On 28/12/2021 20:00, Andrew C Aitchison via mailop wrote:
> On Tue, 28 Dec 2021, Jaroslaw Rafa via mailop wrote:
>> Can't these restrictions be just moved from Dovecot/Postfix to Roundcube
>> itself? Roundcube definitely knows the value of the $_SERVER["REMOTE_ADDR"]
>> variable and can make use of it...
>
> If a provider makes both IMAP and Roundcube access available, any
> restrictions implemented on Roundcube would need to be duplicated on the
> IMAP service.

I tend to agree with Andrew here. If I have IP-based policies set up for dovecot already, I'd like them to be applicable to IMAP login attempts coming from roundcube as well. (Policies as in collecting the data -- which IPs are making how many (failed) logins --, and deciding which of them to block -- brute-force and others.)
>> It is Roundcube that is actually connecting to Dovecot/Postfix and
>> receiving/sending mail, not the user's browser, so the connecting IP that
>> Dovecot/Postfix gets is technically correct. No need to change it. On the
>> other hand, the user's browser is talking HTTP to Roundcube, and Roundcube
>> knows its IP address, so Roundcube is the point where restrictions should
>> be enforced, not Dovecot/Postfix.
>
> *If* I understand correctly, Roundcube allows a user to interact with
> multiple mail-boxes, in which case Roundcube may not be under control of the
> same organisation as the IMAP account.

Also a good point. In that case both organisations may have different policies, which seems fine. If I'm the one managing dovecot, I'd still like my security rules to be enforceable.

Nico
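As an added illustration of the policy problem discussed in this thread (example code, not from the thread, Dovecot or Roundcube): the script counts failed IMAP logins per remote IP over constructed Dovecot imap-login log lines and shows that, when Roundcube proxies the IMAP session, one IP collects many different users' failures, so a naive per-IP block would lock out every webmail user. The log format, user names and addresses are assumed sample values.

```python
"""Per-IP failed-login counting over Dovecot imap-login log lines, and the
side effect of a webmail proxy: every webmail user's failure is attributed
to the webmail host's IP rather than the browser's."""
import re
from collections import Counter, defaultdict

# Matches a Dovecot imap-login auth-failure line; captures user and rip= (remote IP).
FAIL_RE = re.compile(
    r"imap-login: Disconnected \(auth failed[^)]*\): user=<([^>]*)>.*?\brip=([\d.]+)")

# Constructed sample lines (not from the thread). 198.51.100.10 stands in for the
# Roundcube host; 203.0.113.7 is one client hammering a single account over IMAP.
def _fail_line(user, rip):
    return (f"Dec 28 20:01:00 mx dovecot: imap-login: Disconnected (auth failed, "
            f"1 attempts in 2 secs): user=<{user}>, method=PLAIN, rip={rip}, "
            f"lip=198.51.100.1, TLS")

SAMPLE_LOG = "\n".join(
    [_fail_line("bob", "203.0.113.7")] * 5
    + [_fail_line(u, "198.51.100.10") for u in ("alice", "carol", "dave", "erin", "frank")]
    + [_fail_line("gina", "203.0.113.9"),
       "Dec 28 20:01:05 mx dovecot: imap-login: Login: user=<heidi>, method=PLAIN, "
       "rip=203.0.113.9, lip=198.51.100.1, TLS"])

def parse_failures(log_text):
    """Return (user, rip) pairs for every auth-failure line; other lines are ignored."""
    return [m.groups() for line in log_text.splitlines() if (m := FAIL_RE.search(line))]

def evaluate_block_policy(log_text, threshold):
    """Apply a naive 'block the IP after N failures' rule and report who it hits.

    Returns {ip: sorted distinct users whose failures came from that ip} for every
    IP at or above the threshold. Many users behind one IP is the signature of a
    proxy such as Roundcube: blocking it would cut off all webmail users, which is
    why the Dovecot-side policy would want to see the browser's IP instead.
    """
    per_ip = Counter()
    users = defaultdict(set)
    for user, rip in parse_failures(log_text):
        per_ip[rip] += 1
        users[rip].add(user)
    return {ip: sorted(users[ip]) for ip, n in per_ip.items() if n >= threshold}

if __name__ == "__main__":
    for ip, affected in evaluate_block_policy(SAMPLE_LOG, threshold=4).items():
        kind = "proxy-like, many users" if len(affected) > 1 else "single client"
        print(f"{ip}: blocking would affect {affected} ({kind})")
```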
_______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop