[RCU] Security issue (possible?) (was: RE: Unknown user in users table, very odd, possible security hole)

A.L.E.C alec at alec.pl
Sun Feb 11 10:39:38 CET 2018


On 02/09/2018 09:28 PM, Jorge Bastos wrote:
> Well yes, but now I'm thinking, I have the imap server set to be dynamic
> it's filled with:
> 
> mail. + domain.tld
> 
> ok this option in Roundcube is grrreeeaaattt, but I think it makes people
> use my server for webmail! Damn!
> 
> How would I tell Roundcube to connect just to my IPs?
> I could do this via iptables but if some shared hosting user wants to
> connect to any imap server he would be blocked

You have a few options to deal with this:

default_host
username_domain
username_domain_forced
login_username_filter
trusted_host_patterns

How to use them will depend on what you want to achieve and your environment. You can
always create a plugin that checks the host before connecting to it.

-- 
Aleksander 'A.L.E.C' Machniak
Kolab Groupware Developer         [http://kolab.org]
Roundcube Webmail Developer   [http://roundcube.net]
----------------------------------------------------
PGP: 19359DC1 # Blog: https://kolabian.wordpress.com
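
The plugin route mentioned in the reply, as an added example that is not part of the original message or of Roundcube's own code: it uses the `authenticate` hook to refuse a login when the IMAP host (for example one built from `mail.` plus the login domain) does not resolve into an allow-list of the operator's networks. The plugin name `imap_host_guard` and the address ranges are assumptions (constructed documentation ranges, IPv4 only).

```php
<?php
class imap_host_guard extends rcube_plugin  // hypothetical plugin name
{
    public $task = 'login';
    // Assumption: the operator's own IMAP networks (constructed documentation ranges)
    private $allowed = ['192.0.2.0/24', '198.51.100.10/32'];

    public function init()
    {
        // 'authenticate' runs after the login form is posted, before the IMAP connection
        $this->add_hook('authenticate', [$this, 'check_host']);
    }

    public function check_host($args)
    {
        // Expand placeholders such as %s, then drop the scheme prefix and the port
        $host = rcube_utils::parse_host((string) $args['host']);
        $host = preg_replace('#^(ssl|tls)://#i', '', $host);
        $host = preg_replace('/:\d+$/', '', $host);
        // A literal IPv4 address, or every A record of the name
        $literal = filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
        $ips = $literal ? [$host] : (gethostbynamel($host) ?: []);
        // Fail closed: no address, or any address outside the list, refuses the login
        $ok = !empty($ips);
        foreach ($ips as $ip) {
            $ok = $ok && $this->in_ranges($ip);
        }
        if (!$ok) {
            // json_encode keeps user-supplied characters from breaking the log line
            rcube::write_log('errors', 'imap_host_guard: refused host ' . json_encode($host));
            $args['abort'] = true;
        }
        return $args;
    }

    private function in_ranges($ip)
    {
        $addr = ip2long($ip);
        foreach ($this->allowed as $cidr) {
            list($net, $bits) = explode('/', $cidr);
            $mask = (~0 << (32 - (int) $bits)) & 0xFFFFFFFF; // assumes 64-bit PHP
            if (($addr & $mask) === (ip2long($net) & $mask)) {
                return true;
            }
        }
        return false;
    }
}
```

Enable it by adding the name to `$config['plugins']`. The host name is resolved once in this check and again when Roundcube connects, so pair it with an egress firewall rule or pinned DNS where that gap matters.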

