example.com'
>>>>> and access = 'Y' and smtp = 'Y';
>>>>> Dec 19 11:25:30 post dovecot: auth-worker(default):
>>>>> passdb(mail@example..com): allow_nets check
>>>>> failed: Remote IP not known
>>>>>
>>>>> As I understand, postfix does not transfer rip (remote ip) to the
>>>>> dovecot auth daemon. And it
>>>>> looks like allow_nets is impossible to use together with
>>>>> dovecot sasl auth in postfix.
>>>>>
>>>>> Do we have any workaround for it?
>>>>>
>>>>>
>>>>>
>>>> Hello again.
>>>>
>>>> As I think, this problem is really about dovecot. Probably it should
>>>> not be looking at allow_nets when it is used for external auth, or
>>>> when %Ls = smtp? Just another trap/check to prevent problems like
>>>> this?
>>>> Or am I wrong?
>>>>
>>>
>>> I don't think Dovecot at least should have any checks that "oh, there's
>>> no IP address, let's just ignore allow_nets then and let the poor user
>>> in".
>>>
>> ...
>>>
>>> I think Postfix should some day be modified to support providing
>>> rip/lip..
>>
>> It was about postfix 2.3 as I remember. What do you think about
>> a probable realization of such a thing in postfix?
>>
>>
>
> what is the use case when such thing is needed? is it something like
> enforcing different auth mechanisms depending on the client IP when
> the user comes in via smtp? is it really useful/used/needed?
>
Good q. Yes, I think it is useful. Just try to look at it not only from
the side of the smtp server, but from the side of an integrated
smtp/imap/pop3 server. For this example, we can have one storage, with
allow/deny of their access to smtp/imap/pop3 services for each user. On
the level of the mail server. Without having to store it in different
places for different services. Probably it can be useful in another way,
like you said.
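
The fail-closed behaviour discussed in this thread, as an added example that is not part of the original message and is not Dovecot's code: a Python model of an allow_nets style check that denies the login when a restriction exists but the SASL client (Postfix here) supplies no remote IP. The function name, the comma-separated list format, the reason strings other than the logged "Remote IP not known", and the sample addresses are assumptions of this model.

```python
import ipaddress
from typing import Optional, Tuple


def allow_nets_check(allow_nets: Optional[str],
                     remote_ip: Optional[str]) -> Tuple[bool, str]:
    """Hypothetical model of an allow_nets check; returns (allowed, reason)."""
    # No restriction stored for this user: nothing to enforce.
    if not allow_nets:
        return True, "no allow_nets restriction"
    # A restriction exists but the caller passed no rip: fail closed,
    # which is the "Remote IP not known" line in the log above.
    if not remote_ip:
        return False, "Remote IP not known"
    try:
        ip = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False, "Remote IP not parseable"
    for entry in allow_nets.split(","):
        entry = entry.strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # a malformed entry never widens access
        if ip.version == net.version and ip in net:
            return True, f"matched {net}"
    return False, "Remote IP not in allowed networks"


# Constructed sample values (documentation address ranges).
SAMPLES = [
    ("192.0.2.0/24,2001:db8::/32", "192.0.2.10"),    # rip supplied, inside
    ("192.0.2.0/24,2001:db8::/32", "198.51.100.7"),  # rip supplied, outside
    ("192.0.2.0/24,2001:db8::/32", None),            # SMTP AUTH, no rip passed
    (None, None),                                    # user has no restriction
]

if __name__ == "__main__":
    for nets, rip in SAMPLES:
        print(nets, rip, allow_nets_check(nets, rip))
```
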