From: Stephan Bosch Date: Fri, 1 May 2020 22:05:06 +0000 (+0200) Subject: lmtp: lmtp-client - Base client trust on the real remote IP. X-Git-Tag: 2.3.13~545 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2c9a0e54d6d66249a2d17750a12cd95f9a6f268c;p=thirdparty%2Fdovecot%2Fcore.git lmtp: lmtp-client - Base client trust on the real remote IP. LMTP uses real_remote_ip for checking the trust. This means: * LMTP proxy checks MTA's IP address * LMTP backend checks LMTP proxy's IP address * If haproxy is used in front of this LMTP server, the haproxy's IP address is checked. This may not be what is always wanted, but in LMTP backend it wouldn't be correct to check the original client IP (= MTA IP) either. --- diff --git a/src/lmtp/lmtp-client.c b/src/lmtp/lmtp-client.c index a0f09c5c2e..3b3f0ec6d9 100644 --- a/src/lmtp/lmtp-client.c +++ b/src/lmtp/lmtp-client.c @@ -395,7 +395,7 @@ static bool client_connection_is_trusted(void *context) break; } - if (net_is_in_network(&client->remote_ip, &net_ip, bits)) + if (net_is_in_network(&client->real_remote_ip, &net_ip, bits)) return TRUE; } return FALSE;
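Review bot: The switch to `&client->real_remote_ip` in the `net_is_in_network()` call inside `client_connection_is_trusted()` carries no code comment, so the reasoning given in the commit message (trust is decided on the directly connected peer, not on the original client address) is lost to anyone reading the source later. Please add a short comment above the check stating that the comparison is deliberately made against the real peer address, and that with haproxy in front of this server it is the haproxy's address that gets matched. The consequence deserves a line in the setting's documentation as well: once a proxy's or haproxy's address falls inside one of the networks compared here, every connection relayed through it returns TRUE from this function regardless of where it originated, so the trusted list should contain only front ends that themselves restrict who may connect. The commit message already notes this "may not be what is always wanted"; stating in the comment which deployments are affected would make that caveat actionable.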