PostfixAdmin & reCAPTCHA


Danish:

Purely from a user standpoint, postfixAdmin is hard to avoid if you run a mail server built around Postfix that keeps its virtual domains in a database. postfixAdmin offers self-service, including password resets and the creation of new accounts, so the program has to be secured if the mail server is not to be misused.

In the following I will therefore describe how Google's reCAPTCHA can be integrated into the login window.

English:

Seen from a user perspective, postfixAdmin is hard to avoid if one runs a Postfix mail server with virtual domains in a database. postfixAdmin gives users access to manage their own domains and mailboxes, including resetting passwords and creating new mailboxes. That means postfixAdmin needs to be reasonably secure to avoid misuse of the mail server.

In the following I will describe how to integrate reCAPTCHA into the login process.

Covers postfixAdmin version 2.3.6

First of all you need a reCAPTCHA account at Google so the two keys can be obtained. Next, the PHP library recaptchalib.php must be downloaded from the same place and placed in postfixAdmin's document root. Then all that remains is to add a few lines to the files /login.php and /templates/login.php. Added lines are marked with a "+" at the start of the line.

First and foremost, a reCAPTCHA account at Google is needed so the two keys can be obtained. Then the PHP library recaptchalib.php is needed from the same location and must be placed in postfixAdmin's document root. Lastly, some lines need to be added to the files /login.php and /templates/login.php. Added lines are marked with a "+" at the beginning of the line.

[php title="/login.php"]
require_once('common.php');
+require_once('recaptchalib.php');

+$publickey = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
+$privatekey = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";

...

+    if (isset ($_POST['fUsername'])) $fUsername = escape_string ($_POST['fUsername']);
+    if (isset ($_POST['fPassword'])) $fPassword = escape_string ($_POST['fPassword']);

+  $response = recaptcha_check_answer($privatekey,
+                                     $_SERVER["REMOTE_ADDR"],
+                                     $_POST["recaptcha_challenge_field"],
+                                     $_POST["recaptcha_response_field"]);

+  if (!$response->is_valid) {
+    $error = 1;
+    $tMessage = '<span class="error_msg">' . $PALANG['pLogin_failed'] . '</span>';
+  }

...
[/php]

[html title="/templates/login.php" highlight="6,7-10"]
...
<tr>
<td><?php print $PALANG['pLogin_password'] . ":"; ?></td>
<td><input class="flat" type="password" name="fPassword" /></td>
</tr>
<tr>
<td colspan="2">
<?php echo recaptcha_get_html($publickey, $error); ?>
</td>
</tr>
...
[/html]
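The login.php changes above pass the two CAPTCHA POST fields straight into recaptcha_check_answer; if a client omits them, PHP raises undefined-index notices and the library is handed nulls. The example below is an added illustration, not code from this post or from postfixAdmin, of the same gating written to fail closed: missing fields count as a failed CAPTCHA, the CAPTCHA is verified before the admin lookup ever runs, and both failure paths return the same generic pLogin_failed message the post uses. It assumes recaptchalib.php (the reCAPTCHA v1 challenge/response API, which Google retired in 2018, so on a current install the same gating would wrap a v2/v3 verification call) is on the include path, that $privatekey is set as in the post, and that admin_credentials_ok is a hypothetical name for the existing lookup against the admin table.

```php
<?php
// Added example (not the post's or postfixAdmin's code). Assumes the
// reCAPTCHA v1 library recaptchalib.php from the post is on the include
// path and that $privatekey holds the site's private key, as in the post.
require_once 'recaptchalib.php';

/**
 * True only when the request carries a CAPTCHA answer that the reCAPTCHA
 * service accepts. Missing POST fields count as a failed answer instead of
 * being passed on as nulls, so the check fails closed.
 */
function captcha_passed(array $post, $remoteAddr, $privatekey)
{
    if (!isset($post['recaptcha_challenge_field'], $post['recaptcha_response_field'])) {
        return false;
    }
    // recaptcha_check_answer() is the library's own function; it returns a
    // ReCaptchaResponse whose is_valid property is the verdict.
    $resp = recaptcha_check_answer(
        $privatekey,
        $remoteAddr,
        $post['recaptcha_challenge_field'],
        $post['recaptcha_response_field']
    );
    return (bool) $resp->is_valid;
}

/**
 * Login decision. The CAPTCHA is verified first and short-circuits, so the
 * admin lookup and password comparison never run for a request that failed
 * it. $checkCredentials is the existing admin lookup, passed in as a callable
 * so the decision logic can be exercised without a database.
 * Returns array('error' => 0|1, 'message' => $PALANG key).
 */
function login_decision(array $post, $remoteAddr, $privatekey, $checkCredentials)
{
    if (!captcha_passed($post, $remoteAddr, $privatekey)) {
        // Same generic message for a CAPTCHA failure as for bad credentials,
        // as in the post: the response should not say which part was wrong.
        return array('error' => 1, 'message' => 'pLogin_failed');
    }
    $username = isset($post['fUsername']) ? $post['fUsername'] : '';
    $password = isset($post['fPassword']) ? $post['fPassword'] : '';
    if (!call_user_func($checkCredentials, $username, $password)) {
        return array('error' => 1, 'message' => 'pLogin_failed');
    }
    return array('error' => 0, 'message' => '');
}

// Wiring inside login.php (admin_credentials_ok is a hypothetical name for
// the existing lookup against the admin table, not a postfixAdmin function):
//
// $decision = login_decision($_POST, $_SERVER['REMOTE_ADDR'], $privatekey, 'admin_credentials_ok');
// if ($decision['error'] === 1) {
//     $error = 1;
//     $tMessage = '<span class="error_msg">' . $PALANG[$decision['message']] . '</span>';
// }
```

The point of putting the CAPTCHA check in front of the credential lookup, rather than alongside it, is that a request which fails the CAPTCHA never reaches the password comparison, so neither its outcome nor its timing is observable; the single generic message keeps the two failure causes indistinguishable to the client.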

Edit
If the page is encrypted, which is always a good idea where passwords are involved, reCAPTCHA does not switch to encryption by itself. In the call to recaptcha_get_html in /templates/login.php, $use_ssl must be added so the complete call looks like this:

If the page is encrypted, which it generally should be where passwords are involved, reCAPTCHA does not switch to it by itself, so it has to be told to. The call to recaptcha_get_html in /templates/login.php needs $use_ssl added, so it looks like this:

[html]
<?php echo recaptcha_get_html($publickey, $error, $use_ssl = true); ?>
[/html]

Closing thoughts
The change only applies to those who log in as administrator, which still leaves ordinary users. Since I have no need to let ordinary users log in, I have removed the /users folder and the link below the login window by removing the lines

[html title="/templates/login.php" highlight="true"]
<tr>
<td colspan="2"><a href="users/"><?php print $PALANG['pLogin_login_users']; ?></a></td>
</tr>
[/html]

It may also be worth updating the language file, line 27, since the failed-login message only mentions username and password.

Thoughts and conclusion
The change only covers those logging in as administrator, not ordinary users. Since I don't need users to be able to log in, I've deleted the folder /users and removed the link to the user login by removing the lines

[html title="/templates/login.php" highlight="true"]
<tr>
<td colspan="2"><a href="users/"><?php print $PALANG['pLogin_login_users']; ?></a></td>
</tr>
[/html]

In addition it might be a good idea to update the language file, line 27, since the login error message only mentions username and password.
