On Tue, 28 Dec 2021, Jaroslaw Rafa via mailop wrote:

> On 28.12.2021 at 07:17:43, Michael Peddemors via mailop wrote:
>
>> For us, the security value of passing the originating IP to the
>> Dovecot or SMTP layers for auth restrictions is paramount, as well
>> as other details on the originating sender. (Country AUTH
>> restrictions, OS Detection, and many more)
>
> Can't these restrictions be just moved from Dovecot/Postfix to Roundcube
> itself? Roundcube definitely knows the value of the $_SERVER["REMOTE_ADDR"]
> variable and can make use of it...

If a provider makes both IMAP and Roundcube access available, any
restrictions implemented on Roundcube would need to be duplicated
on the IMAP service.

> It is Roundcube that is actually connecting to Dovecot/Postfix and
> receiving/sending mail, not the user's browser, so the connecting IP that
> Dovecot/Postfix gets is technically correct. No need to change it. On the
> other hand, user's browser is talking HTTP to Roundcube, and Roundcube knows
> its IP address, so Roundcube is the point where restrictions should be
> enforced, not Dovecot/Postfix.

*If* I understand correctly, Roundcube allows a user to interact with
multiple mail-boxes, in which case Roundcube may not be under control
of the same organisation as the IMAP account.

--
Andrew C. Aitchison                                     Kendal, UK
                        [email protected]
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
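
The trade-off discussed in this thread, as an added example that is not part of any poster's message: a single auth policy evaluated at the mail backend, which honours a forwarded originating IP only when the connection comes from a trusted webmail frontend. The function names and all addresses (documentation ranges) are constructed assumptions, and this models the decision only; it is not Dovecot, Postfix or Roundcube code.

```python
import ipaddress

# Constructed values (documentation address ranges), not from the thread.
TRUSTED_FRONTENDS = [ipaddress.ip_network("192.0.2.10/32")]  # the webmail host
ALLOWED_CLIENTS = [ipaddress.ip_network("198.51.100.0/24")]  # stand-in for a country rule


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def effective_client_ip(peer_ip, forwarded_ip=None):
    """Return the address the auth policy should judge, or None.

    A forwarded originating IP is honoured only when the TCP peer is a
    trusted frontend. From any other peer the claim is ignored, so a
    direct IMAP client cannot choose its own source address.
    """
    peer = ipaddress.ip_address(peer_ip)
    if forwarded_ip is not None and _in_any(peer, TRUSTED_FRONTENDS):
        try:
            return ipaddress.ip_address(forwarded_ip)
        except ValueError:
            return None  # malformed claim from the frontend: fail closed
    return peer


def auth_allowed(peer_ip, forwarded_ip=None):
    """One policy decision covering both direct IMAP and webmail logins."""
    client = effective_client_ip(peer_ip, forwarded_ip)
    return client is not None and _in_any(client, ALLOWED_CLIENTS)


if __name__ == "__main__":
    # Constructed login attempts: (TCP peer, forwarded originating IP)
    for peer, fwd in [("198.51.100.7", None), ("192.0.2.10", "203.0.113.5"),
                      ("203.0.113.5", "198.51.100.7"), ("192.0.2.10", None)]:
        print(peer, fwd, auth_allowed(peer, fwd))
```

The last case shows what the backend sees when the frontend forwards nothing: only the webmail host's own address, so the client-based rule cannot be applied there.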