dovecot - Mar 2008 - Allow_nets + MySQL failing when using range notation

Hello all,

I am testing my dovecot installation in order to restrict access via 
POP3 for IPs outside my network. I have read and understood the 
instructions in the wiki and I have reached a configuration that works 
ONLY when single IPs are listed in allow_nets but not when ranges in the 
notation x.x.x.x/y are listed. Some examples should be more explanatory. 
I am using 1.0.rc15 patched as for last week as distributed in Debian etch.

First of all, everything related to this is stored in a MySQL database, 
here is my password query:

password_query = SELECT u.password as password, t.allow_nets as 
allow_nets FROM users u, access_type t WHERE u.ID_access_type = 
t.ID_access and ( t.%Ls = 1 ) and u.mail = '%u'

This one should validate all mail addresses when the protocol used is 
marked as 1 in table access_type and when the allow_nets value in this 
same table contains the IP used for the access request. The, if 
access_type looks like:

ID_access 	pop3 	imap 	allow_nets
3 	0 	1 	10.34.128.0/23, 10.34.133.0/24, 192.168.0.0/24


users with ID_access=3 fail to login by either pop3 (normal, value is 0) 
or imap. Here is the corresponding excerpt from dovecot.log:

dovecot: 2008-03-31 11:29:04 Info: auth-worker(default): 
sql(user at domain.com,10.34.133.104): query: SELECT u.password as 
password, t.allow_nets as allow_nets FROM users u, access_type t WHERE 
u.ID_access_type = t.ID_access and ( t.imap = 1 ) and u.mail = 
'user at domain.com'
dovecot: 2008-03-31 11:26:39 Info: auth-worker(default): 
auth(user at domain.com,10.34.133.104): allow_nets: Matching for network 
192.168.0.0/24
dovecot: 2008-03-31 11:26:39 Info: auth-worker(default): 
auth(user at domain.com,10.34.133.104): allow_nets: Matching for network 
10.34.128.0/23
dovecot: 2008-03-31 11:26:39 Info: auth-worker(default): 
auth(user at domain.com,10.34.133.104): allow_nets: Matching for network 
10.34.133.0/23
dovecot: 2008-03-31 11:26:39 Info: auth-worker(default): 
passdb(user at domain.com,10.34.133.104): allow_nets check failed: IP not 
in allowed networks

but if it looks like

ID_access 	pop3 	imap 	allow_nets
3 	0 	1 	10.34.133.105, 10.34.133.104


then access is allowed by IMAP

dovecot: 2008-03-31 11:34:01 Info: auth-worker(default): 
sql(user at domain.com,10.34.133.104): query: SELECT u.password as 
password, t.allow_nets as allow_nets FROM users u, access_type t WHERE 
u.ID_access_type = t.ID_access and ( t.imap = 1 ) and u.mail = 
'user at domain.com'
dovecot: 2008-03-31 11:34:01 Info: auth-worker(default): 
auth(user at domain.com,10.34.133.104): allow_nets: Matching for network 
10.34.133.105
dovecot: 2008-03-31 11:34:01 Info: auth-worker(default): 
auth(user at domain.com,10.34.133.104): allow_nets: Matching for network 
10.34.133.104
dovecot: 2008-03-31 11:34:01 Info: auth(default): client out: OK        
1       user=user at domain.com

while POP3 still disallowed as expected:

dovecot: 2008-03-31 11:34:25 Info: auth-worker(default): 
sql(user at domain.com,10.34.133.104): query: SELECT u.password as 
password, t.allow_nets as allow_nets FROM users u, access_type t WHERE 
u.ID_access_type = t.ID_access and ( t.pop3 = 1 ) and u.mail = 
'user at domain.com'
dovecot: 2008-03-31 11:34:25 Info: auth-worker(default): 
sql(user at domain.com,10.34.133.104): unknown user

So, is there a bug related to the IP class notation or am I doing 
something wrong? I have tried to leave a single class (10.34.133.0/24), 
to explicitly erase any spaces after the commas, but nothing of these 
worked. Also, note that using 0.0.0.0/0 behaves as expected, this is, 
access for any IP is allowed.

Thanks in advance,

Javier

On Mon, 2008-03-31 at 12:56 +0200, Javier Garc?a wrote:
> Hello all,
> 
> I am testing my dovecot installation in order to restrict access via 
> POP3 for IPs outside my network. I have read and understood the 
> instructions in the wiki and I have reached a configuration that works 
> ONLY when single IPs are listed in allow_nets but not when ranges in the 
> notation x.x.x.x/y are listed. Some examples should be more explanatory. 
> I am using 1.0.rc15 patched as for last week as distributed in Debian etch.
I don't see any obvious entries in ChangeLog related to this, but it
seems to work correctly in v1.0.13 and v1.1.rc4, so maybe it was just
broken in rc15.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20080425/a9da30e7/attachment-0002.bin>

Hello,

Thanks Timo for the response. I will then ask the Debian package 
maintainers on this specific issue.

Regards,
Javier

Timo Sirainen escribi?:
> On Mon, 2008-03-31 at 12:56 +0200, Javier Garc?a wrote:
>   
>> Hello all,
>>
>> I am testing my dovecot installation in order to restrict access via 
>> POP3 for IPs outside my network. I have read and understood the 
>> instructions in the wiki and I have reached a configuration that works 
>> ONLY when single IPs are listed in allow_nets but not when ranges in
the
>> notation x.x.x.x/y are listed. Some examples should be more
explanatory.
>> I am using 1.0.rc15 patched as for last week as distributed in Debian
etch.
>>     
>
> I don't see any obvious entries in ChangeLog related to this, but it
> seems to work correctly in v1.0.13 and v1.1.rc4, so maybe it was just
> broken in rc15.
>
>