[Dovecot] Enable IMAP only for certain users/IP
Robert Schetterer
rs at sys4.de
Wed May 29 11:46:42 EEST 2013
On 29.05.2013 10:37, Simone Marx :: Edinet Srl wrote:
> Hi,
> I'm trying to config dovecot to enable IMAP protocol only for certain
> IPs and users.
> The logical steps I've followed are:
> 1. If a user is trying to login from an IP that I've authorized (listed
> in a file) the request is authorized.
> 2. If not, if the user is listed in a second file the request is
> authorized.
> 3. If also this check fails the request is rejected.
>
> I'm using PAM for passdb and a passwd-file for userdb:
>
> passdb {
> driver = pam
> args = session=yes failure_show_msg=yes max_requests=16 cache_key=%u%r%l dovecot-%s
> }
>
> userdb {
> driver = passwd-file
> args = /etc/passwd-dovecot
> }
>
>
> In /etc/pam.d/ there are two files:
> dovecot-pop3
> dovecot-imap
>
> dovecot-pop3:
>
> #%PAM-1.0
>
> @include common-auth
> @include common-account
> @include common-session
>
> (for this protocol everything works fine, I don't want to limit it.)
>
>
> dovecot-imap:
>
> #%PAM-1.0
>
> @include common-auth
>
> auth sufficient pam_listfile.so item=rhost sense=allow file=/etc/dovecot/imaphosts onerr=fail
> auth required pam_listfile.so item=user sense=allow file=/etc/dovecot/imapusers onerr=fail
>
> @include common-account
> @include common-session
>
>
> If I'm not wrong, once the user is authenticated, PAM checks if the
> remote IP address is in imaphosts; if it's true,
> it returns PAM_SUCCESS and stops the execution of the auth block, else
> if it's false, PAM executes the next line, verifying the presence of the
> username in imapusers file; if found, then return PAM_SUCCESS, else fail.
>
> If this can work, I've a problem with pam_listfile.so and IP addresses:
> I want to do something smarter than specifying 2^11 IP addresses instead
> of a /21 or IP/netmask.
>
> Are there alternatives for doing it better?
>
> Thanks.
>
> Sincerely,
> Simone Marx.
>
You may have a look at
http://wiki.dovecot.org/Authentication/RestrictAccess
Best Regards
MfG Robert Schetterer
--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
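
The three-step check from the question with CIDR matching, as an added example that is not part of either message and not Dovecot's own code. It assumes the script is run through pam_exec (which exports PAM_USER and PAM_RHOST) and that imaphosts holds one address or network per line; that file format and the function names are assumptions.

```python
#!/usr/bin/env python3
"""IMAP login gate: allow by client network first, then by user list."""
import ipaddress
import os
import sys

HOSTS_FILE = "/etc/dovecot/imaphosts"  # path from the post; CIDR-per-line format is assumed
USERS_FILE = "/etc/dovecot/imapusers"  # path from the post; one username per line


def entries(lines):
    """Yield list entries, skipping blank lines and '#' comments."""
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def imap_allowed(user, rhost, host_lines, user_lines):
    """Step 1: rhost inside an allowed network. Step 2: user listed. Else reject."""
    try:
        nets = [ipaddress.ip_network(e, strict=False) for e in entries(host_lines)]
    except ValueError:
        return False  # malformed allow-list entry: fail closed, like onerr=fail
    try:
        addr = ipaddress.ip_address(rhost)
        addr = getattr(addr, "ipv4_mapped", None) or addr  # ::ffff:a.b.c.d -> a.b.c.d
    except ValueError:
        addr = None  # rhost is not an IP literal, so step 1 cannot match
    if addr is not None and any(addr in net for net in nets):
        return True
    return bool(user) and user in set(entries(user_lines))


def main():
    """Exit 0 to allow, 1 to deny; unreadable list files deny."""
    user = os.environ.get("PAM_USER", "")
    rhost = os.environ.get("PAM_RHOST", "")
    try:
        with open(HOSTS_FILE) as hosts, open(USERS_FILE) as users:
            ok = imap_allowed(user, rhost, hosts.readlines(), users.readlines())
    except OSError:
        ok = False
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```
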