AW: Restricting commands used in http api

[Christian Küppers]

If this is not possible (it would be a nice feature to add this), would it
be solvable via extending the director cluster with 1 or 2 vm's only for api usage and
set https://doc.dovecot.org/settings/core/#doveadm-allowed-commands on this
vm's from ALL to e.g. fetch, copy, search for console and api doveadm.
Dovecot configurations posted in https://dovecot.org/pipermail/dovecot/2021-August/122862.html

Christian
 



----- Ursprüngliche Nachricht -----
Von: Christian Küppers c.kueppers at onoffice.de
Gesendet: Montag, 6. September 2021 12:03:06
An: dovecot at dovecot.org
Betreff: Restricting commands used in http api

Hello,

is it possible to restrict api methods
(https://doc.dovecot.org/admin_manual/doveadm_http_api/#api-methods)
without restricting doveadm usage on console.

something like:

service doveadm {
unix_listener doveadm-server {
user = vmail
}
inet_listener {
port = 2425
allowed_commands = ALL
}
inet_listener http {
port = 8080
allowed_commands = fetch, copy, search
#ssl = yes # uncomment to enable https
}
}

Reason for question: We want to be able to use all commands as
administrators on
console but some external software using the dovecot api should not be able
to do
admin like tasks like "doveadm director flush".

our setup:
multiple replicated dovecot backend servers
frontend with dovecot director ring and proxy enabled (provides api
endpoint)

Kind regards,
 
Christian Küppers
Expert Administrator

 

onOffice GmbH
Charlottenburger Allee 5 | 52068 Aachen
Tel. +49 (0)241 446 86-0 | Fax. +49 (0)241 446 86-250
E-Mail:c.kueppers at onoffice.de| Web:www.onOffice.com

 
Registergericht: Amtsgericht Aachen, HRB 21420
Geschäftsführer: Dipl.-Kfm. Stefan Mantl
Prokuristen: Janosch Reuschenbach, Kristina Andresen, Christian Mähringer