On Saturday, June 28, 2008 12:30 PM Sam Varshavchik wrote:

Thank you for such a speedy, informative and conclusive reply even if it
wasn't what I wanted to hear!

BTW, your reply came through as a text file attachment rather than plain
text in the body of the email.

>> i.e. All I really want to be able to do is add a client ip address field
>> to the postfix_users MySQL table that if completed will only allow
>> that user id/password to connect from the stated client ip address.
> The authentication library has no knowledge of the client's IP address.
> authdaemond runs as a separate process, and receives only the login ID
> and the password, for validation purposes.
>

>> I am sure I can't be the first person with this requirement but I have
> Yes, you're probably the third or the fourth, over the last ~4 years. This
> is a somewhat rare, and specialized, requirement.
>
Right, OK.  Ummm, then maybe I am suggesting an unusual approach to
addressing what I am sure has to be a fairly common security concern?  My
aim is to prevent employees, unless specifically authorised, from connecting
on their home PC to our publicly accessible mail server using the user id
and password on their office PC.  Surely this can't be a "third or fourth
person, over the last ~4 years requirement"?  Maybe there is a better way of
achieving the same aim without involving the client IP?

>> searched everywhere for a possible implementation and can't find anything
>> so will be really grateful if anyone out there can tell me how.  Thanks
> The only way to do this right now is to have a wrapper for the imapd and
> the pop3d process that checks the environment variables, before invoking
> imapd.
> By this time, the userid and the password have been validated, but the
> response has not been sent, so the wrapper can check the IP address, and
> abort if necessary.
>
I understand the concept but wrappers are beyond my technical expertise.  I
don't suppose you are aware of any tutorial on the internet which would
explain how to create such a wrapper?  Or is there anyone out there who has
written such a wrapper?

Also, the wrapper would also need access to the IMAP user id just validated
as I would still want to allow access from *any* IP address to certain user
ids.

Could it be that people with my requirement are using a different
authentication layer?  Is it just the Courier authdaemond that is unaware of
the IP address?  Is there another common authentication layer that I could
use instead that would allow me to test the client IP in conjunction with
user id & password?

Thank you for your help. 



_______________________________________________
Courier-imap mailing list
[email protected]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap
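
The wrapper approach described in the quoted reply, sketched as an added example; it is not part of the original message and is not Courier's own code. It assumes the validated login ID is passed in `AUTHENTICATED` and the client address in `TCPREMOTEIP`, and that the wrapper is placed in front of imapd so that `"$@"` is the original imapd command; the ACL file, its default path and the `IMAP_IP_ACL` variable are hypothetical.

```shell
#!/bin/sh
# Added example: post-login client-IP check that runs before imapd starts.
# Assumptions: AUTHENTICATED = validated login ID, TCPREMOTEIP = client address.
# Hypothetical ACL file: one "login-id allowed-ip" pair per line, '#' = comment.
# A login ID with no entry may connect from anywhere; a login ID with one or
# more entries may connect only from the listed addresses.

normalize_ip() {
    # Strip the IPv4-mapped IPv6 prefix so ::ffff:192.0.2.10 matches 192.0.2.10.
    printf '%s\n' "${1#::ffff:}"
}

ip_allowed() {  # usage: ip_allowed LOGIN CLIENT_IP ACL_FILE
    login=$1
    ip=$(normalize_ip "$2")
    acl=$3
    # Fail closed when the login, the address or the ACL itself is missing.
    [ -n "$login" ] && [ -n "$ip" ] && [ -r "$acl" ] || return 1
    restricted=0
    while read -r acl_user acl_ip rest || [ -n "$acl_user" ]; do
        case $acl_user in ''|'#'*) continue ;; esac
        [ "$acl_user" = "$login" ] || continue
        restricted=1
        [ "$(normalize_ip "$acl_ip")" = "$ip" ] && return 0
    done < "$acl"
    # No entry matched: allow only if this login has no restrictions at all.
    [ "$restricted" -eq 0 ]
}

# Wrapper entry point: runs only when invoked with the real imapd command line.
if [ "$#" -gt 0 ]; then
    acl_file=${IMAP_IP_ACL:-/etc/courier/imap-ip-acl}   # hypothetical path
    if ip_allowed "${AUTHENTICATED:-}" "${TCPREMOTEIP:-}" "$acl_file"; then
        exec "$@"
    fi
    # Abort before any response is sent; the client just sees the session end.
    logger -p mail.warning \
        "imap-ip-wrapper: denied ${AUTHENTICATED:-?} from ${TCPREMOTEIP:-?}"
    exit 1
fi
```

The same `ip_allowed` check can sit in front of pop3d, and the flat file can be replaced by a lookup against an extra column in the user table without changing the wrapper's structure.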