Suggestion: Split login_trusted_networks
Timo Sirainen
tss at iki.fi
Tue Jun 28 21:52:51 UTC 2016
> On 29 Jun 2016, at 00:49, Timo Sirainen <tss at iki.fi> wrote:
>
> On 27 Jun 2016, at 15:46, Peter Mogensen <apm at one.com> wrote:
>>
>> Hi,
>>
>> For the upcoming 2.3 development, I'd like to re-suggest this:
>>
>> It seems the use of login_trusted_networks is overloaded.
>>
>> Example:
>> * It's used for indicating which hosts you trust to provide XCLIENT remote IPs. (like a proxy)
>> * It's used for indicating from which hosts you trust logins enough to disable auth penalty. (like in a webmail)
>>
>> Often these two use cases have a different set of hosts.
>>
>> So you can't have one set of hosts which you trust for XCLIENT and another set of hosts you trust for not being the origin of brute force attacks.
>
> Hmm. I guess it's possible nowadays to remove that. The old behavior could still be configured by adding a passdb that enables nodelay=yes for the webmail's IP. For example:
>
> passdb {
> driver = passwd-file
> args = username_format=%{lip} /etc/dovecot/passdb
%{rip} I meant.
> }
>
> 127.0.0.1:::::::nodelay=yes
So this could be e.g. 192.168.10.123 or something.
>
> So I'm thinking v2.3 could no longer send the no-penalty parameter at all based on login_trusted_networks.
>
> Also related: Dovecot's auth penalty support isn't especially good. There's now support for http://wiki2.dovecot.org/Authentication/Policy that can talk to https://github.com/PowerDNS/weakforced to provide much better possibilities for implementing auth penalty rules and especially cluster-wide.
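The two uses side by side, as an added example that is not taken from this mail or from Dovecot's own documentation: the proxy address (10.0.0.10), the webmail address (192.168.10.123), the passwd-file path and the pam passdb are assumed. It also assumes, as Timo's suggestion does, that the nodelay extra field set by the IP-keyed passdb is kept when authentication continues in the following passdb.

```conf
# dovecot.conf (assumed fragment)

# Only the IMAP/POP3 proxy is trusted to supply the real client IP via XCLIENT.
# The webmail host is deliberately NOT listed here, so its logins keep full
# auth-penalty treatment unless a passdb says otherwise.
login_trusted_networks = 10.0.0.10/32

# First passdb: keyed on the remote IP (%{rip}), not the username. Its only
# purpose is to attach nodelay=yes for the webmail host; the empty password
# field means it never authenticates anyone by itself.
passdb {
  driver = passwd-file
  args = username_format=%{rip} /etc/dovecot/passdb-nodelay
  # Keep going to the real passdb whether or not the remote IP matched
  # (continue is the default for result_failure; stated here for clarity).
  result_failure = continue
  result_success = continue
}

# Second passdb: the one that actually verifies the user's password.
passdb {
  driver = pam
}

# /etc/dovecot/passdb-nodelay (assumed contents, one line per webmail host)
# Format is the passwd-file one: user:password:uid:gid:gecos:home:shell:extra
# 192.168.10.123:::::::nodelay=yes
```

The check that this does what you want: log in through the webmail host with a wrong password and confirm the failure is returned without the usual delay, then do the same from an unlisted client address and confirm the delay still applies; neither host should be able to set a remote IP via XCLIENT unless it is also in login_trusted_networks.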