Suggestion: Split login_trusted_networks

Timo Sirainen tss at iki.fi
Tue Jun 28 21:49:56 UTC 2016


On 27 Jun 2016, at 15:46, Peter Mogensen <apm at one.com> wrote:
> 
> Hi,
> 
> For the upcoming 2.3 development, I'd like to re-suggest this:
> 
> It seems the use of login_trusted_networks is overloaded.
> 
> Example:
> * It's used for indicating which hosts you trust to provide XCLIENT remote IPs. (like a proxy)
> * It's used for indicating from which hosts you trust logins enough to disable auth penalty. (like in a webmail)
> 
> Often these two use cases have a different set of hosts.
> 
> So you can't have one set of hosts which you trust for XCLIENT and another set of hosts you trust for not being the origin of brute force attacks.

Hmm. I guess it's possible nowadays to remove that. The old behavior could still be configured by adding a passdb that enables nodelay=yes for the webmail's IP. For example:

passdb {
  driver = passwd-file
  args = username_format=%{lip} /etc/dovecot/passdb
}

127.0.0.1:::::::nodelay=yes

So I'm thinking v2.3 could no longer send the no-penalty parameter at all based on login_trusted_networks.

Also related: Dovecot's auth penalty support isn't especially good. There's now support for http://wiki2.dovecot.org/Authentication/Policy that can talk to https://github.com/PowerDNS/weakforced to provide much better possibilities for implementing auth penalty rules and especially cluster-wide.
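Added illustration, not part of the thread and not Dovecot code: a small model of the two trust decisions being separated as suggested above. XCLIENT trust is decided from a login_trusted_networks-style CIDR list, while the no-penalty decision comes from a passwd-file keyed on the local IP (username_format=%{lip}) whose extra-fields column carries nodelay=yes, as in the passdb example in the reply. The networks, addresses and passdb lines are constructed sample values; the function names are this example's own.

```python
"""Two independent trust decisions: XCLIENT trust vs. auth-penalty bypass.

Added example, not Dovecot's code.  It parses passwd-file style lines
(user:password:uid:gid:gecos:home:shell:extra_fields) where the key is
the local IP, and checks a login_trusted_networks-style CIDR list.
All sample values below are constructed.
"""
import ipaddress

# Constructed: proxies trusted to supply the real client IP via XCLIENT.
LOGIN_TRUSTED_NETWORKS = "10.0.0.0/24 192.0.2.10"

# Constructed passdb file keyed on the local IP (%{lip}).  The 8th field
# holds space-separated extra fields such as nodelay=yes.
PASSDB_FILE = """\
# local_ip:password:uid:gid:gecos:home:shell:extra_fields
127.0.0.1:::::::nodelay=yes
192.0.2.20:::::::nodelay=yes allow_nets=192.0.2.0/24
"""


def parse_trusted_networks(value):
    """Parse a space-separated list of networks or single hosts."""
    return [ipaddress.ip_network(tok, strict=False) for tok in value.split()]


def parse_passdb(text):
    """Return {key: {extra_field: value}} from passwd-file lines.

    Blank lines and '#' comments are skipped.  Only the first 7 colons
    split fields, so the extra-fields column may itself contain colons.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 7)
        extra = {}
        if len(fields) == 8 and fields[7]:
            for item in fields[7].split():
                key, _, val = item.partition("=")
                extra[key] = val
        entries[fields[0]] = extra
    return entries


def xclient_trusted(remote_ip, trusted_nets):
    """Is the connecting host allowed to override the remote IP (XCLIENT)?"""
    ip = ipaddress.ip_address(remote_ip)
    return any(ip in net for net in trusted_nets)


def penalty_disabled(local_ip, passdb):
    """Has the passdb entry for this local IP asked for nodelay=yes?"""
    return passdb.get(local_ip, {}).get("nodelay") == "yes"


def classify(remote_ip, local_ip, trusted_nets, passdb):
    """Evaluate both decisions for one connection; note they are independent."""
    return {
        "xclient_trusted": xclient_trusted(remote_ip, trusted_nets),
        "penalty_disabled": penalty_disabled(local_ip, passdb),
    }


if __name__ == "__main__":
    nets = parse_trusted_networks(LOGIN_TRUSTED_NETWORKS)
    db = parse_passdb(PASSDB_FILE)
    # A proxy in the trusted network: XCLIENT honoured, penalty still applied.
    print(classify("10.0.0.5", "203.0.113.1", nets, db))
    # A webmail host reaching the loopback listener: penalty off, no XCLIENT.
    print(classify("198.51.100.7", "127.0.0.1", nets, db))
```

The point of the split is visible in the two calls at the bottom: the proxy matches login_trusted_networks but gets no nodelay, and the webmail path gets nodelay from the passdb without being trusted for XCLIENT.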


