Hi there, I posted this question on ServerFault (https://serverfault.com/questions/1170095/proper-syntax-for-using-allow-nets...) but haven't gotten an answer after 10 days, so I thought I'd try here. I appreciate any help you can offer!
I want to allow for two auth methods in dovecot via SQL. First, the traditional route where the password is hashed with |SHA512-CRYPT| and compared to the DB response. Second, where the request is coming from a user already authenticated by a different part of the local system, and the hash itself is passed and compared as |PLAIN|.
It works perfectly with the following |auth-sql.conf.ext| and associated sql files...
# Passdb for traditional method
passdb {
  driver = sql
  args = /etc/dovecot/conf.d/dovecot-sql.conf.ext
}

# Passdb for hybrid method (direct hash comparison)
passdb {
  driver = sql
  args = /etc/dovecot/conf.d/dovecot-sql-hybrid.conf.ext
}

# Userdb prefetch to use attributes from the passdb query
userdb {
  driver = prefetch
}

# Userdb static as fallback for default attributes
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/srv/mail/%d/%n
}
The problem I'm having is that I want to secure the second hybrid |PLAIN| method so that it can only be used by the local host using the |allow_nets| argument. In the documentation <https://doc.dovecot.org/2.3/configuration_manual/authentication/allow_nets/#authentication-allow-nets> it shows that I should simply add it to the |args| like this...
args = /etc/dovecot/conf.d/dovecot-sql-hybrid.conf.ext allow_nets=local,127.0.0.1/32
But as soon as I do this, the logs show that it's trying to open the entire string as if the |allow_nets...| argument is part of the path, and fails to find the file. I've tried moving the |allow_nets| argument to the beginning, but that had the same result.
What is the correct syntax for using |allow_nets| with |passdb sql|?
# 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.16 (09c29328)
# OS: Linux 5.14.0-503.21.1.el9_5.x86_64 x86_64 Rocky Linux release 9.5 (Blue Onyx) xfs
Thanks, Kevin.
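
In Dovecot, allow_nets is a passdb extra field, so with the sql driver it is returned as a column by password_query, while args carries only the path of the SQL config file. The fragment below is an added example and not part of the original post; the SQL driver, connect string, table name and column names are assumptions, since the post does not show the contents of dovecot-sql-hybrid.conf.ext.

```conf
# --- /etc/dovecot/conf.d/auth-sql.conf.ext (hybrid passdb) ---
# For driver = sql, args is only the config file path.
# Anything appended to it is treated as part of the file name.
passdb {
  driver = sql
  args = /etc/dovecot/conf.d/dovecot-sql-hybrid.conf.ext
}

# --- /etc/dovecot/conf.d/dovecot-sql-hybrid.conf.ext ---
# Assumed connection settings; replace with the real ones.
driver = mysql
connect = host=/var/lib/mysql/mysql.sock dbname=mailserver user=dovecot password=CHANGE_ME

# The stored hash is compared directly, as described in the post.
default_pass_scheme = PLAIN

# allow_nets is returned as an extra field (a constant column here).
# If the client's address is outside this list, this passdb does not
# authenticate the user, even when the supplied hash matches.
# mail_users, email and password_hash are hypothetical names.
password_query = \
  SELECT email AS user, \
         password_hash AS password, \
         'local,127.0.0.1/32' AS allow_nets \
  FROM mail_users \
  WHERE email = '%u'
```

Because this passdb accepts the stored hash itself as the credential, the allow_nets column is the only thing limiting where that hash can be presented, so it belongs in every row the hybrid query can return. After reloading, `doveconf -n` should show the hybrid passdb's args as the bare file path.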