Suggestion: Split login_trusted_networks
Timo Sirainen
tss at iki.fi
Tue Jun 28 21:49:56 UTC 2016
On 27 Jun 2016, at 15:46, Peter Mogensen <apm at one.com> wrote:
>
> Hi,
>
> For the upcoming 2.3 development, I'd like to re-suggest this:
>
> It seems the use of login_trusted_networks is overloaded.
>
> Example:
> * It's used for indicating which hosts you trust to provide XCLIENT remote IP's. (like a proxy)
> * It's used for indicating from which hosts you trust logins enough to disable auth penalty. (like in a webmail)
>
> Often these two uses cases have a different set of hosts.
>
> So you can't have one set of hosts which you trust for XCLIENT and another set of hosts you trust for not being the origin of brute force attacks.
Hmm. I guess it's possible nowadays to remove that. The old behavior could still be configured by adding a passdb that enables nodelay=yes for the webmail's IP. For example:
passdb {
driver = passwd-file
args = username_format=%{lip} /etc/dovecot/passdb
}
127.0.0.1:::::::nodelay=yes
So I'm thinking v2.3 could no longer send the no-penalty parameter at all based on login_trusted_networks.
Also related: Dovecot's auth penalty support isn't especially good. There's now support for http://wiki2.dovecot.org/Authentication/Policy that can talk to https://github.com/PowerDNS/weakforced to provide much better possibilities for implementing auth penalty rules and especially cluster-wide.
More information about the dovecot
mailing list