On Wednesday 18 March 2015 08:32:10 canuck15 wrote:
I can run a cron job every hour to DNS lookup and update the ip_addr table as needed so I think this is a satisfactory solution for IP authentication.
Is there a mechanism to identify all originating servers for a hostname/domain? If the answer is no (and AFAIK it is) then this solution doesn't work.
I used this in the past, a subscriber has a userpref with ip/port combo. But this isn't an answer for subaccounts on trunks (unless you can get the sender to actually use different ports). 3 is the whitelist for ip addresses on record. I abandoned this due to too many problems with trunks, they just have to authenticate or go elsewhere.
BTW only for tcp since udp sources can be spoofed. I guess the best way is to use tls with certificate verification (good luck getting the trunks to implement this :)
route[AUTHENTICATE] {
    # IP-based auth only for non-REGISTER requests whose source is in address
    # group 3 (permissions module) and only over TCP, since UDP can be spoofed
    if(!is_method("REGISTER") && allow_address("3", "$si", "$sp") && $proto=="tcp") {
        # match an exact "ip:port" value or an "ip:" prefix value; with
        # "order by length(value)" the shortest matching value wins.
        # $td is taken from the To header, so escape it before use in SQL
        if(!avp_db_query("select username from usr_preferences where attribute='ip_authentication' and domain='$(td{s.escape.common})' and (value='$si:$sp' or value like '$si:%') order by length(value) limit 1")) {
            xlog("L_ALERT","ACL: $rm from $fu (IP:$si:$sp)\n");
            sl_send_reply("403", "Not Allowed by AUTHENTICATE ACL");
            exit;
        }
        # first column of the first result row is the username
        $avp(au)=$avp(i:1);
    } else {
        # everyone else must pass digest auth against the subscriber table
        # (www_authenticate is called once; a second call would be redundant)
        if (!www_authenticate("$td", "subscriber")) {
            xlog("L_ALERT","AUTHENTICATE: $rm from $fu to $tu (IP: $si:$sp)\n");
            www_challenge("$td", "1");
            exit;
        }
        $avp(au)=$au;
        consume_credentials();
    }
}