At 12:20 PM -0400 4/7/08, Dave McGuire wrote:
Hey folks. One feature I'd really like to see in dovecot is the ability to point it at a database (with a configurable query) and have it allow or deny a connection based on looking up the source IP address in that database.
I run Postfix, and I've got it configured to use a database server for its smtpd_client_restrictions checks. Ideally I'd like to point dovecot at the same database table. I have external tools that maintain that table.
I was thinking of writing it myself, but I'm running 1.0.10; I'd assume that any such modifications would need to be rewritten for 1.1. Then I got to thinking that such functionality would likely be useful to people other than just me, so..
Thoughts?
Is there any reason to do this at the application layer rather than the network layer for Dovecot?
Note that using smtpd_client_restrictions in Postfix *does not* make it deny connections, it just makes it reject mail that is offered on connections. It seems to me that for SMTP it is fairly normal to have IP space that you'd want to reject mail from conditionally, such as depending on whether/how the client authenticates or to allow mail to standard role accounts. That sort of conditionality that is only possible at the application layer makes an argument for smtpd_client_restrictions in Postfix in some cases rather than blocking at the network layer (i.e. a packet filter on the host of an external firewall.) I don't see the same sort of cases for IMAP or POP where you'd want to share a list of not-quite-totally-evil IP addresses with Postfix or anything else, rather than just barring access completely.
It is possible to restrict specific users to login via specific networks by using a custom PAM module, the allow_nets extra authentication field, or a custom checkpassword script. You also *might* be able to build a SQL query string using the %r variable and some sort of conditional logic so that authentication from 'bad' IP's fails.
--
Bill Cole
bill@scconsult.com