[Dovecot] Different classes of user
John Robinson
john.robinson at anonymous.org.uk
Sat Feb 10 03:01:12 UTC 2007
Hello list! Only recently joined, please excuse me if this is a stupid
question.
I'd like to have 2 classes of user: those with shell accounts, and those
without. They'll all have "real" accounts, for which the password can be
checked with PAM. I've set up SSL too. What I want to arrange is for
users with shell accounts not to succeed in logging in to Dovecot
without using TLS/SSL. I'll have to allow unencrypted logins (for
non-shell users), but I want to reject/refuse such a login from someone
with a shell account.
I've already made my exim do this, with the following logic in my
authenticator there:
if (pam auth ok) and
((tls) or (user's shell not listed in /etc/shells))
I haven't worked out how to make Dovecot do this, yet. So far I just
tried using * as the PAM service name, in the hope that not only would
pop3 or imap get passed through, but pop3s and imaps might, and I had a
line in my /etc/pam.d/imap and pop like this:
auth required pam_succeed_if.so debug shell notin /bin/bash:/bin/sh
which worked, but unfortunately also got used for imapS logins. Then I
realised this was likely to be the wrong thing anyway, because it would
presumably only cover IMAPS on port 993, and not IMAP+TLS on the usual
port 143.
So I've had a go but got it wrong. What should I do to get it right?
Cheers,
John.
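The rule described in the post, written out as a standalone check (an added example, not part of the original message and not Dovecot's or exim's code). The /etc/shells and passwd contents below are constructed sample data; "secured" is assumed to be true for both IMAPS/POP3S on the dedicated ports and STARTTLS on 143/110, since the rule depends on encryption, not the port.

```python
# Constructed sample data standing in for /etc/shells and /etc/passwd.
SHELLS = """# /etc/shells: valid login shells
/bin/sh
/bin/bash
"""
PASSWD = """alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/usr/sbin/nologin
"""


def parse_shells(text):
    """Parse /etc/shells: one path per line, '#' comments and blanks ignored."""
    shells = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            shells.add(line)
    return shells


def user_shell(passwd_text, username):
    """Return the login shell from passwd-style lines, or None if unknown."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[0] == username:
            return fields[6]
    return None


def allow_login(pam_ok, secured, username, passwd_text, shells_text):
    """(pam auth ok) and ((tls) or (user's shell not listed in /etc/shells)).

    'secured' must reflect whether the session is encrypted (IMAPS, POP3S,
    or STARTTLS), not which port it arrived on.
    """
    if not pam_ok:
        return False
    if secured:
        return True
    shell = user_shell(passwd_text, username)
    if shell is None:
        return False  # unknown account: fail closed on plaintext
    return shell not in parse_shells(shells_text)


if __name__ == "__main__":
    print(allow_login(True, False, "alice", PASSWD, SHELLS))  # shell user, plaintext
    print(allow_login(True, True, "alice", PASSWD, SHELLS))   # shell user, TLS
    print(allow_login(True, False, "bob", PASSWD, SHELLS))    # no shell, plaintext
```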