[Dovecot] feature request: deny IP address via database

Bill Cole dovecot-20061108 at billmail.scconsult.com
Mon Apr 7 23:58:54 EEST 2008


At 12:20 PM -0400 4/7/08, Dave McGuire wrote:
>   Hey folks.  One feature I'd really like to see in dovecot is the 
>ability to point it at a database (with a configurable query) and 
>have it allow or deny a connection based on looking up the source IP 
>address in that database.
>
>   I run Postfix, and I've got it configured to use a database server 
>for its smtpd_client_restrictions checks.  Ideally I'd like to point 
>dovecot at the same database table.  I have external tools that 
>maintain that table.
>
>   I was thinking of writing it myself, but I'm running 1.0.10; I'd 
>assume that any such modifications would need to be rewritten for 
>1.1.  Then I got to thinking that such functionality would likely be 
>useful to people other than just me, so..
>
>   Thoughts?

Is there any reason to do this at the application layer rather than 
the network layer for Dovecot?

Note that using smtpd_client_restrictions in Postfix *does not* make 
it deny connections, it just makes it reject mail that is offered on 
connections. It seems to me that for SMTP it is fairly normal to have 
IP space that you'd want to reject mail from conditionally, such as 
depending on whether/how the client authenticates or to allow mail to 
standard role accounts. That sort of conditionality that is only 
possible at the application layer makes an argument for 
smtpd_client_restrictions in Postfix in some cases rather than 
blocking at the network layer (i.e. a packet filter on the host of an 
external firewall.) I don't see the same sort of cases for IMAP or 
POP where you'd want to share a list of not-quite-totally-evil IP 
addresses with Postfix or anything else, rather than just barring 
access completely.

It is possible to restrict specific users to login via specific 
networks by using a custom PAM module, the allow_nets extra 
authentication field, or a custom checkpassword script. You also 
*might* be able to build a SQL query string using the %r variable and 
some sort of conditional logic so that authentication from 'bad' IP's 
fails.


-- 
Bill Cole                                  
bill at scconsult.com



More information about the dovecot mailing list