Daniel L. Miller wrote:
>
>
> Timo Sirainen wrote:
>> On Mon, 2009-08-10 at 12:09 -0700, Daniel L. Miller wrote:
>>
>>> If at all possible, I would much rather see an error thrown than
>>> choosing which one to accept. To me, having Dovecot tolerate broken
>>> configurations is less desirable than giving clear feedback for the
>>> user to fix it. Anything from:
>>>
>>> "foo" is defined more than once
>>> overlapping ip declarations
>>> "remote_ip" declaration in protocol "imap" conflicts with "remote_ip"
>>> declaration in protocol "all"
>>>
>>
>> It's not necessarily a broken configuration. For example you could have:
>>
>> disable_plaintext_auth = yes # default also
>> remote_ip 192.168.0.0/16 {
>> # allow plaintext auth from intranet
>> disable_plaintext_auth = no
>> }
>>
>> That's an ok configuration, right? But then again, maybe one of those
>> IPs is a proxy to outside world and you don't want plaintext auth from
>> there:
>>
>> remote_ip 192.168.123.44 {
>> disable_plaintext_auth = yes
>> }
>>
>> But I guess if there truly are some conflicts it could warn about
>> them .. although that might be more work than it's worth. :)
>>
> Well - if those are not broken configs, then I guess I misunderstood the
> question. I would expect the most restrictive test to govern, so:
>
> remote_ip 192.168.0.0/16 {
> # allow plaintext auth from intranet
> disable_plaintext_auth = no
> }
>
> remote_ip 192.168.10.0/8 {
> # allow plaintext auth from intranet
> disable_plaintext_auth = yes
> }
>
> remote_ip 192.168.0.1 {
> # allow plaintext auth from intranet
> disable_plaintext_auth = no
> }
>
> connecting from 192.168.0.1 should result in disable_plaintext_auth = no.
>
I agree - however, it makes the config harder to read, and you pretty
much need something like "dovecotctl -acl -dump" or an equivalent to
netstat -r or iptables -L to display them in the correct order if the
ruleset becomes complex. By using a first-match wins syntax, you make
the actual config file much simpler to read, as it maps to the running
process.
kind regards,
Felix
--
Felix Schüren
Head of Network
-----------------------------------------------------------------------
Host Europe GmbH - http://www.hosteurope.de
Welserstraße 14 - 51149 Köln - Germany
Telefon: 0800 467 8387 - Fax: +49 180 5 66 3233 (*)
HRB 28495 Amtsgericht Köln - USt-IdNr.: DE187370678
Geschäftsführer:
Uwe Braun - Alex Collins - Mark Joseph - Patrick Pulvermüller
(*) 0,14 EUR/Min. aus dem dt. Festnetz, Mobilfunkpreise ggf. abweichend
