USARE IL PLUGIN ip_restrict:

• Plugins - User Restriction by IP

E' possibile limitare l'uso di Squirrelmail 1.2.x a degli utenti elencati, specificando per ognuno la classe di ip da cui possono accedere.

(Procedura testata su Debian Sarge)

Il Plugin originale permette di specificare un solo IP di provenienza per gli utenti, e non una classe di IP.

Homepage: http://www.squirrelmail.org/plugin_view.php?id=106

Prelevare il plugin ip_users e installarlo:

cd /files/src
wget http://www.squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Fip_users.1.1-1.2.x.tar.gz 
cd /usr/share/squirrelmail/plugins/
tar xvzf /files/src/ip_users.1.1-1.2.x.tar.gz

Installare la versione modificata del plugin sovrascrivendo il file con questo:

/usr/share/squirrelmail/plugins/ip_users/setup.php

<?php
/* Version 1.2 */

function squirrelmail_plugin_init_ip_users() {
   global $squirrelmail_plugin_hooks;
   global $login_username;

   $squirrelmail_plugin_hooks['login_verified']['ip_users'] = 'plugin_ip_users_login_verified';
}

function plugin_ip_users_login_verified() {

function IP_Match($network, $ip) {
   $ip_arr = explode("/",$network);
   $network_long=ip2long($ip_arr[0]);

   $mask_long= pow(2,32)-pow(2,(32-$ip_arr[1]));
   $ip_long=ip2long($ip);

   if (($ip_long & $mask_long) == $network_long) {
       return 1;
   } else {
       return 0;
   }
}

   global $squirrelmail_plugin_hooks;
   global $login_username;

   $valid_user=0;
   $file = fopen("../config/ip_users.php","r");
   for ($i=0; !feof($file); $i++) {
      $tmp = fgets($file, 1024);
      if (substr($tmp, 0, strpos($tmp, "|")) == "$login_username") {
         $valid_user=1;
         $rete=substr($tmp, strpos($tmp, "|")+1);
         $indirizzo=getenv("REMOTE_ADDR");
         if (IP_Match($rete,$indirizzo)) {
               $valid_user++;
         }
      }
   }
   fclose($file);
   if($valid_user!=2) {
      echo "<html><body bgcolor=\"ffffff\">\n";
        //      printf("Network:%s Address:%s\n<br>",$rete, $indirizzo);
        //      print("Network: $rete -  Address: $indirizzo \n<br>");
      error_username_password_incorrect();
      exit;
   }
}
?>

Scriptlet:

cat > setup.php <<'EOFile'
<?php
/* Version 1.2 */

function squirrelmail_plugin_init_ip_users() {
   global $squirrelmail_plugin_hooks;
   global $login_username;

   $squirrelmail_plugin_hooks['login_verified']['ip_users'] = 'plugin_ip_users_login_verified';
}

function plugin_ip_users_login_verified() {

function IP_Match($network, $ip) {
   $ip_arr = explode("/",$network);
   $network_long=ip2long($ip_arr[0]);

   $mask_long= pow(2,32)-pow(2,(32-$ip_arr[1]));
   $ip_long=ip2long($ip);

   if (($ip_long & $mask_long) == $network_long) {
       return 1;
   } else {
       return 0;
   }
}

   global $squirrelmail_plugin_hooks;
   global $login_username;

   $valid_user=0;
   $file = fopen("../config/ip_users.php","r");
   for ($i=0; !feof($file); $i++) {
      $tmp = fgets($file, 1024);
      if (substr($tmp, 0, strpos($tmp, "|")) == "$login_username") {
         $valid_user=1;
         $rete=substr($tmp, strpos($tmp, "|")+1);
         $indirizzo=getenv("REMOTE_ADDR");
         if (IP_Match($rete,$indirizzo)) {
               $valid_user++;
         }
      }
   }
   fclose($file);
   if($valid_user!=2) {
      echo "<html><body bgcolor=\"ffffff\">\n";
        //      printf("Network:%s Address:%s\n<br>",$rete, $indirizzo);
        //      print("Network: $rete -  Address: $indirizzo \n<br>");
      error_username_password_incorrect();
      exit;
   }
}
?>
EOFile

Installare la versione modificata del plugin sovrascrivendo il file con questo:

/usr/share/squirrelmail/plugins/ip_users/setup.php

<?php
/* Version 1.3 */

function squirrelmail_plugin_init_ip_users() {
   global $squirrelmail_plugin_hooks;
   global $login_username;

   $squirrelmail_plugin_hooks['login_verified']['ip_users'] = 'plugin_ip_users_login_verified';
}

function plugin_ip_users_login_verified() {

function IP_Match($network, $ip) {
   $ip_arr = explode("/",$network);
   $network_long=ip2long($ip_arr[0]);

   $mask_long= pow(2,32)-pow(2,(32-$ip_arr[1]));
   $ip_long=ip2long($ip);

   if (($ip_long & $mask_long) == $network_long) {
       return 1;
   } else {
       return 0;
   }
}

   global $squirrelmail_plugin_hooks;
   global $login_username;

