Arvedui / radicale-dovecot-auth

Radicale plugin for dovecot authentication
GNU General Public License v3.0

Passing the remote ip in auth request #10

Open Bangaio65 opened 4 years ago

Bangaio65 commented 4 years ago

Info: CentOS 7.8.2003 postfix 2.10.1 dovecot 2.2.36 radicale 3.0.3

I've been trying radicale in a test server, but I can't get the auth to work. After bashing my head for a while it dawned on me to enable auth_debug in dovecot and finally realized why it doesn't work.

I have it set up so that only some users can connect outside of the local network (defined in /etc/dovecot/remote_users). If they're not found there then it tries pam, but the issue is that it needs the remote ip to work (allow_nets=127.0.0.0/8,192.168.1.0/24). Since radicale doesn't provide it, it fails.

Is there a way to pass the remote ip to dovecot?

dovecot log

```
auth: Debug: pam(test_user): allow_nets: Matching for network 127.0.0.0/8
auth: Debug: pam(test_user): allow_nets: Matching for network 192.168.1.0/24
auth: pam(test_user): allow_nets check failed: Remote IP not known and 'local' missing
```

dovecot config

```
passdb {
  driver = passwd-file
  args = username_format=%Ln /etc/dovecot/remote_users
}

passdb {
  driver = pam
  override_fields = allow_nets=127.0.0.0/8,192.168.1.0/24
  skip = authenticated
}

service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }

  unix_listener auth-client {
    path = /var/run/radicale/auth
    mode = 0660
    user = radicale
    group = postfix
  }
}
```

radicale config

```
[auth]
type = radicale_dovecot_auth
auth_socket = /var/run/radicale/auth
```

Arvedui commented 4 years ago

I think it might be possible to communicate the IP to dovecot, but I think radicale does not expose that kind of information to auth plugins.
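
What passing the client address would look like on the wire, as an added example that is not part of this thread or of the plugin's code: Dovecot's auth-client protocol accepts a `rip=` field on the `AUTH` line, and `allow_nets_permits` is a simplified model of the check seen in the log above. The function names, the `service=radicale` value and the sample addresses are assumptions.

```python
import base64
import ipaddress


def build_auth_request(req_id, user, password, service="radicale", rip=None):
    """Return one AUTH line (PLAIN mechanism) for Dovecot's auth-client socket."""
    # Fields are tab-separated and the line ends with a newline, so control
    # characters in a plain-text field would let a client inject extra fields.
    for value in (user, service):
        if any(ord(c) < 0x20 for c in value):
            raise ValueError("control character in auth field")
    fields = ["AUTH", str(req_id), "PLAIN", "service=" + service]
    if rip is not None:
        # ip_address() rejects anything that is not a literal IPv4/IPv6
        # address, so the value cannot carry a tab or a second parameter.
        fields.append("rip=" + str(ipaddress.ip_address(rip)))
    # SASL PLAIN initial response: authzid NUL authcid NUL password
    plain = b"\0" + user.encode() + b"\0" + password.encode()
    # resp= has to be the last field on the line.
    fields.append("resp=" + base64.b64encode(plain).decode("ascii"))
    return "\t".join(fields) + "\n"


def allow_nets_permits(allow_nets, rip):
    """Simplified model of allow_nets: no known remote IP passes only via 'local'."""
    entries = [e.strip() for e in allow_nets.split(",") if e.strip()]
    if rip is None:
        return "local" in entries
    addr = ipaddress.ip_address(rip)
    return any(e != "local" and addr in ipaddress.ip_network(e) for e in entries)


if __name__ == "__main__":
    allow = "127.0.0.0/8,192.168.1.0/24"  # value from the passdb block above
    for rip in (None, "192.168.1.20", "203.0.113.7"):  # constructed addresses
        print(rip, allow_nets_permits(allow, rip))
    print(repr(build_auth_request(1, "test_user", "secret", rip="192.168.1.20")))
```

If Radicale runs behind a reverse proxy, the address placed in `rip=` has to come from a header that only that proxy can set; otherwise the `allow_nets` restriction becomes client-controlled.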

Bangaio65 commented 4 years ago

Ah, that's too bad. I have switched to apache doing the authorization with mod_authnz_external and doveadm auth. Thanks for the reply.