[Dovecot] Allow_nets + MySQL failing when using range notation
Javier García
javier.garcia at ibercom.com
Mon Mar 31 13:56:54 EEST 2008
Hello all,
I am testing my dovecot installation in order to restrict access via
POP3 for IPs outside my network. I have read and understood the
instructions in the wiki and I have reached a configuration that works
ONLY when single IPs are listed in allow_nets but not when ranges in the
notation x.x.x.x/y are listed. Some examples should be more explanatory.
I am using 1.0.rc15 patched as for last week as distributed in Debian etch.
First of all, everything related to this is stored in a MySQL database,
here is my password query:
password_query = SELECT u.password as password, t.allow_nets as
allow_nets FROM users u, access_type t WHERE u.ID_access_type =
t.ID_access and ( t.%Ls = 1 ) and u.mail = '%u'
This one should validate all mail addresses when the protocol used is
marked as 1 in table access_type and when the allow_nets value in this
same table contains the IP used for the access request. Then, if
access_type looks like:
ID_access  pop3  imap  allow_nets
3          0     1     10.34.128.0/23, 10.34.133.0/24, 192.168.0.0/24
users with ID_access=3 fail to login by either pop3 (normal, value is 0)
or imap. Here is the corresponding excerpt from dovecot.log:
dovecot: 2008-03-31 11:29:04 Info: auth-worker(default):
sql(user at domain.com,10.34.133.104): query: SELECT u.password as
password, t.allow_nets as allow_nets FROM users u, access_type t WHERE
u.ID_access_type = t.ID_access and ( t.imap = 1 ) and u.mail =
'user at domain.com'
dovecot: 2008-03-31 11:26:39 Info: auth-worker(default):
auth(user at domain.com,10.34.133.104): allow_nets: Matching for network
192.168.0.0/24
dovecot: 2008-03-31 11:26:39 Info: auth-worker(default):
auth(user at domain.com,10.34.133.104): allow_nets: Matching for network
10.34.128.0/23
dovecot: 2008-03-31 11:26:39 Info: auth-worker(default):
auth(user at domain.com,10.34.133.104): allow_nets: Matching for network
10.34.133.0/23
dovecot: 2008-03-31 11:26:39 Info: auth-worker(default):
passdb(user at domain.com,10.34.133.104): allow_nets check failed: IP not
in allowed networks
but if it looks like
ID_access  pop3  imap  allow_nets
3          0     1     10.34.133.105, 10.34.133.104
then access is allowed by IMAP
dovecot: 2008-03-31 11:34:01 Info: auth-worker(default):
sql(user at domain.com,10.34.133.104): query: SELECT u.password as
password, t.allow_nets as allow_nets FROM users u, access_type t WHERE
u.ID_access_type = t.ID_access and ( t.imap = 1 ) and u.mail =
'user at domain.com'
dovecot: 2008-03-31 11:34:01 Info: auth-worker(default):
auth(user at domain.com,10.34.133.104): allow_nets: Matching for network
10.34.133.105
dovecot: 2008-03-31 11:34:01 Info: auth-worker(default):
auth(user at domain.com,10.34.133.104): allow_nets: Matching for network
10.34.133.104
dovecot: 2008-03-31 11:34:01 Info: auth(default): client out: OK
1 user=user at domain.com
while POP3 still disallowed as expected:
dovecot: 2008-03-31 11:34:25 Info: auth-worker(default):
sql(user at domain.com,10.34.133.104): query: SELECT u.password as
password, t.allow_nets as allow_nets FROM users u, access_type t WHERE
u.ID_access_type = t.ID_access and ( t.pop3 = 1 ) and u.mail =
'user at domain.com'
dovecot: 2008-03-31 11:34:25 Info: auth-worker(default):
sql(user at domain.com,10.34.133.104): unknown user
So, is there a bug related to the IP class notation or am I doing
something wrong? I have tried leaving a single class (10.34.133.0/24)
and explicitly erasing any spaces after the commas, but none of these
worked. Also, note that using 0.0.0.0/0 behaves as expected, that is,
access from any IP is allowed.
Thanks in advance,
Javier
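The behaviour the post expects from allow_nets (a comma-separated list of bare IPs and x.x.x.x/y ranges, matched against the client address, with the per-protocol flag checked separately) can be written out as a small reference matcher. The following is an added example for readers of the thread, not code from the post or from Dovecot itself; it reimplements the intended semantics with Python's standard ipaddress module so the values in the post can be checked independently of the server. The ACCESS_TYPE_ROW dictionary is a constructed stand-in for one row of the poster's access_type table, and check_login is a hypothetical helper that mirrors the t.%Ls = 1 condition in the password_query. Networks are parsed with strict=False so that a range written with host bits set (the 10.34.133.0/23 seen in the log) is still interpreted as the enclosing /23 rather than rejected.

```python
import ipaddress

# Constructed stand-in for one row of the access_type table from the post.
ACCESS_TYPE_ROW = {
    "ID_access": 3,
    "pop3": 0,
    "imap": 1,
    "allow_nets": "10.34.128.0/23, 10.34.133.0/24, 192.168.0.0/24",
}


def parse_allow_nets(allow_nets):
    """Split an allow_nets value into ip_network objects.

    Bare addresses become single-host networks (/32 or /128); CIDR
    entries keep their prefix.  strict=False tolerates host bits in the
    base address, e.g. 10.34.133.0/23 is treated as 10.34.132.0/23.
    Whitespace around commas is ignored.  Raises ValueError on any entry
    that is not an address or a network.
    """
    nets = []
    for entry in allow_nets.split(","):
        entry = entry.strip()
        if not entry:
            continue
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def ip_allowed(remote_ip, allow_nets):
    """True if remote_ip lies inside at least one network in allow_nets.

    Fails closed: an empty list, an unparseable entry or an unparseable
    client address denies access rather than silently allowing it.
    """
    try:
        addr = ipaddress.ip_address(remote_ip)
        nets = parse_allow_nets(allow_nets)
    except ValueError:
        return False
    # A mismatched address family (IPv4 client vs IPv6 network) is simply
    # not contained, which the membership test already handles.
    return any(addr in net for net in nets)


def check_login(remote_ip, protocol, row):
    """Hypothetical equivalent of the post's password_query logic.

    The query only returns a row when the protocol column for the user's
    access type is 1; allow_nets is then evaluated against the client IP.
    Both conditions must hold for the login to be accepted.
    """
    if row.get(protocol) != 1:
        return False          # protocol disabled for this access type
    return ip_allowed(remote_ip, row.get("allow_nets", ""))


if __name__ == "__main__":
    client = "10.34.133.104"      # client address from the post's log lines
    for proto in ("imap", "pop3"):
        print(proto, check_login(client, proto, ACCESS_TYPE_ROW))
```

Run stand-alone it reports imap True and pop3 False for the client address in the log, which is the outcome the post describes as expected. The same helper shows that 10.34.133.104 does not fall inside 10.34.128.0/23 alone (that range ends at 10.34.129.255), so a working matcher must be accepting it via the 10.34.133.0/24 entry.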