> On 07 Nov 2014, at 12:44, Reindl Harald <h.rei...@thelounge.net> wrote:
>
>
> On 07.11.2014 at 12:30, Cor Bosman wrote:
>>> On 07 Nov 2014, at 12:24, Reindl Harald <h.rei...@thelounge.net> wrote:
>>>
>>> On 07.11.2014 at 12:17, Cor Bosman wrote:
>>>> I changed my plugin to use the rcube_utils function,
>>>> https://github.com/corbosman/ident
>>>>
>>>> Reindl has a point though, but that should be changed in that function then
>>>
>>> it can't
>>>
>>> the point of "mod_remoteip" is that you never face the physical IP anywhere
>>> in the application, not in the logs and not in apache modules like
>>> mod_security if they are implemented correctly
>>>
>>> if you read the mod_remoteip docs carefully you see that this header can list
>>> more than one address (two proxies between the user and your own proxy which
>>> adds his physical client ID) and hence it is important which is your own
>>> trusted one and god beware you try to handle that inside the application
>>> and making mistakes if the result is used for authentication and permissions
>>>
>>> that's why you *never* should deal with that inside a webapp and keep the
>>> responsibility by the webserver admin
>>
>> This plugin's sole purpose is to hint to dovecot what the actual user's ip
>> address was that connected to roundcube, instead of roundcube's own ip
>> address. That hint could then serve you for further investigation.
>>
>> I don't know what roundcube itself does with that info, but I don't think it
>> does anything 'dangerous' with it
>
> *but* dovecot may do depending on the configuration because forwarding that
> information has the simple reason that otherwise you can't enforce ip based
> access lists for webmail users
>
> finally that means: don't forward untrustable information to dovecot
>
> doing so breaks until that happens sane and secure configurations and secure
> in that context means nobody but the server admin knows the big picture of
> proxies, NAT and access lists and hence is responsible to deal with that -
> that's why mod_remoteip exists

Dovecot doesn't. All dovecot does with that information is log the x-forwarded-ip if, and only if, your roundcube server is listed as a host that is allowed to provide that info. I really fail to see the security implications as long as one realises this info is meant as a hint, not absolute fact. It's still slightly more useful than having the roundcube ip listed in your imap logfile. But YMMV.

Cor
_______________________________________________
Roundcube Development discussion mailing list
dev@lists.roundcube.net
http://lists.roundcube.net/mailman/listinfo/dev
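The trust rule Reindl describes above, that the forwarded-for header may carry several hops and only the hop appended by a proxy you yourself operate is worth anything, written out as an added example. This is not code from the thread, from the ident plugin or from mod_remoteip; it implements the same "trusted proxy list" idea that mod_remoteip's RemoteIPTrustedProxy directive applies at the web server. The CIDR list and the header values below are constructed.

```python
"""Resolve the client address from X-Forwarded-For the way a proxy layer
is meant to: ignore the header unless the TCP peer is one of our own
proxies, then walk the hop list from the right, discard every hop that is
one of our proxies, and take the first address that is not ours.

Added example; trusted-proxy CIDRs and sample headers are constructed.
"""
import ipaddress
from typing import Iterable, Optional


def _parse_networks(cidrs: Iterable[str]):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _is_trusted(addr, trusted) -> bool:
    return any(addr in net for net in trusted)


def resolve_client_ip(remote_addr: str, xff_header: Optional[str],
                      trusted_proxies: Iterable[str]) -> str:
    """Return the address the application may treat as the client.

    remote_addr     -- the TCP peer address the web server actually saw
    xff_header      -- raw X-Forwarded-For value, or None if absent
    trusted_proxies -- CIDRs of the proxies *you* operate (constructed list)
    """
    trusted = _parse_networks(trusted_proxies)
    peer = ipaddress.ip_address(remote_addr)

    # Rule 1: if the direct peer is not one of our proxies, the header is
    # client-controlled input and is ignored outright.
    if not xff_header or not _is_trusted(peer, trusted):
        return str(peer)

    # Rule 2: each proxy appends the address it saw, so the right-most hop
    # was written by the proxy closest to us. Walk from the right, skip our
    # own proxies, and stop at the first address we did not add ourselves.
    # Anything further left was supplied by someone else and is not trusted.
    hops = [h.strip() for h in xff_header.split(",")]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # A malformed hop means the chain cannot be trusted beyond this
            # point; fall back to the peer rather than guess.
            return str(peer)
        if not _is_trusted(addr, trusted):
            return str(addr)

    # Every hop was one of our proxies (e.g. a health check from the edge).
    return str(peer)


if __name__ == "__main__":
    # Constructed scenario: our reverse proxies live in 10.0.0.0/8 and the
    # Roundcube host sees the request arriving from 10.0.0.5.
    ours = ["10.0.0.0/8"]
    print(resolve_client_ip("10.0.0.5", "203.0.113.7", ours))              # client behind one proxy
    print(resolve_client_ip("10.0.0.5", "203.0.113.7, 10.0.0.9", ours))    # two of our proxies in the path
    print(resolve_client_ip("10.0.0.5", "198.51.100.1, 203.0.113.7", ours))  # left-most hop is foreign noise
    print(resolve_client_ip("198.51.100.1", "203.0.113.7", ours))          # header from an untrusted peer
```

The third call is the case the thread turns on: a value placed at the left of the header by an earlier, unknown party is never reached, because the walk stops at the first hop our own proxies did not write. The fourth shows the other half of the rule: with no trusted proxy in front, the header is simply not consulted. Which list counts as "ours" is exactly the knowledge Reindl says belongs to the web server admin, which is why doing this once in mod_remoteip is preferable to every application re-deciding it.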