Conditionally disabling auth policy
Marcus Rueckert
darix at opensu.se
Wed Sep 27 20:03:43 EEST 2017
On 2017-09-27 16:57:44 +0000, Mark Moseley wrote:
> I've been digging into the auth policy stuff with weakforced lately. There
> are cases (IP ranges, so could be wrapped up in remote {} blocks) where
> it'd be nice to skip the auth policy (internal hosts that I can trust, but
> that are hitting the same servers as the outside world).
>
> Is there any way to disable auth policy, possibly inside a remote{}?
>
> auth_policy_server_url complains that it can't be used inside a remote
> block, so no dice there. Anything I'm missing?
From my config:
```
allowed_subnets = newNetmaskGroup()
allowed_subnets:addMask('fe80::/64')
allowed_subnets:addMask('127.0.0.0/8')
-- [snip]
-- run the GeoIP check only for clients outside the trusted subnets
if not allowed_subnets:match(lt.remote) then
  -- do GeoIP check
end
```
Of course you could just skip all checks in that case if you really wanted, but
you probably want to be careful not to skip too many checks, otherwise
the attack moves from your IMAP port, e.g., to your webmailer.
darix
--
openSUSE - SUSE Linux is my linux
openSUSE is good for you
www.opensuse.org