On 2017-09-27 16:57:44 +0000, Mark Moseley wrote:
I've been digging into the auth policy stuff with weakforced lately. There are cases (IP ranges, so could be wrapped up in remote {} blocks) where it'd be nice to skip the auth policy (internal hosts that I can trust, but that are hitting the same servers as the outside world).
Is there any way to disable auth policy, possibly inside a remote{}?
auth_policy_server_url complains that it can't be used inside a remote block, so no dice there. Anything I'm missing?
From my config:
allowed_subnets=newNetmaskGroup()
allowed_subnets:addMask('fe80::/64')
allowed_subnets:addMask('127.0.0.0/8')
[snip]
if (not(allowed_subnets:match(lt.remote))) then
    -- do GeoIP check
end
Of course you could just skip all checks in that case if you really wanted. But you probably want to be careful not to skip too many checks, otherwise the attack moves from your IMAP port to, e.g., your webmailer.
darix
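The approach in the reply above, written out as an added example (not code from either poster or from the weakforced project): a wforce Lua policy where trusted subnets skip only the GeoIP check while the failed-password counter still applies to every client. The subnets, threshold and country list are constructed sample values, and the legacy GeoIP calls (initGeoIPDB, lookupCountry) are assumed to be available in the wforce build in use.

```lua
-- Added example: wforce policy sketch, all values are constructed samples.
local field_map = {}
field_map["diffFailedPasswords"] = "hll"
-- 6 windows of 600 seconds each, i.e. one hour of history per key
newStringStatsDB("OneHourDB", 600, 6, field_map)

-- Internal hosts that are exempt from the GeoIP check only.
local trusted_subnets = newNetmaskGroup()
trusted_subnets:addMask("127.0.0.0/8")
trusted_subnets:addMask("fe80::/64")

-- Assumption: the legacy GeoIP country database is installed.
initGeoIPDB()
local allowed_countries = { DE = true, US = true }  -- constructed list

function report(lt)
    -- Count distinct failed passwords per source IP, trusted or not.
    if not lt.success and not lt.policy_reject then
        local sdb = getStringStatsDB("OneHourDB")
        sdb:twAdd(lt.remote, "diffFailedPasswords", lt.pwhash)
    end
end

function allow(lt)
    local sdb = getStringStatsDB("OneHourDB")

    -- The brute-force check runs for every client, so a compromised
    -- internal host cannot guess passwords without limit.
    if sdb:twGet(lt.remote, "diffFailedPasswords") > 50 then
        return -1, "", "too many failed passwords from IP", {}
    end

    -- Only the GeoIP check is skipped for trusted subnets.
    if not trusted_subnets:match(lt.remote) then
        local cc = lookupCountry(lt.remote)
        if not allowed_countries[cc] then
            return -1, "", "country not allowed", { country = cc }
        end
    end

    -- 0 = allow; negative = reject; positive = tarpit seconds
    return 0, "", "", {}
end

setReport(report)
setAllow(allow)
```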