On 07.11.2014 at 13:30, Cor Bosman wrote:
http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets are you 100% sure that it doesn't use that information or will not do so in later releases?
That's not the dovecot option that applies here
I know that!
But can you assure that the forwarded IP will not be used in a future release (maybe optionally) in that context too, or in some 3rd-party module?
The point is simple: don't forward possibly untrusted input if you have a trustable source too, because you can't know the implications on other parts of the mail stack.
Security is a complex topic.
Did you know that $_SERVER['PHP_SELF'] is vulnerable to XSS until you set "AcceptPathInfo Off" in your Apache config, which may break other applications? I did not until a security audit showed a red flag! http://stackoverflow.com/questions/6080022/php-self-and-xss
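The PHP_SELF point above, as an added example that is not part of the thread: the same form action built from $_SERVER three ways, one defective and two hardened, so the fix does not have to depend on the Apache-wide "AcceptPathInfo Off" setting. The $server array is a constructed stand-in for what Apache populates on a request to /form.php/extra-path-info.

```php
<?php
// Added example, not from the mailing-list thread. Assumes Apache with
// AcceptPathInfo enabled (the usual default for PHP handlers), so a request
// to /form.php/anything reaches form.php and "/anything" is appended to
// $_SERVER['PHP_SELF'].

// 1. Defective: PHP_SELF is placed into the attribute raw. The trailing path
//    info is chosen by the client, so client text lands in the HTML unescaped.
//    This is the red flag the audit raised.
function action_unsafe(array $server): string {
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// 2. Hardened on the output side: HTML-encode anything taken from $_SERVER
//    before it goes into markup. Safe even when AcceptPathInfo stays on.
function action_escaped(array $server): string {
    $self = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

// 3. Hardened on the input side: SCRIPT_NAME is the path of the script itself
//    and does not carry client-supplied path info. Still encoded, as a habit.
function action_script_name(array $server): string {
    $self = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

// Constructed request values, as Apache would set them for a request to
// /form.php/extra-path-info (the request path is under the client's control).
$server = [
    'SCRIPT_NAME' => '/form.php',
    'PHP_SELF'    => '/form.php/extra-path-info',
];

echo action_unsafe($server), "\n";        // client-controlled text, unencoded
echo action_escaped($server), "\n";       // same text, HTML-encoded
echo action_script_name($server), "\n";   // script path only, no path info
```

Variant 2 or 3 fixes the page that renders the form; "AcceptPathInfo Off" fixes it server-wide but, as noted above, may break applications that rely on path info.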