   $valid_user=0;
   $file = fopen("../config/ip_users.php","r");
   for ($i=0; !feof($file); $i++) {
      $tmp = fgets($file, 1024);
      if (substr($tmp, 0, strpos($tmp, "|")) == "$login_username") {
         $valid_user=1;
         $rete=substr($tmp, strpos($tmp, "|")+1);
         $indirizzo=getenv("REMOTE_ADDR");
         if (IP_Match($rete,$indirizzo)) {
               $valid_user++;
         }
      }
   }
   fclose($file);
   if($valid_user!=2) {
      echo "<html><body bgcolor=\"ffffff\">\n";
        //      printf("Network:%s Address:%s\n<br>",$rete, $indirizzo);
        //      print("Network: $rete -  Address: $indirizzo \n<br>");
      logout_error( _("Unknown user or password incorrect.") );
      exit;
   }
}
?>

Scriptlet:

cat > setup.php <<'EOFile'
<?php
/* Version 1.3 */

function squirrelmail_plugin_init_ip_users() {
   global $squirrelmail_plugin_hooks;
   global $login_username;

   $squirrelmail_plugin_hooks['login_verified']['ip_users'] = 'plugin_ip_users_login_verified';
}

function plugin_ip_users_login_verified() {

function IP_Match($network, $ip) {
   $ip_arr = explode("/",$network);
   $network_long=ip2long($ip_arr[0]);

   $mask_long= pow(2,32)-pow(2,(32-$ip_arr[1]));
   $ip_long=ip2long($ip);

   if (($ip_long & $mask_long) == $network_long) {
       return 1;
   } else {
       return 0;
   }
}

   global $squirrelmail_plugin_hooks;
   global $login_username;

   $valid_user=0;
   $file = fopen("../config/ip_users.php","r");
   for ($i=0; !feof($file); $i++) {
      $tmp = fgets($file, 1024);
      if (substr($tmp, 0, strpos($tmp, "|")) == "$login_username") {
         $valid_user=1;
         $rete=substr($tmp, strpos($tmp, "|")+1);
         $indirizzo=getenv("REMOTE_ADDR");
         if (IP_Match($rete,$indirizzo)) {
               $valid_user++;
         }
      }
   }
   fclose($file);
   if($valid_user!=2) {
      echo "<html><body bgcolor=\"ffffff\">\n";
        //      printf("Network:%s Address:%s\n<br>",$rete, $indirizzo);
        //      print("Network: $rete -  Address: $indirizzo \n<br>");
      logout_error( _("Unknown user or password incorrect.") );
      exit;
   }
}
?>
EOFile

Lanciare il programma di configurazione di Squirrelmail con:

/etc/squirrelmail/conf.pl

Attivare il plugin dal menù "Plugin"

Creare il file:

/usr/share/squirrelmail/config/ip_users.php

<? /*
obinda|0.0.0.0/0
bbaldassarre|192.169.22.0/24
cdilitta|192.169.22.0/24
*/ ?>

Scriptlet:

cat > /usr/share/squirrelmail/config/ip_users.php <<'EOFile'
<? /*
obinda|0.0.0.0/0
bbaldassarre|192.169.22.0/24
cdilitta|192.169.22.0/24
*/ ?>
EOFile

ovvero:

username_che_può_accedere|netmask_di_accesso_consentita

0.0.0.0/0 da dovunque
a.b.c.d/24 da un lan
a.b.c.d/32 da un ip soltanto

Se un utente O non è listato in questo file O non si collega da una rete consentita, viene visualizzato un errore di login.

Il Plugin originale che funziona solo da un ip: http://www.squirrelmail.org/plugin_view.php?id=106

I have an application where I want to track the remote address, and if that's not available, then the local address. (Sometimes it's over a network, and sometimes over the internet, and for security, some features should only be run over the local network.) I added some checking that should be redundant to get around a few weird situations I encountered, where addresses were set, but empty.

 <?php
 $private_net_ip_masks = array( '10.0.0.', '192.168.', '127.0.0.', '172.16.0.' );
 if( isset($_SERVER['HTTP_X_FORWARDED_FOR']) && $_SERVER['HTTP_X_FORWARDED_FOR'] != '' )
 {
    $ipStrings = explode( ',',$_SERVER['HTTP_X_FORWARDED_FOR']);
    foreach($ipStrings as $k => $v)
    {
        if( empty($v) )
        {
            unset( $ipStrings[$k] );
        }
        else
        { // set the first one we find as the default.  Little dirty, but it works.
            if(!isset($ipString)) $ipString = $v;
        }
    }
 }
 if( isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] != '' )
 {
    $ipStrings[] = $_SERVER['REMOTE_ADDR'];
    if(!isset($ipString)) $ipString = $_SERVER['REMOTE_ADDR'];
 }
 foreach($ipStrings as $k1 => $ip)
 {
    foreach($private_net_ip_masks as $k2 => $pip)
    {
        if(strpos($ip, $pip) === 0)
        { // local ip
            unset($ipStrings[$k1]);
            break;
        }
    }
 }
 if( !empty($ipStrings) )
 {
    foreach( $ipStrings as $v )
    {
        if(!empty($v))
        {
            $ipString = $v;
            $is_local_ip = false;
            break;
        }
    }
 }
 else
 {
    $is_local_ip = true;
 }
 $ipArray = explode('.', $ipString);

 // Spit out the results
 foreach($ipStrings as $k => $v) echo '$ipStrings['.$k.'] = ' . $v . '<br />';
 echo "\$ipString = $ipString<br />";
 foreach($ipArray as $k => $v) echo '$ipArray['.$k.'] = ' . $v . '<br />';
 ?>