allow_nets with `local,127.0.0.1/32` defined should do the trick. This assumes you don’t have any webmail running on the same host, since that would still allow authentication.

https://doc.dovecot.org/configuration_manual/authentication/allow_nets/

I use allow_nets to “suspend” user logins, but allow LMTP to continue to function, for example.

On 1 Jun 2022, at 13:40, lutz.niederer@gmx.net wrote:

Hi,

we have a very simple user-/passdb (like passwd) to authenticate virtual IMAP users.
We also use this for Postfix authentication. Nothing special.

But, we need to exclude some of the users from IMAP login.
This means, some users should be allowed to send mail via Postfix (submission) and therefore
authenticate via SASL against dovecot successfully, but they should not be allowed to log in
to their IMAP mailbox.

How could this be done?

Thanks!
-lutzn
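
The following is an added example, not code from either poster or from Dovecot. It is a simplified model of the allow_nets check suggested at the top of the thread, for auditing which passwd-file users would pass from a given client address. It assumes the passwd-file layout with extra fields after the seventh colon and that `local` matches an auth request carrying no client IP; the file contents, user names and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample passwd-file lines (users and passwords are placeholders).
# Layout: user:password:uid:gid:gecos:home:shell:extra_fields
SAMPLE = """\
alice:{PLAIN}placeholder::::::
bob:{PLAIN}placeholder::::::allow_nets=local,127.0.0.1/32
carol:{PLAIN}placeholder::::::allow_nets=192.0.2.0/24,2001:db8::/32
"""

def parse_allow_nets(line):
    """Return (user, list of allow_nets entries, or None if unset)."""
    fields = line.split(":", 7)  # 8th field keeps its colons (IPv6 networks)
    extra = fields[7] if len(fields) > 7 else ""
    for item in extra.split():
        key, _, value = item.partition("=")
        if key == "allow_nets":
            return fields[0], [n.strip() for n in value.split(",") if n.strip()]
    return fields[0], None

def is_allowed(nets, remote_ip):
    """remote_ip is a string, or None when the auth request has no client IP."""
    if nets is None:
        return True  # no allow_nets restriction configured for this user
    for net in nets:
        if net == "local":
            if remote_ip is None:
                return True
            continue
        if remote_ip is not None and ipaddress.ip_address(remote_ip) in \
                ipaddress.ip_network(net, strict=False):
            return True
    return False

def audit(text, remote_ip):
    """Map each user to whether a login from remote_ip would pass allow_nets."""
    result = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            user, nets = parse_allow_nets(line)
            result[user] = is_allowed(nets, remote_ip)
    return result

if __name__ == "__main__":
    for ip in ("203.0.113.9", "127.0.0.1", None):
        print(ip, audit(SAMPLE, ip))
```

The `127.0.0.1` row shows the webmail caveat from the reply: a client on the same host still passes the restriction for `bob`.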