Thanks John! I will try to modify the source code of Qmailadmin.
Kis Peter

John Simpson <[email protected]> wrote:
> On 2009-03-12, at 1004, Rick Widmer wrote:
> > Kis Peter wrote:
> >> Hi!
> >> Is there a way to limit Postmaster account in QmailAdmin to
> >> only being able to login from a specific IP address?
> >
> > http://httpd.apache.org/docs/1.3/mod/mod_access.html
> > http://httpd.apache.org/docs/1.3/sections.html
>
> qmailadmin doesn't use HTTP-Authenticate headers to authenticate. the
> userid, domain, and password are submitted as POST query fields, and
> POST data is not visible in any way which can be tested within a
> config file (be it httpd.conf or a .htaccess file.)
>
> so the answer to his question is "no".
>
> at least not without modifying the source code. and after thinking
> about it for a few minutes, and looking at the code, it turns out a
> patch to make this possible is actually fairly easy.
>
> apache's "SetEnvIf" directive can set environment variables based on
> several criteria, one of which is the client's IP address. qmailadmin
> can search for a variable to tell whether to allow domain admin logins
> or not... and in order to not break anybody's existing qmailadmin
> install, if the variable doesn't exist, it will allow domain admin
> logins (as it currently does.) so the variable needs to be a "DENY"
> variable.
>
> so. we need to add some code to qmailadmin which, if the userid is
> "postmaster" or has the domain-admin flag set (the existing
> set_admin_type() function already checks this) it will look for an
> environment variable called "QMAILADMIN_DENY_ADMIN", and if the
> variable is present, give the user some kind of "access denied" message.
>
> looking at the existing code... hrmmm... that actually wasn't too bad,
> only two places in the code needed to be changed. it compiles cleanly
> (well, as cleanly as qmailadmin itself does) and it plays nicely with
> the onchange.3 patch as well... it's installed and running on my own
> server, i've tested it, and it works as expected.
>
> i'm not sure exactly where i want to put the patch file on my web
> site- the "onchange" patch is documented with the vpopmail stuff
> (since the original "onchange" patch is for vpopmail) but this is for
> qmailadmin only... i'll probably start a qmailadmin page on the site,
> but for now you can get the patch here:
>
> http://qmail.jms1.net/patches/qmailadmin-1.2.12-deny-admin.patch
>
> of course, the other side of the equation is to make apache set the
> environment variable for all IP addresses EXCEPT the ones you trust.
> this is the general idea:
>
> SetEnvIf Remote_Addr . QMAILADMIN_DENY_ADMIN
> SetEnvIf Remote_Addr ^192\.168\.5\. !QMAILADMIN_DENY_ADMIN
> SetEnvIf Remote_Addr ^207\.30\.xx\.xxx$ !QMAILADMIN_DENY_ADMIN
>
> these lines can be added to a .htaccess file in the directory
> containing the qmailadmin executable. you don't need to restart apache
> when creating or updating this file.
>
> the first line creates the QMAILADMIN_DENY_ADMIN variable, for every
> connection. you might think you could use "SetEnv" for this, but it
> doesn't work because SetEnv is processed after SetEnvIf, so anything
> created by SetEnv will overwrite anything else.
>
> the second line removes the variable (thereby allowing postmaster
> logins) if the client's IP starts with "192.168.5." ... this is
> typical for a small home or office network, obviously adjust for your
> own needs.
>
> the third line removes the variable for one specific IP address. this
> might be for a system administrator with a static IP, for example. i
> just added it in there to show how you can "trust" more than one IP or
> block of IPs.
>
> enjoy.
>
> ----------------------------------------------------------------
> | John M. Simpson --- KG4ZOW --- Programmer At Large |
> | http://www.jms1.net/ <[email protected]> |
> ----------------------------------------------------------------
> | http://video.google.com/videoplay?docid=-1656880303867390173 |
> ----------------------------------------------------------------
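
The two halves described in the quoted message, put together as an added example (not the code from the linked patch and not part of the original thread): the SetEnvIf rules are evaluated in order with POSIX regexes, then the admin-login check is applied. The function names are assumptions of this example, and the third address is a constructed documentation address standing in for the elided one.

```c
#include <regex.h>
#include <stdlib.h>

/* One SetEnvIf rule keyed on Remote_Addr: a regex, and whether the rule
   sets the variable or removes it (the "!VAR" form). */
struct rule { const char *pattern; int unset; };

/* Rules in the order given in the message. The third address is a
   constructed documentation address, not the elided one from the post. */
static const struct rule RULES[] = {
    { ".",                   0 },  /* set for every client        */
    { "^192\\.168\\.5\\.",   1 },  /* trusted LAN: remove         */
    { "^203\\.0\\.113\\.7$", 1 },  /* one trusted host: remove    */
};

/* Evaluate the rules top to bottom; the last matching rule wins.
   Returns 1 if the deny variable ends up set, 0 if not, -1 on regex error. */
int deny_var_set(const char *remote_addr) {
    int set = 0;
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++) {
        regex_t re;
        if (regcomp(&re, RULES[i].pattern, REG_EXTENDED | REG_NOSUB) != 0)
            return -1;
        if (regexec(&re, remote_addr, 0, NULL, 0) == 0)
            set = !RULES[i].unset;
        regfree(&re);
    }
    return set;
}

/* CGI-side decision as described: only admin logins are affected and only
   the presence of the variable matters. deny_var is the getenv() result;
   NULL means "not set", which allows the login (a missing .htaccess fails open). */
int admin_login_allowed(int is_admin, const char *deny_var) {
    return !is_admin || deny_var == NULL;
}

/* Both halves for one request: web-server rules, then the CGI check. */
int simulate_request(const char *remote_addr, int is_admin) {
    int deny = deny_var_set(remote_addr);
    if (deny < 0) return -1;
    return admin_login_allowed(is_admin, deny ? "1" : NULL);
}

/* The same check against the real process environment. */
int admin_login_allowed_env(int is_admin) {
    return admin_login_allowed(is_admin, getenv("QMAILADMIN_DENY_ADMIN"));
}
```

The trailing `\.` and the `$` anchor are what keep 192.168.50.x and 203.0.113.70 out of the trusted set; Remote_Addr is the address of whatever connects to apache, so behind a reverse proxy every request carries the proxy's address.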
