Hello all,
I am testing my dovecot installation in order to restrict access via POP3 for IPs outside my network. I have read and understood the instructions in the wiki and I have reached a configuration that works ONLY when single IPs are listed in allow_nets but not when ranges in the notation x.x.x.x/y are listed. Some examples should be more explanatory. I am using 1.0.rc15, patched as of last week, as distributed in Debian etch.
First of all, everything related to this is stored in a MySQL database, here is my password query:
password_query = SELECT u.password as password, t.allow_nets as allow_nets FROM users u, access_type t WHERE u.ID_access_type = t.ID_access and ( t.%Ls = 1 ) and u.mail = '%u'
This one should validate all mail addresses when the protocol used is marked as 1 in table access_type and when the allow_nets value in this same table contains the IP used for the access request. Then, if access_type looks like:
ID_access  pop3  imap  allow_nets
3          0     1     10.34.128.0/23, 10.34.133.0/24, 192.168.0.0/24
users with ID_access=3 fail to log in by either pop3 (normal, value is 0) or imap. Here is the corresponding excerpt from dovecot.log:
dovecot: 2008-03-31 11:29:04 Info: auth-worker(default): sql(user@domain.com,10.34.133.104): query: SELECT u.password as password, t.allow_nets as allow_nets FROM users u, access_type t WHERE u.ID_access_type = t.ID_access and ( t.imap = 1 ) and u.mail = 'user@domain.com'
dovecot: 2008-03-31 11:26:39 Info: auth-worker(default): auth(user@domain.com,10.34.133.104): allow_nets: Matching for network 192.168.0.0/24
dovecot: 2008-03-31 11:26:39 Info: auth-worker(default): auth(user@domain.com,10.34.133.104): allow_nets: Matching for network 10.34.128.0/23
dovecot: 2008-03-31 11:26:39 Info: auth-worker(default): auth(user@domain.com,10.34.133.104): allow_nets: Matching for network 10.34.133.0/23
dovecot: 2008-03-31 11:26:39 Info: auth-worker(default): passdb(user@domain.com,10.34.133.104): allow_nets check failed: IP not in allowed networks
but if it looks like
ID_access  pop3  imap  allow_nets
3          0     1     10.34.133.105, 10.34.133.104
then access is allowed via IMAP:
dovecot: 2008-03-31 11:34:01 Info: auth-worker(default): sql(user@domain.com,10.34.133.104): query: SELECT u.password as password, t.allow_nets as allow_nets FROM users u, access_type t WHERE u.ID_access_type = t.ID_access and ( t.imap = 1 ) and u.mail = 'user@domain.com'
dovecot: 2008-03-31 11:34:01 Info: auth-worker(default): auth(user@domain.com,10.34.133.104): allow_nets: Matching for network 10.34.133.105
dovecot: 2008-03-31 11:34:01 Info: auth-worker(default): auth(user@domain.com,10.34.133.104): allow_nets: Matching for network 10.34.133.104
dovecot: 2008-03-31 11:34:01 Info: auth(default): client out: OK 1 user=user@domain.com
while POP3 is still disallowed, as expected:
dovecot: 2008-03-31 11:34:25 Info: auth-worker(default): sql(user@domain.com,10.34.133.104): query: SELECT u.password as password, t.allow_nets as allow_nets FROM users u, access_type t WHERE u.ID_access_type = t.ID_access and ( t.pop3 = 1 ) and u.mail = 'user@domain.com'
dovecot: 2008-03-31 11:34:25 Info: auth-worker(default): sql(user@domain.com,10.34.133.104): unknown user
So, is there a bug related to the IP class notation or am I doing something wrong? I have tried leaving a single class (10.34.133.0/24) and explicitly erasing any spaces after the commas, but none of these worked. Also, note that using 0.0.0.0/0 behaves as expected, that is, access from any IP is allowed.
Thanks in advance,
Javier
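An added example, not part of Javier's post and not Dovecot's own allow_nets code: a small offline checker that parses an allow_nets value in the same comma-separated form used above (bare IPs or CIDR blocks), reports which entries cover a given client IP, and flags CIDR entries whose host bits are set. The sample values are the ones from the post; the function names and the "host bits set" diagnostic are this example's own.

```python
import ipaddress


def parse_allow_nets(value):
    """Split an allow_nets-style string into (networks, problems).

    Each entry is either a bare IP (treated as a single-host network, i.e. /32
    or /128) or a CIDR block.  A CIDR entry whose host bits are set (for
    example 10.34.133.0/23, whose real network address is 10.34.132.0) is not
    silently widened; it is reported in `problems` so the operator can decide
    what was meant.  This strictness is this example's choice, not Dovecot's.
    """
    nets, problems = [], []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=True))
        except ValueError:
            try:
                loose = ipaddress.ip_network(entry, strict=False)
                problems.append(
                    f"{entry}: host bits set, network address would be "
                    f"{loose.network_address}/{loose.prefixlen}"
                )
            except ValueError:
                problems.append(f"{entry}: not an IP address or CIDR block")
    return nets, problems


def matching_nets(client_ip, value):
    """Return the entries of `value` (as normalised CIDR strings) that contain client_ip."""
    addr = ipaddress.ip_address(client_ip)
    nets, _ = parse_allow_nets(value)
    return [str(n) for n in nets if n.version == addr.version and addr in n]


def ip_allowed(client_ip, value):
    """True when at least one well-formed entry covers the client IP."""
    return bool(matching_nets(client_ip, value))


if __name__ == "__main__":
    # Values taken from the post above; the client IP is the one in the log.
    client = "10.34.133.104"
    samples = [
        "10.34.128.0/23, 10.34.133.0/24, 192.168.0.0/24",  # CIDR list that failed
        "10.34.133.105, 10.34.133.104",                    # single IPs that worked
        "10.34.133.0/23",                                  # as printed in the log
        "0.0.0.0/0",                                       # wildcard that worked
    ]
    for value in samples:
        nets, problems = parse_allow_nets(value)
        print(f"allow_nets = {value!r}")
        print(f"  parsed   : {[str(n) for n in nets]}")
        for p in problems:
            print(f"  problem  : {p}")
        print(f"  {client} allowed: {ip_allowed(client, value)} "
              f"(matched {matching_nets(client, value)})")
```

Run it as a script to see, for each list, which entry a client IP falls into; the strict parse is deliberate, since an entry like 10.34.133.0/23 is ambiguous (the /23 starting at 10.34.132.0 does contain 10.34.133.104, but the entry as written does not name that network), and surfacing that is more useful for a login-restriction rule than guessing.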