Restrict IMAP login, but allow Postfix SASL

Aki Tuomi aki.tuomi at open-xchange.com
Wed Jun 1 16:30:35 UTC 2022


> On 01/06/2022 18:50 Hippo Man <hippoman at gmail.com> wrote:
> 
> 
> 
> > There's a facility to add arbitrary code to the imap login process,
> >  e.g., in "10-master.conf":
> >  
> >  service imap-postlogin {
> >    executable = script-login /local/bin/imap-wrapper
> >    user = $default_internal_user
> >    unix_listener imap-postlogin {
> >    }
> >  }
> 
> Just wondering: is there some sort of pre-login scripting facility for validation,
> as well as this post-login mechanism? I couldn't find anything like this in
> the Dovecot docs, but perhaps I missed something.
> 
> I'd like to be able to have the IP address, the protocol, the user ID, and
> the password examined before even passing the request to the standard
> login mechanism, and I'd like to be able to reject the request even prior
> to login. And a nice-to-have would also be the ability to alter the request
> before it gets passed on to the login mechanism.
> 
> Am I out of luck?
> 
> -- 
>  hippoman at gmail.com
>  Take a hippopotamus to lunch today.


In authentication, you can use the %{service} variable to expand into whatever service the user is trying to log into.

Dovecot also has auth policy server support, which allows you to do various predeterminations prior to actual authentication, see https://doc.dovecot.org/configuration_manual/authentication/auth_policy/

Akki
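
A sketch of the decision logic an auth policy server could apply to the `allow` request Dovecot sends before authentication, added here as an illustration; it is not part of the original message or of Dovecot. The request fields (`login`, `protocol`, `remote`) and the `status`/`msg` reply follow the auth policy documentation linked above; the account names, networks and the `decide` helper are constructed for the example.

```python
import ipaddress
import json

# Constructed sample policy (not from the thread): accounts that may only
# use SMTP AUTH via Postfix SASL, and networks IMAP logins may come from.
SMTP_ONLY = {"relay@example.com"}
IMAP_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# One message for every rejection, so the reply does not reveal which rule fired.
REJECT = {"status": -1, "msg": "login not permitted"}
ACCEPT = {"status": 0, "msg": ""}


def decide(body):
    """Map the JSON body of one 'allow' request to a policy reply.

    A negative status rejects the attempt before any passdb lookup; 0 lets
    Dovecot continue to normal authentication (it does not log the user in).
    """
    try:
        req = json.loads(body)
        login = str(req["login"]).strip().lower()
        proto = str(req["protocol"]).strip().lower()
        remote = ipaddress.ip_address(str(req["remote"]))
    except (ValueError, KeyError, TypeError):
        return dict(REJECT)  # fail closed on anything unparsable

    if proto == "imap":
        if login in SMTP_ONLY:
            return dict(REJECT)
        # Version mismatch (IPv6 client, IPv4 network) evaluates to False.
        if not any(remote in net for net in IMAP_NETS):
            return dict(REJECT)
    return dict(ACCEPT)


if __name__ == "__main__":
    sample = b'{"login": "relay@example.com", "protocol": "imap", "remote": "192.0.2.10"}'
    print(decide(sample))
```

The HTTP listener and the Dovecot `auth_policy_*` settings that point at it are left out; the linked documentation covers them.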

