[Dovecot] imap and vpopmail: per-domain auth

Alessio Cecchi alessio at skye.it
Tue Jul 8 14:03:23 EEST 2008


On Monday 07 July 2008 17:31:00 Francesco Abeni wrote:
> Hi, I have qmail + vpopmail + dovecot + squirrelmail 0.99.14 on Fedora
> Core 4. Qmail includes its own pop3 server, and everybody is able to
> access it from outside. Dovecot is used only locally by SquirrelMail -
> so everybody can access via webmail.
>
> I'd like to make imap directly available from outside, but only for a
> few selected domains (NOT ip addresses!), while leaving everyone able to
> access with pop3 and/or via webmail.
>
> I don't know if this is possible, and if it is, I don't even know where
> to start. Is it a vpopmail or dovecot setting?
>
> Thank you for any suggestion and/or pointer to the right documentation.

Hi Francesco,

yes, it is theoretically possible, but due to some problems this feature of
vpopmail is not fully compatible with dovecot.

vpopmail, via ~vpopmail/bin/vmoduser, can set some limits for single users,
for example disable pop3, disable imap, disable imap except for webmail, etc ...

Dovecot should pass to vpopmail some parameters of the user who logged in, such
as his address and the local port of the connection, but unfortunately these
parameters are not passed, or at least are not passed in the way vpopmail
expects to receive them, in particular for connections made via imap from
remote clients.

vpopmail is able to distinguish and restrict connections for users, but to do
so it must be able to know where their connection comes from. There are 3 main
classifications that vpopmail knows:
 
 POP3 
 webmail (imap from localhost) 
 IMAP

From the log you can identify these connections:

POP3:
Jul  8 12:36:41 mail-server vpopmail[11560]: vchkpw-pop3: (PLAIN) login success joe at domain.it:98.52.67.8

Webmail:
Jul  8 12:36:32 maill-server vpopmail[11456]: vchkpw-webmail: (PLAIN) login success pippo at domain.it:127.0.0.1

IMAP:
Jul  8 12:37:45 mail-server vpopmail[11984]: vchkpw-imap: (PLAIN) login success alessiotest at domain.it:217.127.131.153

But with dovecot, when you log in from an IMAP client (like Thunderbird), in
the log you can see:

Jul  8 12:37:45 mail-server vpopmail[11984]: vchkpw-0: .... [note the 0]

Investigating, I discovered that this happens because dovecot does not pass to
vpopmail the parameters that it expects to receive.

Reading the source vchkpw.c, from the vpopmail package, we can understand very
well how everything works:

See it from line 98 to line 195
http://vpopmail.cvs.sourceforge.net/vpopmail/vpopmail/vchkpw.c?view=markup

an extract:

   98 #define POP_CONN  0
   99 #define SMTP_CONN 1
  100 #define IMAP_CONN 2
  101 #define WEBMAIL_CONN 3
  102 
  103 /* POP/IMAP connections from the following IPs will be classified as
  104  * "web mail" instead of POP/IMAP.  On single-server networks, this
  105  * will typically be just 'localhost'.  For clusters, add the IP
  106  * addresses of all webmail servers.
  107  */
  108 char *webmailips[] = { "127.0.0.1" };
  109 
  110 int ConnType = 0;
  111 
  112 int main( int argc, char **argv)
  113 {
  114  char *tmpstr;
  115 
  116   if ( (IpAddr = get_remote_ip())  == NULL) IpAddr="";
  117   if ( (tmpstr = getenv("TCPLOCALPORT")) == NULL) LocalPort = 0;
  118   else LocalPort = atoi(tmpstr);
  119 
  120   /* Check which port they are coming in on and
  121    * setup the log name and connection type
  122    */
  123   switch(LocalPort) {
  124     case 25:
  125       strcpy(VchkpwLogName, "vchkpw-smtp");
  126       ConnType = SMTP_CONN;
  127       break;
  128     case 110:
  129       strcpy(VchkpwLogName, "vchkpw-pop3");
  130       ConnType = POP_CONN;
  131       break;
  132     case 143:
  133       strcpy(VchkpwLogName, "vchkpw-imap");
  134       ConnType = IMAP_CONN;
  135       break;

I believe that if dovecot passed the parameter TCPLOCALPORT to vpopmail,
everything would work as expected, instead of being classified in this case:


  152      default:
  153       sprintf(VchkpwLogName, "vchkpw-%u", LocalPort);
  154       /*
  155        * We're running on an unknown port, so it could be any one of
  156        * the three protocols (SMTP, POP or IMAP).  Try to guess the
  157        * protocol based on argv[1].  For SMTP AUTH, argv[1] is usually
  158        * /bin/true.  For IMAP, it's usually imapd (or something like
  159        * that).  Keep the old default of POP.
  160        * Note that the popular Courier-IMAP does not use vchkpw, it
  161        * links libvpopmail directly into its server.
  162        */

Timo, could you give us a hand in solving this problem? This vpopmail feature
is very interesting and useful for us.

My dovecot config:
# dovecot -n
# 1.1.1: /etc/dovecot.conf
log_path: /var/log/dovecot/dovecot-err.log
info_log_path: /var/log/dovecot/dovecot.log
ssl_cert_file: /etc/apache2/ssl/server.crt
ssl_key_file: /etc/apache2/ssl/server.pem
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable: /usr/libexec/dovecot/imap-login
login_greeting: Ready
login_process_per_connection: no
first_valid_uid: 89
mail_drop_priv_before_exec: yes
mail_executable: /usr/local/bin/courier-dovecot-migrate
mail_plugins: quota imap_quota
namespace:
  type: private
  separator: .
  prefix: INBOX.
  inbox: yes
  list: yes
  subscriptions: yes
auth default:
  passdb:
    driver: checkpassword
    args: /home/vpopmail/bin/vchkpw
  userdb:
    driver: prefetch
plugin:
  quota: maildir

Thanks.
-- 
Alessio Cecchi is:
@ ILS -> http://www.linux.it/~alessice/
GNU/Linux Systems Support -> http://www.cecchi.biz/
@ PLUG -> ex-President, now senator for life, http://www.prato.linux.it
@ LOLUG -> new member http://www.lolug.net
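
An added example, not part of the original post or of vpopmail/Dovecot: a small log audit that finds logins vchkpw could not classify, i.e. lines tagged `vchkpw-<port>` by the `default:` branch quoted above instead of `vchkpw-pop3`, `vchkpw-imap` or `vchkpw-webmail`. The sample lines are constructed, and the part of the `vchkpw-0` line that the post elides is assumed to follow the same format as the other three.

```python
import re
from collections import Counter

# Matches the vchkpw success lines shown in the post, e.g.
#   ... vpopmail[11560]: vchkpw-pop3: (PLAIN) login success user@domain:ip
LINE_RE = re.compile(
    r"vpopmail\[\d+\]: vchkpw-(?P<tag>[a-z0-9]+): \((?P<mech>[^)]*)\) "
    r"login success (?P<user>\S+@\S+?):(?P<ip>[0-9.]+)$"
)
NAMED_TAGS = {"smtp", "pop3", "imap", "webmail"}  # tags that appear on the page

def parse(line):
    """Return a dict for a vchkpw success line, or None for anything else."""
    m = LINE_RE.search(line.strip())
    if m is None:
        return None
    tag = m.group("tag")
    return {
        "tag": tag,
        "user": m.group("user"),
        "ip": m.group("ip"),
        # A numeric tag comes from the default: branch (sprintf "vchkpw-%u"),
        # meaning TCPLOCALPORT was missing or not one of the known ports.
        "classified": tag in NAMED_TAGS,
        "port": int(tag) if tag.isdigit() else None,
    }

def unclassified_logins(lines):
    """Count logins per (user, port) that vchkpw could not classify."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec and not rec["classified"]:
            counts[(rec["user"], rec["port"])] += 1
    return counts

# Constructed sample log (documentation addresses, not taken from the post).
SAMPLE = [
    "Jul  8 12:36:41 mail-server vpopmail[11560]: vchkpw-pop3: (PLAIN) login success joe@example.com:198.51.100.8",
    "Jul  8 12:36:32 mail-server vpopmail[11456]: vchkpw-webmail: (PLAIN) login success pippo@example.com:127.0.0.1",
    "Jul  8 12:37:45 mail-server vpopmail[11984]: vchkpw-0: (PLAIN) login success anna@example.com:203.0.113.5",
    "Jul  8 12:38:02 mail-server vpopmail[11990]: vchkpw-0: (PLAIN) login success anna@example.com:203.0.113.5",
    "Jul  8 12:38:10 mail-server dovecot: imap-login: unrelated line",
]

if __name__ == "__main__":
    for (user, port), n in sorted(unclassified_logins(SAMPLE).items()):
        print(f"{user}: {n} login(s) logged as vchkpw-{port}")
```

Any user reported here authenticated through a path where vchkpw had to guess the protocol, so per-service limits set with vmoduser cannot be relied on for those logins.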

