> > You are running some kind of proxy in front of it.

No proxy. Just sendmail with users using emacs/Rmail or Webmail/Squirrelmail.

> If you want it to show real client IP, you need to enable forwarding of
> said data. With dovecot it's done by setting
>
> login_trusted_networks = your-upstream-host-or-net
>
> in backend config file.

OK I changed it and restarted wforce and dovecot. Still seeing this:
Apr 12 14:38:55 auth: Debug: policy(ouruser,127.0.0.1,<6GFTnVmGcMN/AAAB>): Policy server request JSON: {"device_id":"","login":" ouruser","protocol":"imap","pwhash":"43","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false}

> For webmails, this requires both login_trusted_networks and also support
> from the webmail software to forward client IP.

I did get a reply from the Squirrelmail list:
"Well, I've had code sitting around for a while that implements RFC2971 (ID command), so I just committed it. You can use it for this purpose by putting something like this into your config/config_local.php
$imap_id_command_args = array('remote-host' => '###REMOTE ADDRESS###');"

Which I also added previously. But that doesn't address emacs/RMail users.

Could there be a setting in sendmail.mc/cf file that I'm missing?

> On 12 April 2019 21:45 Robert Kudyba via dovecot <dovecot at dovecot.org> wrote:
>
> > > You are running some kind of proxy in front of it.
>
> No proxy. Just sendmail with users using emacs/Rmail or Webmail/Squirrelmail.
>
> > If you want it to show real client IP, you need to enable forwarding of said data. With dovecot it's done by setting
> >
> > login_trusted_networks = your-upstream-host-or-net
> >
> > in backend config file.
>
> OK I changed it and restarted wforce and dovecot. Still seeing this:
> Apr 12 14:38:55 auth: Debug: policy(ouruser,127.0.0.1,<6GFTnVmGcMN/AAAB>): Policy server request JSON: {"device_id":"","login":" ouruser","protocol":"imap","pwhash":"43","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false}
>
> > For webmails, this requires both login_trusted_networks and also support from the webmail software to forward client IP.
>
> I did get a reply from the Squirrelmail list:
> "Well, I've had code sitting around for a while that implements RFC2971 (ID command), so I just committed it. You can use it for this purpose by putting something like this into your config/config_local.php
> $imap_id_command_args = array('remote-host' => '###REMOTE ADDRESS###');"
>
> Which I also added previously. But that doesn't address emacs/RMail users.
>
> Could there be a setting in sendmail.mc/cf (http://sendmail.mc/cf) file that I'm missing?

Can you verify following?

doveconf auth_policy_request_attributes
auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s

On some versions remote is mistakenly %{real_rip} which expands into where the connection came from instead of client IP.

If it's wrong just feel free to copypaste the setting above into dovecot config.

Aki

> > On 12 April 2019 21:45 Robert Kudyba via dovecot <dovecot at dovecot.org> wrote:
> >
> > > > You are running some kind of proxy in front of it.
> >
> > No proxy. Just sendmail with users using emacs/Rmail or Webmail/Squirrelmail.
> >
> > > If you want it to show real client IP, you need to enable forwarding of said data. With dovecot it's done by setting
> > >
> > > login_trusted_networks = your-upstream-host-or-net
> > >
> > > in backend config file.
> >
> > OK I changed it and restarted wforce and dovecot. Still seeing this:
> > Apr 12 14:38:55 auth: Debug: policy(ouruser,127.0.0.1,<6GFTnVmGcMN/AAAB>): Policy server request JSON: {"device_id":"","login":" ouruser","protocol":"imap","pwhash":"43","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false}
> >
> > > For webmails, this requires both login_trusted_networks and also support from the webmail software to forward client IP.
> >
> > I did get a reply from the Squirrelmail list:
> > "Well, I've had code sitting around for a while that implements RFC2971 (ID command), so I just committed it. You can use it for this purpose by putting something like this into your config/config_local.php
> > $imap_id_command_args = array('remote-host' => '###REMOTE ADDRESS###');"
> >
> > Which I also added previously. But that doesn't address emacs/RMail users.
> >
> > Could there be a setting in sendmail.mc/cf (http://sendmail.mc/cf) file that I'm missing?
>
> Can you verify following?
>
> doveconf auth_policy_request_attributes
>
> auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
>
> On some versions remote is mistakenly %{real_rip} which expands into where the connection came from instead of client IP.
>
> If it's wrong just feel free to copypaste the setting above into dovecot config.

Verified. I believe you told me that on the other thread and I made that change a while back.
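An added example, not part of the thread or of Dovecot/wforce: a Python check that reads auth debug lines of the form quoted above and reports which policy requests carry a loopback or trusted-network `remote`, meaning the policy server is not being given the real client IP. The sample log lines and the `TRUSTED_NETS` values are constructed for illustration; set `TRUSTED_NETS` to match your own `login_trusted_networks`.

```python
import ipaddress
import json
from collections import Counter

MARKER = "Policy server request JSON: "

# Assumption: mirrors login_trusted_networks (constructed values).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "10.0.0.0/24")]

# Constructed sample lines, modelled on the debug line quoted in the thread.
PREFIX = "Apr 12 14:38:55 auth: Debug: policy(u,ip,<sid>): " + MARKER
SAMPLE_LOG = [
    PREFIX + '{"device_id":"","login":" ouruser","protocol":"imap","pwhash":"43",'
             '"remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false}',
    PREFIX + '{"device_id":"","login":"alice","protocol":"imap","pwhash":"7f",'
             '"remote":"198.51.100.7","success":true,"policy_reject":false,"tls":true}',
    "Apr 12 14:39:01 auth: Debug: client in: AUTH 1 PLAIN service=imap",
    PREFIX + '{"device_id":"","login":"bob","protocol":"imap","remote":"10.0',  # truncated
]

def classify(remote):
    """'not-forwarded' if remote is a loopback/trusted address, else 'forwarded'."""
    try:
        addr = ipaddress.ip_address(remote)
    except ValueError:
        return "unparseable"
    if any(addr in net for net in TRUSTED_NETS):
        return "not-forwarded"
    return "forwarded"

def audit(lines):
    """Extract each policy request and classify its 'remote' field."""
    findings = []
    for line in lines:
        _, found, body = line.partition(MARKER)
        if not found:
            continue  # not a policy request line
        try:
            req = json.loads(body)
        except json.JSONDecodeError:
            req = {}  # truncated or wrapped line: report it, do not drop it
        findings.append({
            "login": str(req.get("login", "")).strip(),  # tolerate wrap artifacts
            "protocol": req.get("protocol"),
            "remote": req.get("remote"),
            "verdict": classify(req.get("remote", "")),
        })
    return findings

def summarize(findings):
    """Count verdicts per protocol, e.g. ('imap', 'not-forwarded')."""
    return Counter((f["protocol"], f["verdict"]) for f in findings)
```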