Dave McGuire
2008-Apr-07 16:20 UTC
[Dovecot] feature request: deny IP address via database
Hey folks. One feature I'd really like to see in dovecot is the ability to point it at a database (with a configurable query) and have it allow or deny a connection based on looking up the source IP address in that database.

I run Postfix, and I've got it configured to use a database server for its smtpd_client_restrictions checks. Ideally I'd like to point dovecot at the same database table. I have external tools that maintain that table.

I was thinking of writing it myself, but I'm running 1.0.10; I'd assume that any such modifications would need to be rewritten for 1.1. Then I got to thinking that such functionality would likely be useful to people other than just me, so..

Thoughts?

-Dave

--
Dave McGuire
Port Charlotte, FL
At 12:20 PM -0400 4/7/08, Dave McGuire wrote:
> Hey folks. One feature I'd really like to see in dovecot is the
> ability to point it at a database (with a configurable query) and
> have it allow or deny a connection based on looking up the source IP
> address in that database.
>
> I run Postfix, and I've got it configured to use a database server
> for its smtpd_client_restrictions checks. Ideally I'd like to point
> dovecot at the same database table. I have external tools that
> maintain that table.
>
> I was thinking of writing it myself, but I'm running 1.0.10; I'd
> assume that any such modifications would need to be rewritten for
> 1.1. Then I got to thinking that such functionality would likely be
> useful to people other than just me, so..
>
> Thoughts?

Is there any reason to do this at the application layer rather than the network layer for Dovecot?

Note that using smtpd_client_restrictions in Postfix *does not* make it deny connections, it just makes it reject mail that is offered on connections. It seems to me that for SMTP it is fairly normal to have IP space that you'd want to reject mail from conditionally, such as depending on whether/how the client authenticates or to allow mail to standard role accounts. That sort of conditionality that is only possible at the application layer makes an argument for smtpd_client_restrictions in Postfix in some cases rather than blocking at the network layer (i.e. a packet filter on the host or an external firewall.) I don't see the same sort of cases for IMAP or POP where you'd want to share a list of not-quite-totally-evil IP addresses with Postfix or anything else, rather than just barring access completely.

It is possible to restrict specific users to login via specific networks by using a custom PAM module, the allow_nets extra authentication field, or a custom checkpassword script.

You also *might* be able to build a SQL query string using the %r variable and some sort of conditional logic so that authentication from 'bad' IP's fails.

--
Bill Cole
bill at scconsult.com
Javier García
2008-Apr-08 08:03 UTC
[Dovecot] feature request: deny IP address via database
Written by Bill Cole on Apr 7, 2008, at 4:58 PM:
>> Hey folks. One feature I'd really like to see in dovecot is the
>> ability to point it at a database (with a configurable query) and
>> have it allow or deny a connection based on looking up the source
>> IP address in that database.

... much stuff discarded.

I understand that the behaviour requested is similar to that of allow_nets (http://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets) but modified to explicitly deny some IPs (individually or in range form). If so, probably some of the work should already be done. Sorry, I do not have enough programming ability to face this.

Incidentally, I would like to note that I opened a thread a few days ago regarding allow_nets and database (Bill's request needs to make use of an external database too) because I am not able to make allow_nets work properly when using an external DB *and IP ranges*. Maybe Bill would like to block single IPs, so this bug? would not apply to his case if an extension or adaptation of allow_nets is done.

(My request, in case someone out there is curious: "Allow_nets + MySQL failing when using range notation")

Regards,
Javier
Timo Sirainen
2008-Apr-08 08:06 UTC
[Dovecot] feature request: deny IP address via database
On Mon, 2008-04-07 at 12:20 -0400, Dave McGuire wrote:
> Hey folks. One feature I'd really like to see in dovecot is the
> ability to point it at a database (with a configurable query) and
> have it allow or deny a connection based on looking up the source IP
> address in that database.

passdb sql {
  args = dovecot-sql-deny.conf
  deny = yes
}

Where the dovecot-sql-deny.conf has something like:

password_query = select 1 from deny_ips where ip = '%r'
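The two query styles discussed in this thread, worked through against constructed sample data, as an added example that is not part of any message above. The deny_ips table and the %r (client IP) variable come from Timo's reply; the users table, its columns and the %u (username) variable are assumptions for illustrating Bill's single-query variant.

```sql
-- Constructed sample data, not from the thread: a deny table that an external
-- tool maintains (as Dave describes for Postfix), plus an assumed credential
-- table. Plain SQL; runs as-is on MySQL, PostgreSQL or SQLite.

CREATE TABLE deny_ips (
    ip     VARCHAR(45) NOT NULL PRIMARY KEY,  -- IPv4/IPv6 as text, exact match only
    reason VARCHAR(255)
);
CREATE TABLE users (                          -- assumed table for approach 2
    userid   VARCHAR(255) NOT NULL PRIMARY KEY,
    password VARCHAR(255) NOT NULL
);

INSERT INTO deny_ips (ip, reason)
    VALUES ('192.0.2.10', 'constructed sample: repeated failed logins');
INSERT INTO users (userid, password)
    VALUES ('alice', '{PLAIN}constructed-sample-password');

-- 1. Timo's approach: a separate passdb with deny = yes, listed before the
--    real passdb. Dovecot substitutes the client IP for %r; any row returned
--    means "deny", for every user coming from that address.
--      password_query = select 1 from deny_ips where ip = '%r'
--    Exercised here with literals standing in for %r:
SELECT 1 FROM deny_ips WHERE ip = '192.0.2.10';    -- 1 row  -> login denied
SELECT 1 FROM deny_ips WHERE ip = '198.51.100.7';  -- 0 rows -> real passdb is consulted

-- 2. Bill's approach: fold the lookup into the normal password_query so a
--    listed address simply yields no credential row. To the client this looks
--    like an unknown user or wrong password, so it discloses nothing about
--    the deny list.
--      password_query = SELECT password FROM users WHERE userid = '%u'
--                       AND NOT EXISTS (SELECT 1 FROM deny_ips WHERE ip = '%r')
SELECT password FROM users
 WHERE userid = 'alice'
   AND NOT EXISTS (SELECT 1 FROM deny_ips WHERE ip = '192.0.2.10');   -- 0 rows -> auth fails
SELECT password FROM users
 WHERE userid = 'alice'
   AND NOT EXISTS (SELECT 1 FROM deny_ips WHERE ip = '198.51.100.7'); -- 1 row  -> normal auth

-- Caveat relevant to Javier's point: an exact-match text column cannot express
-- CIDR ranges; a range list needs a numeric address/mask representation and a
-- different WHERE clause.
```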