On 07.11.2014 at 13:08, Cor Bosman wrote:
On 07.11.2014 at 12:51, Cor Bosman wrote:
On 07 Nov 2014, at 12:44, Reindl Harald h.reindl@thelounge.net wrote:
Dovecot doesn't. All dovecot does with that information is log the x-forwarded-ip
and then on the server runs "fail2ban" enforcing blocking based on that log - congratulations
That still doesn't compromise your security, but I see your point. A DOS possibility, even a remote possibility, is annoying.
if you ever have a security audit on your infrastructure you will see that you get a red flag for *any* known DOS possibility, and if the audit was given in order by a customer that means you have 24 hours to fix that issue or shut down the server - been there, or better said, we are there every week (currently only for webservers but that may change from one day to the next)
the point is not only the DOS - but that's one example where I needed only to think 5 seconds after "it's just used for logging" - there are people out there with a lot of time thinking about how they can abuse IT systems
http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets are you 100% sure that it doesn't use that information or will not do so in later releases?
the idea behind "mod_remoteip" is that you can *trust* $_SERVER['REMOTE_ADDR'] to contain the client's IP behind a proxy, and hence Allow from / Deny from in Apache also use that information, hence it is trustable in a correct setup
I'll revert my plugin back to $_SERVER, and I'll leave it up to the rc devs what to do with the rcube_utils function
thank you!
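The trust rule argued over in this thread (a forwarded-for header is only believable when the direct peer is a proxy you configured, which is what mod_remoteip enforces) as an added example in PHP; it is not Roundcube's, the plugin's or Dovecot's code, and the function names, the trusted range and the sample requests are assumptions constructed for illustration:

```php
<?php
// Added example (not Roundcube's, the plugin's or Dovecot's code): pick the client IP
// the way mod_remoteip does, honouring X-Forwarded-For only when REMOTE_ADDR is a
// configured proxy, so a direct client cannot plant an address for a log-based blocker.
function ip_in_cidr(string $ip, string $cidr): bool   // IPv4 only; bare address = /32
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $mask = (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}
function is_trusted_proxy(string $ip, array $trusted): bool
{
    foreach ($trusted as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}
// $trusted plays the role of RemoteIPInternalProxy / RemoteIPTrustedProxy (constructed list).
function client_ip(array $server, array $trusted): string
{
    $peer = $server['REMOTE_ADDR'];
    if (!is_trusted_proxy($peer, $trusted) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer; // header is not trustworthy from this peer: ignore it
    }
    // Walk the chain right to left, dropping trusted proxies; the first address that
    // is not a trusted proxy is the client. A malformed entry falls back to the peer.
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        if (filter_var($chain[$i], FILTER_VALIDATE_IP) === false) {
            return $peer;
        }
        if (!is_trusted_proxy($chain[$i], $trusted)) {
            return $chain[$i];
        }
    }
    return $chain[0]; // every hop was a trusted proxy
}
// Constructed requests: the first came via the proxy (header honoured), the second is
// a direct client forging the header (header ignored, peer address returned).
$trusted = ['10.0.0.0/8'];
echo client_ip(['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.9'], $trusted), "\n";
echo client_ip(['REMOTE_ADDR' => '198.51.100.20', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'], $trusted), "\n";
```

The same rule applies to anything that logs or blocks on a forwarded address: unless the peer is in the trusted list, only REMOTE_ADDR should reach the log that fail2ban reads.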