Hi everyone, I'd like to gather some thoughts on the following issue.
*Problem*
By default, roundcube login attempts (imap, smtp) are forwarded to dovecot/postfix without the original client IP that makes the request (possibly true of other webmail software).
This can't benefit from IP-based policies such as dovecot's auth policy <https://doc.dovecot.org/configuration_manual/authentication/auth_policy/>: dovecot/postfix are always going to see localhost, internal reverse proxies, or roundcube's IP address.
*Possible future solution*
There is a long-standing open issue <https://github.com/roundcube/roundcubemail/issues/5334> at roundcube to add /proxy protocol/ support.
This would make dovecot and postfix aware of requesting client IPs. Unfortunately, it doesn't seem like it's going to be merged soon.
*Alternative*
There is an existing roundcube plugin <https://gitlab.com/takerukoushirou/roundcube-dovecot_client_ip> that adds client IPs to IMAP login attempts made to dovecot (which I've patched <https://gitlab.com/takerukoushirou/roundcube-dovecot_client_ip/-/merge_requests/1> yesterday to send the client IP on the first IMAP login too).
I've also asked <https://github.com/roundcube/roundcubemail/issues/5334#issuecomment-1001530775> the roundcube community whether this would suffice; that is, if roundcube doesn't have an /unauthenticated/ endpoint for making SMTP login attempts (thus blocking IPs for IMAP could be enough).
*Ideas welcome*
Do you use webmails; if so, is this an issue for you as well? Did you find a way to fix or work around it? Do you feel like I'm on the right path here, or lost in a dangerous spacetime?
Thanks a lot in advance, Nico
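The following is an added example, not part of Nico's post or of the roundcube plugin. It is a minimal Dovecot-style auth policy decision function (the kind of logic that sits behind auth_policy_server_url) with a per-remote-IP failure counter, replayed over constructed login attempts. It assumes the request attributes Dovecot sends by default (login, remote, protocol, plus a boolean success in the post-auth report) and the documented response shape {"status": N, "msg": ...} where 0 allows, -1 rejects and a positive value tarpits; the IP addresses, usernames and thresholds are made up. It shows the concrete consequence of the problem above: when every webmail login arrives with remote=127.0.0.1, one attacker's failures lock out every other webmail user, while with the real client IP forwarded (as the plugin does via the IMAP ID command) only the offending address is blocked.

```python
import json
import time
from collections import defaultdict

# Constructed policy thresholds (assumptions for this example).
MAX_FAILURES = 5        # failures per remote IP before rejecting
WINDOW_SECONDS = 600    # sliding window for counting failures


class PolicyState:
    """In-memory failure log keyed by the 'remote' attribute Dovecot reports."""

    def __init__(self):
        self.failures = defaultdict(list)  # remote IP -> failure timestamps


def report(state, request, now):
    """Record the outcome of one authentication attempt.

    Dovecot's post-auth report carries 'success'; only failures are counted here.
    """
    if not request.get("success", False):
        state.failures[request.get("remote", "")].append(now)


def evaluate(state, request, now):
    """Return the policy response for a pre-auth check on 'request'."""
    remote = request.get("remote", "")
    # Drop failures that fell out of the sliding window.
    recent = [t for t in state.failures[remote] if now - t < WINDOW_SECONDS]
    state.failures[remote] = recent
    if len(recent) >= MAX_FAILURES:
        return {"status": -1, "msg": f"too many failed logins from {remote}"}
    return {"status": 0, "msg": ""}


def handle_request(state, body, now=None):
    """Parse one JSON policy request (as POSTed by Dovecot) and dispatch it.

    A request containing 'success' is treated as a post-auth report, anything
    else as a pre-auth check; returns the JSON response body as a string.
    """
    now = time.time() if now is None else now
    request = json.loads(body)
    if "success" in request:
        report(state, request, now)
        return json.dumps({"status": 0, "msg": ""})
    return json.dumps(evaluate(state, request, now))


def simulate(client_ip_forwarded):
    """Replay constructed attempts and return the decisions for two users.

    client_ip_forwarded=False models an unpatched webmail: every request reaches
    Dovecot with remote=127.0.0.1. True models the client IP being forwarded.
    """
    state = PolicyState()
    now = 1_700_000_000.0  # fixed clock so the run is deterministic
    attacker_ip = "203.0.113.10" if client_ip_forwarded else "127.0.0.1"
    alice_ip = "198.51.100.20" if client_ip_forwarded else "127.0.0.1"

    # Five failed guesses against bob's account from the attacker's address.
    for i in range(MAX_FAILURES):
        body = json.dumps({"login": "bob", "remote": attacker_ip,
                           "protocol": "imap", "success": False})
        handle_request(state, body, now + i)

    # Pre-auth checks: the attacker tries again, and alice logs in normally.
    attacker = json.loads(handle_request(state, json.dumps(
        {"login": "bob", "remote": attacker_ip, "protocol": "imap"}), now + 10))
    alice = json.loads(handle_request(state, json.dumps(
        {"login": "alice", "remote": alice_ip, "protocol": "imap"}), now + 11))
    return {"attacker": attacker["status"], "alice": alice["status"]}


if __name__ == "__main__":
    print("without forwarded client IP:", simulate(False))
    print("with forwarded client IP:   ", simulate(True))
```

With the unpatched webmail both results are -1: alice is rejected because the policy cannot tell her apart from the attacker. With the client IP forwarded, the attacker's address gets -1 and alice gets 0. Note that Dovecot only honours an IP supplied through the IMAP ID command when the sending host (here, the webmail server) is listed in login_trusted_networks, so that setting has to accompany the plugin approach.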
_______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop