Author Topic: identities with wrong domains  (Read 3968 times)

Offline boxyball

  • Full Member
  • ***
  • Posts: 90
identities with wrong domains
« on: March 01, 2016, 03:52:36 PM »
Is there a way to stop users from logging into roundcube with wrong domains?
I've noticed that users can log in using any domain they want as long as the username is correct.
So, a user can log in as user@domain.com, user@gmail.com, user@yahoo.com and all will work, and all will create separate identities, and RC will even send mail as the wrong domain.
What is the recommended solution to this? Restrict login domains? Force username-only logins?
Thanks in advance.


Offline boxyball

  • Full Member
  • ***
  • Posts: 90
Re: identities with wrong domains
« Reply #1 on: March 03, 2016, 11:30:46 AM »
Anyone?
I could sure use help on this one.
I had a user accidentally log in and send as user@gmail.com the other day.
Those emails likely were rejected by the receiver due to SPF errors; or if they were delivered there would be confusion and reply problems.
Thanks in advance.

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,600
    • http://SKaero.com/
Re: identities with wrong domains
« Reply #2 on: March 03, 2016, 08:36:26 PM »
So your mail server only authenticates the user part?

Offline boxyball

  • Full Member
  • ***
  • Posts: 90
Re: identities with wrong domains
« Reply #3 on: March 03, 2016, 10:29:31 PM »
Right.  The users are system users.

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,600
    • http://SKaero.com/
Re: identities with wrong domains
« Reply #4 on: March 04, 2016, 02:41:53 AM »
Well, I don't know of a setting that would do that, but you should be able to do it with a simple plugin. Here is an untested example of what the plugin should do:
Code:
<?php
/**
 * Strip the domain from the username
 *
 * @license GNU GPLv3+
 */
class removedomain extends rcube_plugin
{
  // Only load this plugin for the login task
  public $task = 'login';

  function init()
  {
    $this->add_hook('authenticate', array($this, 'authenticate'));
  }

  function authenticate($args)
  {
    // Keep only the part before the first '@', so the session and the
    // identity are created for the bare username
    if (strpos($args['user'], '@') !== false) {
      list($user, $domain) = explode('@', $args['user'], 2);
      $args['user'] = $user;
    }

    return $args;
  }

}

Offline alec

  • Hero Member
  • *****
  • Posts: 1,178
Re: identities with wrong domains
« Reply #5 on: March 04, 2016, 03:22:56 AM »
I think this can be done with one or a combination of username_domain, username_domain_forced or login_username_filter. That's for log in. You have to take care of SMTP, by configuring the server correctly or not allowing creation of identities with external addresses, see the identities_level option.

Offline boxyball

  • Full Member
  • ***
  • Posts: 90
Re: identities with wrong domains
« Reply #6 on: March 04, 2016, 10:22:52 AM »
It looks like login_username_filter might do the trick but it is no longer included in defaults.  Also, I found some other useful settings below that are no longer in defaults.  Are they still supported and if so, are they being dropped?  They look very necessary.

// Maximum length (in bytes) of logon username and password.
$config['login_username_maxlen'] = 1024;
$config['login_password_maxlen'] = 1024;

// Logon username filter. Regular expression for use with preg_match().
// Example: '/^[a-z0-9_@.-]+$/'
$config['login_username_filter'] = null;

// Brute-force attacks prevention.
// The value specifies maximum number of failed logon attempts per minute.
$config['login_rate_limit'] = 3;
« Last Edit: March 04, 2016, 11:30:32 AM by boxyball »

Offline alec

  • Hero Member
  • *****
  • Posts: 1,178
Re: identities with wrong domains
« Reply #7 on: March 04, 2016, 12:39:08 PM »
They are new in Roundcube 1.2 indeed, I forgot.

Offline boxyball

  • Full Member
  • ***
  • Posts: 90
Re: identities with wrong domains
« Reply #8 on: March 04, 2016, 04:56:09 PM »
So if I wait for 1.2 ... then will login_username_filter do the same thing as the plugin SKaero mentioned?

Offline boxyball

  • Full Member
  • ***
  • Posts: 90
Re: identities with wrong domains
« Reply #9 on: March 07, 2016, 04:26:09 PM »
Will the login_username_filter allow me to restrict users to username only, without the domain?

Offline alec

  • Hero Member
  • *****
  • Posts: 1,178
Re: identities with wrong domains
« Reply #10 on: March 08, 2016, 02:29:40 AM »
Yes.
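
The username-only restriction confirmed above, as an added example that is not code from any poster in this thread or from the Roundcube project: a config.inc.php fragment for Roundcube 1.2+ using the login_username_filter and identities_level options named in Reply #5, followed by a self-check of the regex against constructed login names. The regex, the identities_level value and the helper login_name_allowed() are assumptions chosen for a site whose mailboxes are system users.

```php
<?php
// Added example, not from the thread. Values are assumptions for a site
// where mailboxes are system users and logins must be the bare local name.

// config.inc.php (Roundcube 1.2+): there is no '@' in the character class,
// so every "user@domain" login is refused. \z is used instead of $ because
// $ also matches just before a trailing newline.
$config['login_username_filter'] = '/^[a-z0-9_.-]+\z/i';

// 3 = one identity per user, e-mail address not editable by the user.
$config['identities_level'] = 3;

/**
 * Hypothetical helper: apply the filter as the option's comment describes
 * it, i.e. preg_match() on the submitted username. null means no filter.
 */
function login_name_allowed($filter, $username)
{
    return $filter === null || preg_match($filter, $username) === 1;
}

// Constructed sample logins => expected decision.
$samples = array(
    'user'            => true,
    'first.last'      => true,
    'user@gmail.com'  => false, // the case reported in the thread
    'user@domain.com' => false, // own domain is refused too: name only
    "user\n"          => false, // would be allowed with '$' instead of '\z'
    ''                => false, // empty login never matches '+'
);

foreach ($samples as $login => $expected) {
    $got = login_name_allowed($config['login_username_filter'], $login);
    printf(
        "%-20s %-5s %s\n",
        json_encode($login),
        $got ? 'allow' : 'deny',
        $got === $expected ? '' : '<-- unexpected'
    );
}
```

The filter only rejects the login; sending as an external address is closed separately by identities_level or by the SMTP server, as Reply #5 notes.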

Offline boxyball

  • Full Member
  • ***
  • Posts: 90
Re: identities with wrong domains
« Reply #11 on: March 16, 2016, 05:58:59 PM »
SKaero,

I'm going to try your plugin instead of waiting for version 1.2.
When I go to https://plugins.roundcube.net/ and click on the SHORT INTRODUCTION link top-right I get a bunch of errors.
So, I think trac.roundcube.net is down.
Please share how I would install your suggested plugin as I have never created a plugin.  Do I have to submit it?  Or can it just be for me only.
If I don't have to go public with it, I imagine the install would be simple placement of a directory and file in the plugins directory and setting the config pointer.

Thanks in advance.

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,600
    • http://SKaero.com/
Re: identities with wrong domains
« Reply #12 on: March 16, 2016, 06:16:34 PM »
The trac is being migrated to Github so I'm guessing that is why it's down. You can use the plugin without submitting it, just create a folder named "removedomain" in the plugins folder, then create a file named "removedomain.php" in that folder with what I posted before, then add "removedomain" to the plugins array in the config.inc.php.

Offline boxyball

  • Full Member
  • ***
  • Posts: 90
Re: identities with wrong domains
« Reply #13 on: March 17, 2016, 01:24:45 PM »
Thanks!  That worked perfectly!