Hi Nicolas,
The problem isn't 'technical', but rather political. There are those
out there that believe by including the originating IP Address, you are
exposing PPI (Private Personal Information) by including the IP Address.
Of course, I personally think this is baloney, as the email operator can
simply tell customers that this information will be disclosed, as part
of the terms of service. By including the IP Address, you add
transparency, security and safety to the communication.
But it should be easier and clearer for email operators to choose
whether to include that information, on all web mail platforms.
Possibly on install, it should ask the email operator for their
position, and 'maybe' warning them they should indicate that occurs on
their terms of service. But of course, most operators don't indicate
that for instance the customer's real name might be exposed under certain
circumstances.
The world has gone far too anal in its approach to privacy, at the
expense of security, IMHO.
For us, the security value of passing the originating IP to the Dovecot
or SMTP layers for auth restrictions is paramount, as well as other
details on the originating sender. (Country AUTH restrictions, OS
Detection, and many more)
Suggest that you make a RoundCube enhancement with the packagers that
the option be configured more easily on install. The secondary issue is
to standardize how web mail would pass that information to the mail
server, so you are not dealing with many different methods. And
thirdly, in case of 'proxies' to the actual mailservers, how to pass
that information through the proxy as well.
IMHO.
On 2021-12-28 5:55 a.m., Nicolas JEAN via mailop wrote:
Hi everyone,
I'd like to gather some thoughts on the following issue.
*Problem*
By default, roundcube login attempts (imap, smtp) are forwarded to
dovecot/postfix without the original client IP that makes the request
(possibly true of other webmail software).
This can't benefit from IP-based policies such as dovecot's auth policy
<https://doc.dovecot.org/configuration_manual/authentication/auth_policy/>:
dovecot/postfix are always going to see localhost, internal reverse
proxies, or roundcube's IP address.
*Possible future solution*
There is a long-standing open issue
<https://github.com/roundcube/roundcubemail/issues/5334> at roundcube to
add /proxy protocol/ support.
This would make dovecot and postfix aware of requesting client IPs.
Unfortunately, it doesn't seem like it's going to be merged soon.
*Alternative*
There is an existing roundcube plugin
<https://gitlab.com/takerukoushirou/roundcube-dovecot_client_ip> that
adds client IPs to IMAP login attempts made to dovecot (which I've
patched
<https://gitlab.com/takerukoushirou/roundcube-dovecot_client_ip/-/merge_requests/1>
yesterday to send client IP on first IMAP login too).
I've also asked
<https://github.com/roundcube/roundcubemail/issues/5334#issuecomment-1001530775>
the roundcube community whether this would suffice; that is, if
roundcube doesn't have an /unauthenticated/ endpoint for making SMTP
login attempts (thus blocking IPs for IMAP could be enough).
*Ideas welcome*
Do you use webmails; if so, is this an issue for you as well?
Did you find a way to fix or work around it?
Do you feel like I'm on the right path here, or lost in a dangerous
spacetime?
Thanks a lot in advance,
Nico
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
--
Michael Peddemors, President/CEO LinuxMagic Inc.
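The proxy-protocol handoff discussed in this thread, as an added illustration that is not code from Roundcube, Dovecot or the linked plugin: the webmail side prefixes its IMAP/SMTP connection with a PROXY v1 line carrying the browser's address, and the mail-server side accepts that line only from a trusted proxy network, so an untrusted peer cannot assert an arbitrary client IP for auth policies to act on. The trusted networks and addresses are constructed sample values.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed sample: networks from which a PROXY line is believed
# (the webmail host / reverse-proxy range only, never the Internet).
TRUSTED_PROXY_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
]
MAX_V1_LINE = 107  # longest legal PROXY v1 line including CRLF (TCP6 form)

def build_proxy_v1_header(client_ip: str, client_port: int,
                          server_ip: str, server_port: int) -> bytes:
    """Webmail side: the line sent before the first IMAP/SMTP byte so the
    mail server learns the browser's address, not the webmail host's."""
    family = "TCP4" if ipaddress.ip_address(client_ip).version == 4 else "TCP6"
    return (f"PROXY {family} {client_ip} {server_ip} "
            f"{client_port} {server_port}\r\n").encode("ascii")

def parse_proxy_v1_header(line: bytes, peer_ip: str) -> Optional[Tuple[str, int]]:
    """Mail-server side: return (client_ip, client_port) from a PROXY line,
    or None when it must be ignored (untrusted peer, or UNKNOWN family).
    Raises ValueError on a malformed line; drop the connection, don't guess."""
    if not any(ipaddress.ip_address(peer_ip) in net for net in TRUSTED_PROXY_NETWORKS):
        return None  # only a trusted proxy may assert a client address
    if len(line) > MAX_V1_LINE or not line.endswith(b"\r\n"):
        raise ValueError("malformed PROXY line")
    parts = line[:-2].decode("ascii").split(" ")
    if len(parts) >= 2 and parts[0] == "PROXY" and parts[1] == "UNKNOWN":
        return None  # proxy could not determine the address; fall back to peer
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY line")
    src = ipaddress.ip_address(parts[2])
    dst = ipaddress.ip_address(parts[3])
    want = 4 if parts[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family mismatch")
    src_port, dst_port = int(parts[4]), int(parts[5])
    if not (0 < src_port <= 65535 and 0 < dst_port <= 65535):
        raise ValueError("bad port")
    return str(src), src_port

def client_ip_for_auth(first_line: bytes, peer_ip: str) -> str:
    """Address an IP-based auth policy (rate limits, country rules) should
    act on: the asserted client when trusted, otherwise the TCP peer."""
    parsed = parse_proxy_v1_header(first_line, peer_ip)
    return parsed[0] if parsed else peer_ip
```

Dovecot's own implementation of this is the `haproxy = yes` listener option together with `haproxy_trusted_networks`; the functions above only show the trust decision such a listener has to make.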