vpopmail: Added webmail=ip parameter. Use it for checking imap/webmail access.

--HG--
branch : HEAD

diff --git a/src/auth/passdb-vpopmail.c b/src/auth/passdb-vpopmail.c
index 36f4b0036a2aa03dd802d6517e5eae8a1c867f29..47ed4a80bc6b9966a8d292f15c5240ff681c8981 100644 (file)
--- a/src/auth/passdb-vpopmail.c
+++ b/src/auth/passdb-vpopmail.c
@@ -9,6 +9,7 @@
 #include "safe-memset.h"
 #include "passdb.h"
 #include "password-scheme.h"
+#include "auth-cache.h"
 
 #include "userdb-vpopmail.h"
 
@@ -16,6 +17,38 @@
 
 #define VPOPMAIL_DEFAULT_PASS_SCHEME "CRYPT"
 
+struct vpopmail_passdb_module {
+       struct passdb_module module;
+
+       struct ip_addr webmail_ip;
+};
+
+static bool vpopmail_is_disabled(struct auth_request *request,
+                                const struct vqpasswd *vpw)
+{
+        struct passdb_module *_module = request->passdb->passdb;
+       struct vpopmail_passdb_module *module =
+               (struct vpopmail_passdb_module *)_module;
+
+       if (strcmp(request->service, "IMAP") == 0) {
+               if ((vpw->pw_gid & NO_IMAP) != 0) {
+                       /* IMAP from webmail IP may still be allowed */
+                       if (!net_ip_compare(&module->webmail_ip,
+                                           &request->remote_ip))
+                               return TRUE;
+               }
+               if ((vpw->pw_gid & NO_WEBMAIL) != 0) {
+                       if (net_ip_compare(&module->webmail_ip,
+                                          &request->remote_ip))
+                               return TRUE;
+               }
+       }
+       if ((vpw->pw_gid & NO_POP) != 0 &&
+           strcmp(request->service, "POP3") == 0)
+               return TRUE;
+       return FALSE;
+}
+
 static char *
 vpopmail_password_lookup(struct auth_request *auth_request, bool cleartext,
                         enum passdb_result *result_r)
@@ -30,10 +63,7 @@ vpopmail_password_lookup(struct auth_request *auth_request, bool cleartext,
                return NULL;
        }
 
-       if (((vpw->pw_gid & NO_IMAP) != 0 &&
-            strcmp(auth_request->service, "IMAP") == 0) ||
-           ((vpw->pw_gid & NO_POP) != 0 &&
-            strcmp(auth_request->service, "POP3") == 0)) {
+       if (vpopmail_is_disabled(auth_request, vpw)) {
                auth_request_log_info(auth_request, "vpopmail",
                                      "%s disabled", auth_request->service);
                password = NULL;
@@ -125,17 +155,27 @@ vpopmail_verify_plain(struct auth_request *request, const char *password,
 static struct passdb_module *
 vpopmail_preinit(struct auth_passdb *auth_passdb, const char *args)
 {
-       struct passdb_module *module;
-
-       module = p_new(auth_passdb->auth->pool, struct passdb_module, 1);
-       module->default_pass_scheme = VPOPMAIL_DEFAULT_PASS_SCHEME;
-
-       if (strncmp(args, "cache_key=", 10) == 0) {
-               module->cache_key =
-                       auth_cache_parse_key(auth_passdb->auth->pool,
-                                            args + 10);
+       struct vpopmail_passdb_module *module;
+       const char *const *tmp;
+
+       module = p_new(auth_passdb->auth->pool,
+                      struct vpopmail_passdb_module, 1);
+       module->module.default_pass_scheme = VPOPMAIL_DEFAULT_PASS_SCHEME;
+
+       tmp = t_strsplit_spaces(args, " ");
+       for (; *tmp != NULL; tmp++) {
+               if (strncmp(*tmp, "cache_key=", 10) == 0) {
+                       module->module.cache_key =
+                               auth_cache_parse_key(auth_passdb->auth->pool,
+                                                    *tmp + 10);
+               } else if (strncmp(*tmp, "webmail=", 8) == 0) {
+                       if (net_addr2ip(*tmp + 8, &module->webmail_ip) < 0)
+                               i_fatal("vpopmail: Invalid webmail IP address");
+               } else {
+                       i_fatal("vpopmail: Unknown setting: %s", *tmp);
+               }
        }
-       return module;
+       return &module->module;
 }
 
 static void vpopmail_deinit(struct passdb_module *module ATTR_UNUSED)