Javier García
2008-Mar-31 10:56 UTC
[Dovecot] Allow_nets + MySQL failing when using range notation
Hello all,

I am testing my dovecot installation in order to restrict access via POP3 for IPs outside my network. I have read and understood the instructions in the wiki and I have reached a configuration that works ONLY when single IPs are listed in allow_nets but not when ranges in the notation x.x.x.x/y are listed. Some examples should be more explanatory. I am using 1.0.rc15 patched as of last week as distributed in Debian etch.

First of all, everything related to this is stored in a MySQL database; here is my password query:

    password_query = SELECT u.password as password, t.allow_nets as allow_nets FROM users u, access_type t WHERE u.ID_access_type = t.ID_access and ( t.%Ls = 1 ) and u.mail = '%u'

This one should validate all mail addresses when the protocol used is marked as 1 in table access_type and when the allow_nets value in this same table contains the IP used for the access request. Then, if access_type looks like:

    ID_access  pop3  imap  allow_nets
    3          0     1     10.34.128.0/23, 10.34.133.0/24, 192.168.0.0/24

users with ID_access=3 fail to login by either pop3 (normal, value is 0) or imap. Here is the corresponding excerpt from dovecot.log:

    dovecot: 2008-03-31 11:29:04 Info: auth-worker(default): sql(user at domain.com,10.34.133.104): query: SELECT u.password as password, t.allow_nets as allow_nets FROM users u, access_type t WHERE u.ID_access_type = t.ID_access and ( t.imap = 1 ) and u.mail = 'user at domain.com'
    dovecot: 2008-03-31 11:26:39 Info: auth-worker(default): auth(user at domain.com,10.34.133.104): allow_nets: Matching for network 192.168.0.0/24
    dovecot: 2008-03-31 11:26:39 Info: auth-worker(default): auth(user at domain.com,10.34.133.104): allow_nets: Matching for network 10.34.128.0/23
    dovecot: 2008-03-31 11:26:39 Info: auth-worker(default): auth(user at domain.com,10.34.133.104): allow_nets: Matching for network 10.34.133.0/23
    dovecot: 2008-03-31 11:26:39 Info: auth-worker(default): passdb(user at domain.com,10.34.133.104): allow_nets check failed: IP not in allowed networks

but if it looks like:

    ID_access  pop3  imap  allow_nets
    3          0     1     10.34.133.105, 10.34.133.104

then access is allowed by IMAP:

    dovecot: 2008-03-31 11:34:01 Info: auth-worker(default): sql(user at domain.com,10.34.133.104): query: SELECT u.password as password, t.allow_nets as allow_nets FROM users u, access_type t WHERE u.ID_access_type = t.ID_access and ( t.imap = 1 ) and u.mail = 'user at domain.com'
    dovecot: 2008-03-31 11:34:01 Info: auth-worker(default): auth(user at domain.com,10.34.133.104): allow_nets: Matching for network 10.34.133.105
    dovecot: 2008-03-31 11:34:01 Info: auth-worker(default): auth(user at domain.com,10.34.133.104): allow_nets: Matching for network 10.34.133.104
    dovecot: 2008-03-31 11:34:01 Info: auth(default): client out: OK 1 user=user at domain.com

while POP3 is still disallowed as expected:

    dovecot: 2008-03-31 11:34:25 Info: auth-worker(default): sql(user at domain.com,10.34.133.104): query: SELECT u.password as password, t.allow_nets as allow_nets FROM users u, access_type t WHERE u.ID_access_type = t.ID_access and ( t.pop3 = 1 ) and u.mail = 'user at domain.com'
    dovecot: 2008-03-31 11:34:25 Info: auth-worker(default): sql(user at domain.com,10.34.133.104): unknown user

So, is there a bug related to the IP class notation or am I doing something wrong? I have tried to leave a single class (10.34.133.0/24) and to explicitly erase any spaces after the commas, but none of these worked. Also, note that using 0.0.0.0/0 behaves as expected, that is, access for any IP is allowed.

Thanks in advance,
Javier
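As an added illustration (example code, not Dovecot's own allow_nets implementation), the following Python checker models the semantics the wiki describes for the allow_nets extra field: a comma-separated list of single hosts and x.x.x.x/y networks, whitespace tolerated, where the client IP must fall inside at least one entry. It runs the thread's two sample rows against the client address 10.34.133.104 from the log, and, as this example's own choice, rejects entries with host bits set such as the 10.34.133.0/23 that the log reports, so a malformed value in the access_type table is surfaced instead of silently denying or widening access.

```python
import ipaddress

# Constructed sample values copied from the thread: the allow_nets cell of
# access_type row 3 (both variants) and the client address from dovecot.log.
ALLOW_NETS_RANGES = "10.34.128.0/23, 10.34.133.0/24, 192.168.0.0/24"
ALLOW_NETS_HOSTS = "10.34.133.105, 10.34.133.104"
CLIENT_IP = "10.34.133.104"


def parse_allow_nets(value):
    """Parse a comma-separated allow_nets string into IP networks.

    A bare address becomes a /32 (or /128) host network; a CIDR entry is
    taken as written. Entries with host bits set (e.g. 10.34.133.0/23) are
    reported as errors rather than silently rewritten to the base network,
    which is this example's policy, not Dovecot's. Returns (networks, errors).
    """
    networks, errors = [], []
    for raw in value.split(","):
        entry = raw.strip()          # tolerate "a, b" as well as "a,b"
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            errors.append((entry, str(exc)))
    return networks, errors


def first_matching_net(client_ip, value):
    """Return the first allow_nets entry containing client_ip, or None."""
    addr = ipaddress.ip_address(client_ip)
    networks, _ = parse_allow_nets(value)
    for net in networks:
        if addr.version == net.version and addr in net:
            return net
    return None


def allow_nets_permits(client_ip, value):
    """True when the client address falls inside at least one entry."""
    return first_matching_net(client_ip, value) is not None


if __name__ == "__main__":
    for label, value in (("ranges", ALLOW_NETS_RANGES), ("hosts", ALLOW_NETS_HOSTS)):
        net = first_matching_net(CLIENT_IP, value)
        print(f"{label}: {CLIENT_IP} -> {'allowed via ' + str(net) if net else 'denied'}")
    # The log line shows 10.34.133.0/23, which has host bits set; flag it.
    print("validation errors:", parse_allow_nets("10.34.133.0/23")[1])
```

Running the two sample rows shows that a correct matcher admits 10.34.133.104 via 10.34.133.0/24 in the range form as well as via the host entry, which is the behaviour the poster expected but did not observe on rc15.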
Timo Sirainen
2008-Apr-24 23:23 UTC
[Dovecot] Allow_nets + MySQL failing when using range notation
On Mon, 2008-03-31 at 12:56 +0200, Javier García wrote:
> Hello all,
>
> I am testing my dovecot installation in order to restrict access via
> POP3 for IPs outside my network. I have read and understood the
> instructions in the wiki and I have reached a configuration that works
> ONLY when single IPs are listed in allow_nets but not when ranges in the
> notation x.x.x.x/y are listed. Some examples should be more explanatory.
> I am using 1.0.rc15 patched as for last week as distributed in Debian etch.

I don't see any obvious entries in ChangeLog related to this, but it seems to work correctly in v1.0.13 and v1.1.rc4, so maybe it was just broken in rc15.
Javier García
2008-Apr-25 12:06 UTC
[Dovecot] Allow_nets + MySQL failing when using range notation
Hello,

Thanks Timo for the response. I will then ask the Debian package maintainers on this specific issue.

Regards,
Javier

Timo Sirainen escribió:
> On Mon, 2008-03-31 at 12:56 +0200, Javier García wrote:
>
>> Hello all,
>>
>> I am testing my dovecot installation in order to restrict access via
>> POP3 for IPs outside my network. I have read and understood the
>> instructions in the wiki and I have reached a configuration that works
>> ONLY when single IPs are listed in allow_nets but not when ranges in the
>> notation x.x.x.x/y are listed. Some examples should be more explanatory.
>> I am using 1.0.rc15 patched as for last week as distributed in Debian etch.
>>
>
> I don't see any obvious entries in ChangeLog related to this, but it
> seems to work correctly in v1.0.13 and v1.1.rc4, so maybe it was just
> broken in rc15.
>
>