Re: Re: [qmailadmin] limit Postmaster account
Thanks John! I will try to modify the source code of Qmailadmin.

Kis Peter

John Simpson j...@jms1.net wrote:

> On 2009-03-12, at 1004, Rick Widmer wrote:
>
>> Kis Peter wrote:
>>> Hi! Is there a way to limit Postmaster account in QmailAdmin to only being able to login from a specific IP address?
>>
>> http://httpd.apache.org/docs/1.3/mod/mod_access.html
>> http://httpd.apache.org/docs/1.3/sections.html
>
> qmailadmin doesn't use HTTP-Authenticate headers to authenticate. the userid, domain, and password are submitted as POST query fields, and POST data is not visible in any way which can be tested within a config file (be it httpd.conf or a .htaccess file.)
>
> so the answer to his question is no. at least not without modifying the source code.
>
> and after thinking about it for a few minutes, and looking at the code, it turns out a patch to make this possible is actually fairly easy.
>
> apache's SetEnvIf directive can set environment variables based on several criteria, one of which is the client's IP address. qmailadmin can search for a variable to tell whether to allow domain admin logins or not... and in order to not break anybody's existing qmailadmin install, if the variable doesn't exist, it will allow domain admin logins (as it currently does.) so the variable needs to be a DENY variable.
>
> so. we need to add some code to qmailadmin which, if the userid is postmaster or has the domain-admin flag set (the existing set_admin_type() function already checks this) it will look for an environment variable called QMAILADMIN_DENY_ADMIN, and if the variable is present, give the user some kind of access denied message.
>
> looking at the existing code... hrmmm...
>
> that actually wasn't too bad, only two places in the code needed to be changed. it compiles cleanly (well, as cleanly as qmailadmin itself does) and it plays nicely with the onchange.3 patch as well... it's installed and running on my own server, i've tested it, and it works as expected.
>
> i'm not sure exactly where i want to put the patch file on my web site- the onchange patch is documented with the vpopmail stuff (since the original onchange patch is for vpopmail) but this is for qmailadmin only... i'll probably start a qmailadmin page on the site, but for now you can get the patch here:
>
> http://qmail.jms1.net/patches/qmailadmin-1.2.12-deny-admin.patch
>
> of course, the other side of the equation is to make apache set the environment variable for all IP addresses EXCEPT the ones you trust. this is the general idea:
>
>     SetEnvIf Remote_Addr . QMAILADMIN_DENY_ADMIN
>     SetEnvIf Remote_Addr ^192\.168\.5\. !QMAILADMIN_DENY_ADMIN
>     SetEnvIf Remote_Addr ^207\.30\.xx\.xxx$ !QMAILADMIN_DENY_ADMIN
>
> these lines can be added to a .htaccess file in the directory containing the qmailadmin executable. you don't need to restart apache when creating or updating this file.
>
> the first line creates the QMAILADMIN_DENY_ADMIN variable, for every connection. you might think you could use SetEnv for this, but it doesn't work because SetEnv is processed after SetEnvIf, so anything created by SetEnv will overwrite anything else.
>
> the second line removes the variable (thereby allowing postmaster logins) if the client's IP starts with 192.168.5. ... this is typical for a small home or office network, obviously adjust for your own needs.
>
> the third line removes the variable for one specific IP address. this might be for a system administrator with a static IP, for example. i just added it in there to show how you can trust more than one IP or block of IPs.
>
> enjoy.
>
> | John M. Simpson --- KG4ZOW --- Programmer At Large |
> | http://www.jms1.net/ j...@jms1.net |
> | http://video.google.com/videoplay?docid=-1656880303867390173 |
Re: Re: [qmailadmin] limit Postmaster account
Hi Peter,

You don't have to. He has just provided a patch. Just apply it against the src.

Regards :)

Peter Lendvai

On Mon, 16 Mar 2009 10:58:31 +0100 (CET), Kis Peter kispeter1...@freemail.hu wrote:

> Thanks John! I will try to modify the source code of Qmailadmin.
>
> Kis Peter
>
> John Simpson j...@jms1.net wrote:
>
>> i'll probably start a qmailadmin page on the site, but for now you can get the patch here:
>>
>> http://qmail.jms1.net/patches/qmailadmin-1.2.12-deny-admin.patch
>>
>> of course, the other side of the equation is to make apache set the environment variable for all IP addresses EXCEPT the ones you trust. this is the general idea:
>>
>>     SetEnvIf Remote_Addr . QMAILADMIN_DENY_ADMIN
>>     SetEnvIf Remote_Addr ^192\.168\.5\. !QMAILADMIN_DENY_ADMIN
>>     SetEnvIf Remote_Addr ^207\.30\.xx\.xxx$ !QMAILADMIN_DENY_ADMIN
>>
>> these lines can be added to a .htaccess file in the directory containing the qmailadmin executable. you don't need to restart apache when creating or updating this file.
Re: [qmailadmin] limit Postmaster account
On 2009-03-12, at 1004, Rick Widmer wrote:

> Kis Peter wrote:
>> Hi! Is there a way to limit Postmaster account in QmailAdmin to only being able to login from a specific IP address?
>
> http://httpd.apache.org/docs/1.3/mod/mod_access.html
> http://httpd.apache.org/docs/1.3/sections.html

qmailadmin doesn't use HTTP-Authenticate headers to authenticate. the userid, domain, and password are submitted as POST query fields, and POST data is not visible in any way which can be tested within a config file (be it httpd.conf or a .htaccess file.)

so the answer to his question is no. at least not without modifying the source code.

and after thinking about it for a few minutes, and looking at the code, it turns out a patch to make this possible is actually fairly easy.

apache's SetEnvIf directive can set environment variables based on several criteria, one of which is the client's IP address. qmailadmin can search for a variable to tell whether to allow domain admin logins or not... and in order to not break anybody's existing qmailadmin install, if the variable doesn't exist, it will allow domain admin logins (as it currently does.) so the variable needs to be a DENY variable.

so. we need to add some code to qmailadmin which, if the userid is postmaster or has the domain-admin flag set (the existing set_admin_type() function already checks this) it will look for an environment variable called QMAILADMIN_DENY_ADMIN, and if the variable is present, give the user some kind of access denied message.

looking at the existing code... hrmmm...

that actually wasn't too bad, only two places in the code needed to be changed. it compiles cleanly (well, as cleanly as qmailadmin itself does) and it plays nicely with the onchange.3 patch as well... it's installed and running on my own server, i've tested it, and it works as expected.

i'm not sure exactly where i want to put the patch file on my web site- the onchange patch is documented with the vpopmail stuff (since the original onchange patch is for vpopmail) but this is for qmailadmin only... i'll probably start a qmailadmin page on the site, but for now you can get the patch here:

http://qmail.jms1.net/patches/qmailadmin-1.2.12-deny-admin.patch

of course, the other side of the equation is to make apache set the environment variable for all IP addresses EXCEPT the ones you trust. this is the general idea:

    SetEnvIf Remote_Addr . QMAILADMIN_DENY_ADMIN
    SetEnvIf Remote_Addr ^192\.168\.5\. !QMAILADMIN_DENY_ADMIN
    SetEnvIf Remote_Addr ^207\.30\.xx\.xxx$ !QMAILADMIN_DENY_ADMIN

these lines can be added to a .htaccess file in the directory containing the qmailadmin executable. you don't need to restart apache when creating or updating this file.

the first line creates the QMAILADMIN_DENY_ADMIN variable, for every connection. you might think you could use SetEnv for this, but it doesn't work because SetEnv is processed after SetEnvIf, so anything created by SetEnv will overwrite anything else.

the second line removes the variable (thereby allowing postmaster logins) if the client's IP starts with 192.168.5. ... this is typical for a small home or office network, obviously adjust for your own needs.

the third line removes the variable for one specific IP address. this might be for a system administrator with a static IP, for example. i just added it in there to show how you can trust more than one IP or block of IPs.

enjoy.

| John M. Simpson --- KG4ZOW --- Programmer At Large |
| http://www.jms1.net/ j...@jms1.net |
| http://video.google.com/videoplay?docid=-1656880303867390173 |
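
The two halves described in the message above, put together as an added C example; it is not part of the original message and not the code from the linked patch. The SetEnvIf lines are emulated with POSIX regexes, the elided third address is replaced by a constructed documentation-range address, and `is_admin` is a hypothetical stand-in for what set_admin_type() determines.

```c
#include <regex.h>
#include <stddef.h>

/* One SetEnvIf-style rule on Remote_Addr: a regex and whether a match
 * sets (1) or unsets (0, the "!VAR" form) QMAILADMIN_DENY_ADMIN. */
struct rule { const char *pattern; int set; };

/* Constructed rule set mirroring the three lines in the message. The
 * third address is a documentation-range placeholder, not the elided
 * address from the post. */
static const struct rule RULES[] = {
    { ".",                    1 },  /* every client: set the deny flag */
    { "^192\\.168\\.5\\.",    0 },  /* trusted LAN: unset */
    { "^203\\.0\\.113\\.10$", 0 },  /* one trusted static IP: unset */
};

/* Apply the rules in order; a later match overrides an earlier one.
 * Returns 1 if the deny variable would be present for this client. */
int deny_var_present(const char *remote_addr)
{
    int present = 0;
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++) {
        regex_t re;
        if (regcomp(&re, RULES[i].pattern, REG_EXTENDED | REG_NOSUB) != 0)
            return 1;  /* choice made here: an unusable rule keeps admins out */
        if (regexec(&re, remote_addr, 0, NULL, 0) == 0)
            present = RULES[i].set;
        regfree(&re);
    }
    return present;
}

/* CGI-side decision as the message describes it: only postmaster or
 * domain-admin logins are affected, and only when the variable exists.
 * env_value is what getenv("QMAILADMIN_DENY_ADMIN") would return. */
int admin_login_allowed(int is_admin, const char *env_value)
{
    if (!is_admin)
        return 1;              /* ordinary users are never restricted */
    return env_value == NULL;  /* missing variable means allow */
}

/* Join both halves for one request. */
int request_allowed(const char *remote_addr, int is_admin)
{
    const char *env = deny_var_present(remote_addr) ? "1" : NULL;
    return admin_login_allowed(is_admin, env);
}
```

Because a missing variable means allow, a .htaccess that Apache does not read (for example when AllowOverride does not include FileInfo) leaves admin logins open from every address.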
[qmailadmin] limit Postmaster account
Hi! Is there a way to limit Postmaster account in QmailAdmin to only being able to login from a specific IP address?

Thanks!

kispe...@freemail.hu
Re: [qmailadmin] limit Postmaster account
Kis Peter wrote:

> Hi! Is there a way to limit Postmaster account in QmailAdmin to only being able to login from a specific IP address?

http://httpd.apache.org/docs/1.3/mod/mod_access.html
http://httpd.apache.org/docs/1.3/sections.html