Dear dovecot developers,

first: thanks for this really cool imapd. On my server it serves some hundred domains, all in all some thousand users, some having a hundred thousand mails in their Maildirs (their spam boxes mostly). Since I put this installation in a FreeBSD geli encrypted disc image I had no choice but to choose an imapd with clever indexes - dovecot was perfect.

However, since I reconfigured the disc image to work as a FreeBSD jail, I had some trouble with my web mail solution. Squirrelmail does not work with imaps (or at least not smoothly, out of the box, or whatever) and I didn't like to hack php to support SSL. Plus: there is no point in using ssl for a local connection.

In a FreeBSD jail a socket's source address is always rewritten to the jail's address, so squirrelmail opening a connection to dovecot will not come from 127.0.0.1 but from the same (jail's) address dovecot listens to. Still, dovecot only considers 'localhost' addresses as secure and allows LOGIN or PLAIN auth. With the little patch below dovecot allows clients from the jail to authenticate via LOGIN when they connect from the IP it accepts connections at. Something similar is lurking around in the pop3 auth code; I am sure you get the point.

Regards

erdgeist

======== 8< ======== 8< ======== 8< ======== 8< ======== 8< ======== 8<

dovecot-1.0.rc1/src/imap-login 18:59:44 #> diff -u client.c* - --- client.c Thu Jun 29 18:59:39 2006 +++ client.c_new Thu Jun 29 18:59:19 2006 @@ -411,7 +411,7 @@ const struct ip_addr *ip) { struct imap_client *client; - - const char *addr; + const char *addr, *local_addr; if (max_logging_users > CLIENT_DESTROY_OLDEST_COUNT && hash_size(clients) >= max_logging_users) { 
@@ -429,8 +429,10 @@ client->common.tls = ssl; addr = net_ip2addr(ip); + local_addr = net_ip2addr(local_ip); client->common.secured = ssl || (IPADDR_IS_V4(ip) && strncmp(addr, "127.", 4) == 0) || + (IPADDR_IS_V4(ip) && strncmp(addr, local_addr, strlen(local_addr)) == 0) || (IPADDR_IS_V6(ip) && (strcmp(addr, "::1") == 0 || strncmp(addr, "::ffff:127.", 11) == 0));
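Review bot: the @@ -411,7 +411,7 @@ hunk will not apply as posted, because the message is PGP clearsigned and the leading dashes of `- --- client.c Thu Jun 29 18:59:39 2006` and `- - const char *addr;` have been dash-escaped; patch(1) would look for a removed line `- const char *addr;` that does not exist in client.c, and the `---` file header is no longer recognisable. Send the diff as an attachment, or strip the escaping with gpg before applying. The hunk also pairs the new `local_addr` with a `local_ip` that is not visible in the quoted context, so the description should say where client_create() gets it from.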
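Review bot: the added condition in the @@ -429,8 +429,10 @@ hunk, `strncmp(addr, local_addr, strlen(local_addr)) == 0`, is a prefix match rather than an equality test, so with dovecot listening on 10.0.0.1 a client connecting from 10.0.0.10 or 10.0.0.100 is also marked `secured` and gets plaintext LOGIN/PLAIN over the network, which is exactly what the `secured` flag exists to prevent. Compare the parsed addresses instead of their text, for example `net_ip_compare(ip, local_ip)`, or at the very least use `strcmp(addr, local_addr) == 0`. A binary comparison also removes the need for the `IPADDR_IS_V4(ip)` guard, so a jail bound to an IPv6 address gets the same treatment.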
Dirk Engling wrote:
> client->common.secured = ssl ||
> (IPADDR_IS_V4(ip) && strncmp(addr, "127.", 4) == 0) ||
> + (IPADDR_IS_V4(ip) && strncmp(addr, local_addr,
> strlen(local_addr)) == 0) ||
> (IPADDR_IS_V6(ip) && (strcmp(addr, "::1") == 0 ||
> strncmp(addr, "::ffff:127.", 11)
> == 0));

Is there any portable way to test if the connection goes through the loopback interface?

Cheers,
-jkt

-- 
cd /local/pub && more beer > /dev/mouth
On Thu, 2006-06-29 at 19:19 +0200, Dirk Engling wrote:
> addr = net_ip2addr(ip);
> + local_addr = net_ip2addr(local_ip);
> client->common.secured = ssl ||
> (IPADDR_IS_V4(ip) && strncmp(addr, "127.", 4) == 0) ||
> + (IPADDR_IS_V4(ip) && strncmp(addr, local_addr,
> strlen(local_addr)) == 0) ||
> (IPADDR_IS_V6(ip) && (strcmp(addr, "::1") == 0 ||
> strncmp(addr, "::ffff:127.", 11)
> == 0));

Actually all this can be done much more easily:

client->common.secured = ssl || net_ip_compare(ip, local_ip);
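As an added example (written for this page; it is neither dovecot's code nor anything posted in the thread), here is the "secured" decision the thread is about, carried out on parsed addresses instead of their text: a loopback test for 127.0.0.0/8, ::1 and ::ffff:127.0.0.0/104, plus an equality test against the listening address in the role net_ip_compare() plays in Timo's reply. The struct ip_addr stand-in and the names ip_parse(), ip_equal(), ip_is_loopback(), secured_by_patch(), secured_fixed() and secured_fixed_text() are assumptions made here. secured_by_patch() reproduces the IPv4 branches of the posted hunk on strings, so the prefix-match problem in Dirk's patch can be seen next to the corrected check.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <string.h>
#include <sys/socket.h>

/* Assumed stand-in for dovecot's struct ip_addr (not the real one):
 * a parsed IPv4 or IPv6 address. */
struct ip_addr {
    int family;                 /* AF_INET or AF_INET6 */
    union {
        struct in_addr  v4;
        struct in6_addr v6;
    } u;
};

/* Parse a textual address; returns false for anything inet_pton rejects. */
static bool ip_parse(const char *text, struct ip_addr *out)
{
    memset(out, 0, sizeof(*out));
    if (inet_pton(AF_INET, text, &out->u.v4) == 1) {
        out->family = AF_INET;
        return true;
    }
    if (inet_pton(AF_INET6, text, &out->u.v6) == 1) {
        out->family = AF_INET6;
        return true;
    }
    return false;
}

/* Exact equality on the binary address: the job net_ip_compare() does
 * in Timo's one-liner. No prefix semantics are possible here. */
static bool ip_equal(const struct ip_addr *a, const struct ip_addr *b)
{
    if (a->family != b->family)
        return false;
    if (a->family == AF_INET)
        return a->u.v4.s_addr == b->u.v4.s_addr;
    return memcmp(&a->u.v6, &b->u.v6, sizeof(a->u.v6)) == 0;
}

/* Loopback test on the binary address, covering the same three cases the
 * original client.c checks with string prefixes: 127.0.0.0/8, ::1 and the
 * IPv4-mapped form ::ffff:127.x.y.z. */
static bool ip_is_loopback(const struct ip_addr *a)
{
    if (a->family == AF_INET)
        return (ntohl(a->u.v4.s_addr) >> 24) == 127;
    if (IN6_IS_ADDR_LOOPBACK(&a->u.v6))
        return true;
    if (IN6_IS_ADDR_V4MAPPED(&a->u.v6))
        return a->u.v6.s6_addr[12] == 127;   /* first octet of the embedded IPv4 */
    return false;
}

/* The IPv4 branches of the posted hunk, on strings, to show the flaw:
 * strncmp over strlen(local_addr) only checks that addr *starts with*
 * local_addr, so "10.0.0.10" passes for a server listening on "10.0.0.1". */
static bool secured_by_patch(bool ssl, const char *addr, const char *local_addr)
{
    return ssl ||
        strncmp(addr, "127.", 4) == 0 ||
        strncmp(addr, local_addr, strlen(local_addr)) == 0;
}

/* Corrected decision: TLS, or a loopback peer, or a peer whose address is
 * exactly the address we accepted the connection on (the jail case). */
static bool secured_fixed(bool ssl, const struct ip_addr *ip,
                          const struct ip_addr *local_ip)
{
    return ssl || ip_is_loopback(ip) || ip_equal(ip, local_ip);
}

/* Convenience wrapper over textual addresses. Unparsable input is never
 * treated as secured: failing closed is the only safe default here. */
static bool secured_fixed_text(bool ssl, const char *addr, const char *local_addr)
{
    struct ip_addr ip, local;
    if (!ip_parse(addr, &ip) || !ip_parse(local_addr, &local))
        return false;
    return secured_fixed(ssl, &ip, &local);
}
```

With a server on 10.0.0.1, secured_by_patch() accepts 10.0.0.10 as local while secured_fixed_text() rejects it; both accept 10.0.0.1 itself, 127.0.0.1, ::1 and ::ffff:127.0.0.1 without TLS. The explicit loopback test is kept beside the equality test on purpose: equality alone (Timo's one-liner) no longer recognises a client on 127.0.0.1 talking to a listener on a different 127.0.0.0/8 address. On jkt's question, POSIX exposes no socket option that reports which interface an accepted TCP connection arrived on, so a portable implementation has to reason from the two addresses: a peer in 127.0.0.0/8 or at ::1 came over loopback, and a peer whose address equals the listening address is on the same host whether or not the packets crossed lo0.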