Hi,

For the upcoming 2.3 development, I'd like to re-suggest this:

It seems the use of login_trusted_networks is overloaded.

Example:
* It's used for indicating which hosts you trust to provide XCLIENT remote IPs. (like a proxy)
* It's used for indicating from which hosts you trust logins enough to disable auth penalty. (like in a webmail)

Often these two use cases have a different set of hosts.

So you can't have one set of hosts which you trust for XCLIENT and another set of hosts you trust for not being the origin of brute force attacks.

/Peter
On 27 Jun 2016, at 15:46, Peter Mogensen <apm at one.com> wrote:
>
> Hi,
>
> For the upcoming 2.3 development, I'd like to re-suggest this:
>
> It seems the use of login_trusted_networks is overloaded.
>
> Example:
> * It's used for indicating which hosts you trust to provide XCLIENT remote IPs. (like a proxy)
> * It's used for indicating from which hosts you trust logins enough to disable auth penalty. (like in a webmail)
>
> Often these two use cases have a different set of hosts.
>
> So you can't have one set of hosts which you trust for XCLIENT and another set of hosts you trust for not being the origin of brute force attacks.

Hmm. I guess it's possible nowadays to remove that. The old behavior could still be configured by adding a passdb that enables nodelay=yes for the webmail's IP. For example:

passdb {
  driver = passwd-file
  args = username_format=%{lip} /etc/dovecot/passdb
}

127.0.0.1:::::::nodelay=yes

So I'm thinking v2.3 could no longer send the no-penalty parameter at all based on login_trusted_networks.

Also related: Dovecot's auth penalty support isn't especially good. There's now support for http://wiki2.dovecot.org/Authentication/Policy that can talk to https://github.com/PowerDNS/weakforced to provide much better possibilities for implementing auth penalty rules and especially cluster-wide.
> On 29 Jun 2016, at 00:49, Timo Sirainen <tss at iki.fi> wrote:
>
> On 27 Jun 2016, at 15:46, Peter Mogensen <apm at one.com> wrote:
>>
>> Hi,
>>
>> For the upcoming 2.3 development, I'd like to re-suggest this:
>>
>> It seems the use of login_trusted_networks is overloaded.
>>
>> Example:
>> * It's used for indicating which hosts you trust to provide XCLIENT remote IPs. (like a proxy)
>> * It's used for indicating from which hosts you trust logins enough to disable auth penalty. (like in a webmail)
>>
>> Often these two use cases have a different set of hosts.
>>
>> So you can't have one set of hosts which you trust for XCLIENT and another set of hosts you trust for not being the origin of brute force attacks.
>
> Hmm. I guess it's possible nowadays to remove that. The old behavior could still be configured by adding a passdb that enables nodelay=yes for the webmail's IP. For example:
>
> passdb {
>   driver = passwd-file
>   args = username_format=%{lip} /etc/dovecot/passdb

%{rip} I meant.

> }
>
> 127.0.0.1:::::::nodelay=yes

So this could be e.g. 192.168.10.123 or something.

> So I'm thinking v2.3 could no longer send the no-penalty parameter at all based on login_trusted_networks.
>
> Also related: Dovecot's auth penalty support isn't especially good. There's now support for http://wiki2.dovecot.org/Authentication/Policy that can talk to https://github.com/PowerDNS/weakforced to provide much better possibilities for implementing auth penalty rules and especially cluster-wide.