On Mon, Oct 31, 2016 at 12:35:02PM -0700, Stephen Hanselman wrote:

Good Morning,

Can someone point me to the area in Dovecot that deals with incoming IP addresses. Specifically I want to determine if it is possible to "spoof" the address or is the address I look at in the headers the actual address that made the connection request (hopefully it is).

I can't point you to a section of code since I'm not familiar with the Dovecot codebase, but I can provide a bit of insight.

It's quite possible to spoof source IP addresses on the internet. It's quite a complicated and deep topic1, but it is very much a real thing. Since this is at the network level, Dovecot has no way of detecting or preventing this. Thankfully, it's much more complicated to actually _receive_ packets intended for an IP you don't control, so IP spoofing is used primarily for making DDoS attacks harder to block. I can't find the talk that gave this number, but I recall someone claiming 27% of ISPs did not take adequate steps to prevent IP spoofing on their networks.

I'm curious what your goal is. IP addresses are not generally an acceptable means of identification, which is why Dovecot supports real authentication mechanisms like SASL. So what are you trying to do?

--Sean