On 2009-03-12, at 1004, Rick Widmer wrote:
> Kis Peter wrote:
>> Hi!
>> Is there a way to limit the Postmaster account in QmailAdmin to only being able to log in from a specific IP address?
> http://httpd.apache.org/docs/1.3/mod/mod_access.html
> http://httpd.apache.org/docs/1.3/sections.html
qmailadmin doesn't use HTTP-Authenticate headers to authenticate. The userid, domain, and password are submitted as POST query fields, and POST data is not visible in any way which can be tested within a config file (be it httpd.conf or a .htaccess file).

So the answer to his question is "no". At least not without modifying the source code. And after thinking about it for a few minutes, and looking at the code, it turns out a patch to make this possible is actually fairly easy.
Apache's "SetEnvIf" directive can set environment variables based on several criteria, one of which is the client's IP address. qmailadmin can search for a variable to tell whether to allow domain admin logins or not... and in order to not break anybody's existing qmailadmin install, if the variable doesn't exist, it will allow domain admin logins (as it currently does). So the variable needs to be a "DENY" variable.

So: we need to add some code to qmailadmin which, if the userid is "postmaster" or has the domain-admin flag set (the existing set_admin_type() function already checks this), will look for an environment variable called "QMAILADMIN_DENY_ADMIN", and if the variable is present, give the user some kind of "access denied" message.

Looking at the existing code... hrmmm... that actually wasn't too bad; only two places in the code needed to be changed. It compiles cleanly (well, as cleanly as qmailadmin itself does) and it plays nicely with the onchange.3 patch as well... it's installed and running on my own server, I've tested it, and it works as expected.
I'm not sure exactly where I want to put the patch file on my web site: the "onchange" patch is documented with the vpopmail stuff (since the original "onchange" patch is for vpopmail) but this is for qmailadmin only... I'll probably start a qmailadmin page on the site, but for now you can get the patch here:
http://qmail.jms1.net/patches/qmailadmin-1.2.12-deny-admin.patch

Of course, the other side of the equation is to make Apache set the environment variable for all IP addresses EXCEPT the ones you trust. This is the general idea:

    SetEnvIf Remote_Addr . QMAILADMIN_DENY_ADMIN
    SetEnvIf Remote_Addr ^192\.168\.5\. !QMAILADMIN_DENY_ADMIN
    SetEnvIf Remote_Addr ^207\.30\.xx\.xxx$ !QMAILADMIN_DENY_ADMIN

These lines can be added to a .htaccess file in the directory containing the qmailadmin executable. You don't need to restart Apache when creating or updating this file.
The first line creates the QMAILADMIN_DENY_ADMIN variable for every connection. You might think you could use "SetEnv" for this, but it doesn't work, because SetEnv is processed after SetEnvIf, so anything created by SetEnv will overwrite anything else.

The second line removes the variable (thereby allowing postmaster logins) if the client's IP starts with "192.168.5." ... this is typical for a small home or office network; obviously adjust for your own needs.

The third line removes the variable for one specific IP address. This might be for a system administrator with a static IP, for example. I just added it in there to show how you can "trust" more than one IP or block of IPs.
Enjoy.

----------------------------------------------------------------
| John M. Simpson --- KG4ZOW --- Programmer At Large           |
| http://www.jms1.net/ <[email protected]>                     |
----------------------------------------------------------------
| http://video.google.com/videoplay?docid=-1656880303867390173 |
----------------------------------------------------------------
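The two halves of the scheme described in the message above (the ordered SetEnvIf rules on the Apache side, and the "deny if the variable is present" check on the qmailadmin side), as an added example. This is not the patch, nor code from qmailadmin or Apache; it is a stand-alone C model of the decision. It assumes the TEST-NET address 203.0.113.7 as a stand-in for the redacted 207.30.xx.xxx, and passes the CGI environment in as an envp-style array rather than reading the real process environment, so it can be run without a web server. The function names deny_admin_for, admin_login_allowed and login_decision are the example's own.

```c
/* Added example, not code from the patch, qmailadmin or Apache. It models
 * the two halves of the scheme in the post:
 *   1. the SetEnvIf rules, evaluated in order, deciding whether
 *      QMAILADMIN_DENY_ADMIN ends up in the CGI environment for a client;
 *   2. the qmailadmin-side check: postmaster / domain-admin logins are
 *      refused when that variable is present, other users are untouched,
 *      and an absent variable means "allow" (the unpatched behaviour).
 * Assumptions: the redacted "207.30.xx.xxx" is replaced by the TEST-NET
 * address 203.0.113.7, and the CGI environment is an envp-style array
 * handed in by the caller instead of the real process environment. */
#include <regex.h>
#include <stddef.h>
#include <string.h>

/* One SetEnvIf rule: a pattern and whether a match sets (1) or removes (0)
 * the variable ("VAR" versus "!VAR"). */
struct envif_rule {
    const char *pattern;
    int set;
};

/* Same order as the .htaccess in the post. The first rule sets the
 * variable for every client; later rules remove it for trusted clients.
 * Apache treats the pattern as a regular expression, so the escaped dots
 * and the ^ / $ anchors are part of the rule. */
static const struct envif_rule rules[] = {
    { ".",                   1 }, /* SetEnvIf Remote_Addr . QMAILADMIN_DENY_ADMIN               */
    { "^192\\.168\\.5\\.",   0 }, /* SetEnvIf Remote_Addr ^192\.168\.5\. !QMAILADMIN_DENY_ADMIN */
    { "^203\\.0\\.113\\.7$", 0 }, /* stand-in for ^207\.30\.xx\.xxx$ (assumed address)          */
};

/* Apply the rules to one client address. Returns 1 if QMAILADMIN_DENY_ADMIN
 * would be present afterwards, 0 if not, -1 if a pattern fails to compile. */
int deny_admin_for(const char *remote_addr)
{
    int present = 0;
    size_t i;

    for (i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        regex_t re;
        int rc;

        if (regcomp(&re, rules[i].pattern, REG_EXTENDED | REG_NOSUB) != 0)
            return -1;
        rc = regexec(&re, remote_addr, 0, NULL, 0);
        regfree(&re);
        if (rc == 0)
            present = rules[i].set;   /* a later matching rule wins */
    }
    return present;
}

/* Is NAME present in an envp-style array ("NAME=value" strings, NULL
 * terminated)? Presence is what counts, not the value. */
static int env_has(const char *const *envp, const char *name)
{
    size_t n = strlen(name);

    for (; *envp != NULL; envp++)
        if (strncmp(*envp, name, n) == 0 && (*envp)[n] == '=')
            return 1;
    return 0;
}

/* The check the post describes adding on the qmailadmin side. Returns
 * 1 = let the login proceed, 0 = refuse it. Only "postmaster" and users
 * carrying the domain-admin flag are affected; everyone else passes. */
int admin_login_allowed(const char *user, int has_domain_admin_flag,
                        const char *const *envp)
{
    int is_admin = (strcmp(user, "postmaster") == 0) || has_domain_admin_flag;

    if (!is_admin)
        return 1;
    return !env_has(envp, "QMAILADMIN_DENY_ADMIN");
}

/* Both halves together for one request: Apache decides the variable,
 * qmailadmin reads it. Returns 1 allow, 0 refuse, -1 on a bad pattern. */
int login_decision(const char *remote_addr, const char *user,
                   int has_domain_admin_flag)
{
    /* constructed stand-ins for the CGI environment Apache would export */
    static const char *const env_denied[] = { "QMAILADMIN_DENY_ADMIN=1", NULL };
    static const char *const env_open[]   = { "REQUEST_METHOD=POST", NULL };
    int deny = deny_admin_for(remote_addr);

    if (deny < 0)
        return -1;
    return admin_login_allowed(user, has_domain_admin_flag,
                               deny ? env_denied : env_open);
}
```

Two things the model makes visible that are easy to get wrong in the real .htaccess: the patterns are regular expressions, so `^192\.168\.5\.` trusts 192.168.5.20 but not 192.168.50.1, and the `$` on the single-host rule is what stops 203.0.113.70 from being trusted along with 203.0.113.7. Remote_Addr is the TCP peer address, so if Apache sits behind a reverse proxy every request arrives from the proxy and this check would trust (or deny) everyone alike.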
