[Dovecot] Secure connection from "localhost" in jails

Dirk Engling erdgeist at erdgeist.org
Thu Jun 29 20:19:52 EEST 2006



Dear dovecot developers,

first: thanks for this really cool imapd, on my server it serves some
hundred domains, all in all some thousand users, some having hundred
thousand mails in their Maildirs (their spam boxes mostly).

Since I put this installation in a FreeBSD geli encrypted disc image I
had no choice but to choose an imapd with clever indexes - dovecot was
perfect.

However, since I reconfigured the disc image to work as a FreeBSD jail,
I had some trouble with my web mail solution. Squirrelmail does not work
with imaps (or at least not smoothly, out of the box, or whatever) and
I didn't like to hack php to support SSL. Plus: there is no point in
using ssl for a local connection.

In a FreeBSD jail a socket's source address is always rewritten to the
jail's address, so squirrelmail opening a connection to dovecot will not
come from 127.0.0.1 but from the same (jail's) address dovecot listens to.

Still, dovecot only considers 'localhost' addresses as secure and allows
LOGIN or PLAIN auth. With the little patch below dovecot allows clients
from the jail to authenticate via LOGIN, when they connect from the IP
it accepts connections at.

Something similar is lurking around in pop3 auth code, I am sure, you
get the point.

Regards

  erdgeist

======== 8< ======== 8< ======== 8< ======== 8< ======== 8< ======== 8<

dovecot-1.0.rc1/src/imap-login
 18:59:44 #> diff -u client.c*

- --- client.c    Thu Jun 29 18:59:39 2006
+++ client.c_new        Thu Jun 29 18:59:19 2006
@@ -411,7 +411,7 @@
                             const struct ip_addr *ip)
 {
        struct imap_client *client;
- -       const char *addr;
+       const char *addr, *local_addr;

        if (max_logging_users > CLIENT_DESTROY_OLDEST_COUNT &&
            hash_size(clients) >= max_logging_users) {
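Review bot: `local_addr` is declared here, but nothing in this hunk brings `local_ip` into scope; the visible signature fragment ends with `const struct ip_addr *ip)`, so confirm that this function already receives the listening address as a `local_ip` parameter (and that it cannot be NULL) before the next hunk dereferences it through `net_ip2addr()`. Also, the `- ---` / `- -` prefixes are PGP dash-escaping and the long lines further down are wrapped by the mailer, so `patch` will not apply this as posted; attaching the diff as a file would avoid both problems.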
@@ -429,8 +429,10 @@
        client->common.tls = ssl;

         addr = net_ip2addr(ip);
+        local_addr = net_ip2addr(local_ip);
        client->common.secured = ssl ||
                (IPADDR_IS_V4(ip) && strncmp(addr, "127.", 4) == 0) ||
+               (IPADDR_IS_V4(ip) && strncmp(addr, local_addr,
strlen(local_addr)) == 0) ||
                (IPADDR_IS_V6(ip) && (strcmp(addr, "::1") == 0 ||
                                      strncmp(addr, "::ffff:127.", 11)
== 0));
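Review bot: `strncmp(addr, local_addr, strlen(local_addr)) == 0` is a prefix test, not an equality test: with the jail listening on `10.0.0.1`, a client connecting from `10.0.0.10` through `10.0.0.19` also gets `secured` set and is allowed plaintext LOGIN/PLAIN. Use `strcmp(addr, local_addr) == 0`, or better, compare the two `ip_addr` structures directly rather than their textual form. Note too that the new condition is guarded by `IPADDR_IS_V4(ip)` only, so a jail bound to an IPv6 address gets no equivalent treatment, and as the message says the same change would have to be repeated in the pop3 login code.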

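To make the jail case and the secured check concrete, here is an added example that is not Dovecot code and not the author's patch: it reimplements the test on textual addresses, once with the prefix comparison as posted and once with an exact comparison, and shows which constructed client addresses each variant marks as secured. The `IPADDR_IS_V4`/`IPADDR_IS_V6` guards are left out (assumption: the address strings are already well formed).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Loopback tests taken from the posted diff (family guards omitted). */
static bool is_loopback(const char *addr)
{
    return strncmp(addr, "127.", 4) == 0 ||
           strcmp(addr, "::1") == 0 ||
           strncmp(addr, "::ffff:127.", 11) == 0;
}

/* The check as posted: a prefix comparison against the listening address,
 * so any client address that merely starts with local_addr is accepted. */
bool secured_as_posted(bool ssl, const char *addr, const char *local_addr)
{
    return ssl || is_loopback(addr) ||
           strncmp(addr, local_addr, strlen(local_addr)) == 0;
}

/* Exact comparison: only a client whose source address equals the
 * listener's address (i.e. one that originated inside the jail) is secured. */
bool secured_exact(bool ssl, const char *addr, const char *local_addr)
{
    return ssl || is_loopback(addr) || strcmp(addr, local_addr) == 0;
}

int main(void)
{
    /* Constructed sample: a jail listening on 10.0.0.1 and some client sources. */
    const char *local_addr = "10.0.0.1";
    const char *clients[] = { "127.0.0.1", "10.0.0.1", "10.0.0.10", "10.0.0.2" };
    for (size_t i = 0; i < sizeof clients / sizeof clients[0]; i++)
        printf("%-10s posted=%d exact=%d\n", clients[i],
               secured_as_posted(false, clients[i], local_addr),
               secured_exact(false, clients[i], local_addr));
    return 0;
}
```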

