(I am sorry to bother the list with something I should have verified myself right now - I simply do not have access to the source code here)
Thinking of some limit I wanted to put on authentication, I am wondering - when Dovecot authenticates a user using PAM, now that (in 1.0) it passes the rhost item to PAM, it passes a hostname, not an IP address.
Does it double-verify the DNS record before it trusts this to be the hostname (first checking the IP address in in-addr.arpa and then checking that the hostname indeed maps back to the same IP address)?
That is necessary in order to trust the client address when determining authentication strength in the PAM module based on the client location (specifically we want stronger authentication when the client comes from outside our network, while inside a plain password suffices), since otherwise anybody could "spoof" the hostname by changing the IN PTR record of his IP address to point back to some "trusted" hostname (given that he has control of the DNS zone his host is in, which is entirely possible, given that the server knows nothing about it).
Thanks, -- Tom
-- Tom Alsberg - hacker (being the best description fitting this space) Web page: http://www.cs.huji.ac.il/~alsbergt/ DISCLAIMER: The above message does not even necessarily represent what my fingers have typed on the keyboard, save anything further.
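The double lookup asked about above, forward-confirmed reverse DNS, as an added example that is not part of the original post and not Dovecot's or PAM's own code. The check needs the client's IP address as its starting point (which is exactly what a module receiving only a hostname lacks); the resolver is injected so the logic runs offline against constructed records, with socket-based resolvers provided for real use. The zone data, host names, addresses and the trusted network are all made up for the illustration.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for a PAM-style rhost value.

Trusting a hostname requires: PTR lookup of the IP, then A/AAAA lookup of
every name returned, accepting a name only if the original IP is among its
forward addresses. An attacker who controls the reverse zone for his own
address block can point the PTR anywhere, but he cannot add his IP to the
forward zone of the name he is impersonating.
"""
import ipaddress
import socket
from typing import Callable, List, Optional

ResolvePtr = Callable[[str], List[str]]   # ip address -> PTR names
ResolveAddr = Callable[[str], List[str]]  # hostname   -> A/AAAA addresses

# Constructed sample records (hypothetical zones and hosts, not real ones).
# 192.0.2.10   legitimate internal host; PTR and A records agree.
# 192.0.2.11   legitimate multi-homed host; its name has several A records.
# 198.51.100.7 attacker who points the PTR of his own IP at a trusted name;
#              the forward record for that name still does not list him.
SAMPLE_PTR = {
    "192.0.2.10": ["ws17.cs.example.edu."],
    "192.0.2.11": ["multihome.cs.example.edu."],
    "198.51.100.7": ["ws17.cs.example.edu."],
}
SAMPLE_ADDR = {
    "ws17.cs.example.edu": ["192.0.2.10"],
    "multihome.cs.example.edu": ["192.0.2.12", "192.0.2.11"],
}

# Assumed trusted network for the location-based policy (constructed).
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def _canon(name: str) -> str:
    """Normalise a DNS name: strip the trailing dot, lower-case it."""
    return name.rstrip(".").lower()


def sample_ptr(ip: str) -> List[str]:
    return list(SAMPLE_PTR.get(ip, []))


def sample_addr(name: str) -> List[str]:
    return list(SAMPLE_ADDR.get(_canon(name), []))


def system_ptr(ip: str) -> List[str]:
    """Real reverse lookup via the system resolver (empty list on failure)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [host] + list(aliases)


def system_addr(name: str) -> List[str]:
    """Real forward lookup via the system resolver (empty list on failure)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except OSError:
        return []
    return sorted({info[4][0] for info in infos})


def forward_confirmed_hostname(ip: str,
                               resolve_ptr: ResolvePtr = system_ptr,
                               resolve_addr: ResolveAddr = system_addr
                               ) -> Optional[str]:
    """Return the client's hostname only if the PTR name maps back to ip."""
    addr = ipaddress.ip_address(ip)       # ValueError on garbage input
    for name in resolve_ptr(str(addr)):
        name = _canon(name)
        for fwd in resolve_addr(name):
            try:
                if ipaddress.ip_address(fwd) == addr:
                    return name
            except ValueError:            # e.g. scoped IPv6 "fe80::1%eth0"
                continue
    return None                           # unconfirmed: treat as untrusted


def trusted_by_name(ip: str, trusted_suffix: str,
                    resolve_ptr: ResolvePtr = system_ptr,
                    resolve_addr: ResolveAddr = system_addr) -> bool:
    """Name-based trust that survives a spoofed PTR record."""
    name = forward_confirmed_hostname(ip, resolve_ptr, resolve_addr)
    suffix = _canon(trusted_suffix)
    return name is not None and (name == suffix or name.endswith("." + suffix))


def required_auth(ip: str, trusted_nets=TRUSTED_NETS) -> str:
    """Location policy keyed on the IP address itself, never on the name."""
    addr = ipaddress.ip_address(ip)
    inside = any(addr in net for net in trusted_nets)
    return "password" if inside else "strong"
```

The safer policy is the last function: decide "inside" versus "outside" from the address and the network prefix, which needs no DNS at all; use the name-based variant only where a hostname genuinely carries meaning the address does not.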