Phil,
The documentation says to authenticate only from a specific IP or network… if you set this to 127.0.0.1 to indicate the local loop then this effectively blocks every IP address but this one. Since the extra field is in passdb then this would imply it can be done on a per user basis I considered this solution, but it isn't what I have in mind; everyone must be able to fetch POP3/IMAP mail, but some users have to be blocked. In other words: user JohnDoe can't fetch his mail thru Dovecot, but can still logon thru webmail with his username/password. JaneDoe can both fetch her mail with POP3/IMAP as well as thru webmail with her username/password.
I think I overlook something here, but haven't find a right solution yet. Perhaps a plugin??
Jos