[imp] pass client ip during authentication

Systeembeheer BCS adje at bezoekerscentrumsonsbeek.nl
Thu Sep 25 11:44:09 UTC 2014


Quoting Arjen de Korte <arjen+horde at de-korte.org>:

> Quoting Systeembeheer BCS <adje at bezoekerscentrumsonsbeek.nl>:
>
>> Quoting Arjen de Korte <arjen+horde at de-korte.org>:
>>
>>> Quoting Systeembeheer BCS <adje at bezoekerscentrumsonsbeek.nl>:
>>>
>>>> Using imp for authentication with dovecot IMAP, working fine. But now I
>>>> would like to make use of dovecot's allow_nets feature to restrict
>>>> logins from certain IPs. To make that work, imp should pass the
>>>> client's IP (as seen by apache) to dovecot during authentication, but
>>>> instead it passes 127.0.0.1 for both lip and rip. Any way to change
>>>> this?
>>>
>>> No. Horde doesn't pass the connecting IP to Dovecot. This is determined
>>> by Dovecot itself, by looking at the local and remote IP for the socket
>>> that is used for communication.
>>
>> Ah, thanks. Looks like I have to switch to another auth mechanism  
>> instead to get this working.
>
> What are you trying to accomplish? Do you want to restrict the IPs
> from where your users can connect to Horde? In that case, a
> .htaccess file placed in the directory where Horde lives may be what
> you're looking for:


Not exactly. What I am trying to achieve is that while all accounts should
be accessible from machines within our LAN IP range, only some
accounts should be able to log in from the outside world as well
(coming from IPs outside our LAN range). So I need to restrict access
to accounts based upon an IP range. Dovecot's allow_nets feature would
do just that, but because all imp logins come from localhost instead of
from the client IP, I cannot use it.

>
> # ALLOW USER BY IP
> <Limit GET POST>
>  order deny,allow
>  deny from all
>  allow from 192.168.4.0/24
> </Limit>
>
> This will allow everyone from the 192.168.4.0/24 network access and  
> denies all others.
>
> -- 
> This message was sent from a mailinglist subscription address.
> For off-list replies, you must remove the address extension.
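
The situation discussed in this thread, as an added example that is not part of the original messages and is not Dovecot's own code: a simplified model of allow_nets matching that shows why per-account restrictions stop working once every webmail login arrives from 127.0.0.1. The account names are hypothetical, the LAN range is the one from the .htaccess snippet above, and 203.0.113.9 is a constructed outside address.

```python
import ipaddress

LAN = "192.168.4.0/24"  # range taken from the .htaccess snippet in the thread

# Constructed sample data: allow_nets per account, as a comma-separated list.
# None models an account with no allow_nets set (no IP restriction).
ALLOW_NETS = {
    "lanonly": LAN,    # hypothetical account that must stay inside the LAN
    "roaming": None,   # hypothetical account allowed from the outside world
}


def login_allowed(user, rip, allow_nets=ALLOW_NETS):
    """Simplified allow_nets check: rip must fall inside one listed network."""
    nets = allow_nets[user]
    if nets is None:
        return True
    addr = ipaddress.ip_address(rip)
    return any(addr in ipaddress.ip_network(n.strip(), strict=False)
               for n in nets.split(","))


def rip_seen_by_dovecot(client_ip, via_webmail):
    """Direct IMAP: the server sees the client address. Webmail on the same
    host: it sees the socket peer, 127.0.0.1, whatever the browser's IP is."""
    return "127.0.0.1" if via_webmail else client_ip


def demo():
    """Return the outcome for each case the thread is concerned with."""
    inside, outside = "192.168.4.20", "203.0.113.9"  # constructed addresses
    # Workaround some admins try: add loopback to the restricted account.
    with_loopback = dict(ALLOW_NETS, lanonly=LAN + ",127.0.0.1")
    return {
        "direct_lan": login_allowed("lanonly", rip_seen_by_dovecot(inside, False)),
        "direct_outside": login_allowed("lanonly", rip_seen_by_dovecot(outside, False)),
        # LAN user is locked out of webmail: rip is 127.0.0.1, not in LAN.
        "webmail_lan": login_allowed("lanonly", rip_seen_by_dovecot(inside, True)),
        # Adding loopback lets the restricted account in from anywhere.
        "webmail_outside_loopback": login_allowed(
            "lanonly", rip_seen_by_dovecot(outside, True), with_loopback),
        "roaming_outside": login_allowed("roaming", rip_seen_by_dovecot(outside, True)),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:26} {'allow' if allowed else 'deny'}")
```

Neither variant enforces the intended policy through webmail: without loopback in allow_nets the restricted account is denied even from the LAN, and with it the account is reachable from any address.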
