On Mon, 26 Sep 2005, Tom Alsberg wrote:
> I do not recall there being a PAM item for IP address, but just for the remote hostname - rhost, which may be any string received by the application, and is only by convention expected to be the address of the client.
yeah pam is unfortunately the real problem here -- pam should support both the numeric IP and the text name. the IP address is absolutely essential for forensic analysis, however humans tend to want to read a text name...
but the text name is quite untrustworthy: even a double-reverse check is insufficient in the cases where an attacker has control over dns servers... how do you figure out what network block the attack came from after the fact if the dns has been changed again?
> just write a patch for that (will probably make it configurable in dovecot.conf whether the PAM rhost item passed will be a hostname or IP address).
this is what i've done to other daemons... and i run with them in IP address mode instead.
my old patch for PAM_RHOST for 0.99.x didn't even do DNS lookups.
-dean