Bad Signature - Auth by ip address

hi at hi at
Fri Apr 8 22:55:48 UTC 2022

On 2022-04-08 12:29, Vlastimil Wagner wrote:
> Hi
>  is possible authentication by ip address in dovecot?
>   What i need.
>  Now auth is by PAM (Active directory), i want application password
> (its plugin to Roundcube, passwords in mysql) for  example android
> email client.
>  I know that Multiple Authentication Databases work but i want when
> user auth from public network use sql and when from internal network
> use both sql and then pam.
> thanks for help
> Bukowski

Hi there,

Check Dovecot post login scripting, refer to

In post login script you can have access to $USER string, containing 
email address as well as Fields " returned by userdb lookup with their 
keys uppercased (e.g. if userdb returned home, it’s stored in HOME). "

E.g. use the following snippets in bash script, to perform additional 
authentication, and check first if $IP is present in a whitelist file 
i.e. internal then perform it.

You can retrieve PAM credentials for a "username" using:-
cat /etc/shadow | grep username

Retrieve user password from DB and make use
in following to generate its hash or instead of openssl use doveadm 
command if its more suitable:-
openssl passwd -1 -salt TrOIigLp PASSWORD

Retrieve password hash, algorithm and salt from PAM credentials string:-

Find way to compare the password hash with the generated one, I think 
its doable using python yet I have not tested by myself.

In bash script use following e.g. to pass the post login script 

if [[ $authenticated = true ] && [$IP_PRESENT = true]] ; then

    exec "$@"

elif [[ $IP_PRESENT = false ]]

    exec "$@"


    exit 0


Any question please don't hesitate.


More information about the dovecot mailing list