On Tue, 17 Mar 2020, Mike Tubby via Exim-users wrote:
> The PHP back-end accepts a POST on a URI with form data that contains:
>
> * email address
> * password
> * remote IP address
>
> the back-end considers:
>
> a) the username/password pair - for authentication
> b) the GEOIP of the remote IP address - for authorization
>
> in the virtual mailbox/virtual user database, plus the remote IP in a local
> copy of the DBIP GeoIP database and returns an HTTP response code:
>
> * 204 On success (no data)
> * 403 Forbidden (for authentication failure or GEOIP authorization fail)
> * 400 Bad Request (for non-supported methods or incomplete form data)
>
> and logs the username (email address) and remote IP address along with
> authentication success/fail and GEOIP policy success/fail and country code to
> a 'connection_log' table in MySQL.

If/when a legitimate user goes to a GEOIP restricted location
(OK that isn't likely while COVID-19 ...) they will send their password
before being told to go away.

Is there a reason you cannot do the GeoIP block at connection time,
or at least before the password prompt?

--
Andrew C. Aitchison Kendal, UK
andrew@???
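
A model of the ordering question raised in this reply, as an added example that is not code from the thread, the PHP back-end or Exim: `backend()` follows the flow in the quoted post, and `session()` runs the GeoIP check on the remote IP before credentials are read. All names, the address ranges, the country codes, the allow-list and the PBKDF2 password storage are assumptions made for the illustration.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample data: documentation address ranges and a made-up policy.
GEOIP = {"192.0.2.0/24": "GB", "203.0.113.0/24": "ZZ"}   # stands in for DBIP
ALLOWED_COUNTRIES = {"GB"}                                # hypothetical policy
SALT = b"constructed-salt"

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"user@example.org": _hash("correct horse")}      # virtual user table
connection_log = []                                       # 'connection_log' table

def country_of(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None                                       # unparsable IP: no country
    for net, cc in GEOIP.items():
        if addr in ipaddress.ip_network(net):
            return cc
    return None

def geoip_allowed(ip):
    return country_of(ip) in ALLOWED_COUNTRIES

def backend(form):
    """Flow from the quoted post: 204 success, 403 forbidden, 400 bad request."""
    if not all(form.get(k) for k in ("email", "password", "ip")):
        return 400
    auth = hmac.compare_digest(USERS.get(form["email"], b""), _hash(form["password"]))
    geo = geoip_allowed(form["ip"])
    connection_log.append((form["email"], form["ip"], auth, geo, country_of(form["ip"])))
    return 204 if auth and geo else 403

def session(ip, read_credentials):
    """Connection-time variant: the GeoIP check needs only the remote IP, so it
    runs before read_credentials() (the password prompt) is ever called."""
    if not geoip_allowed(ip):
        connection_log.append((None, ip, None, False, country_of(ip)))
        return 403
    email, password = read_credentials()
    return backend({"email": email, "password": password, "ip": ip})
```

A policy that differs per mailbox cannot be evaluated in the first step of `session()`, because the username is not known until credentials are read.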