Thanks Rick!
I have a handful of users on the server but I am the only one requiring secure access to my mail while travelling. Everything is installed on one box. I will give you recommendation a try so thank you for that.
One option I was thinking about is as well, is it possible to use "throw away one time passwords" with my setup? As described here:
http://blog.kevinvandervlist.nl/projects/roundcube-static-otp/
It would be *perfect* if I could access my mail "normally" from an IMAP client (Thunderbord/K9) using a strong password and then use a OTP (using Googles Authenticator) with a "throw away password" that can ONLY be used once!
This would allow me to login at an internet cafe with a throw away password and not care if its being recorded as it could only be used once anyway and couldn't be used with IMAP. is this a possibility?
I'm just trying to consider all the ideas :-)
On 05/05/2014 22:13, Rick Romero wrote:
You don't need vpopmail - that's just an example. It has it's own table structure.
Are you the only user - I missed that part of the question. If so, ignore the 'Bit Operator' part, you won't need it. That's to allow different types of access per user (and makes the query that much more complex).
Change your user table structure and add a 2nd password field named 'imap_password', then change your Dovecot query SQL to the below:
SELECT email as user, if(%r == '127.0.0.1', password,imap_password) as password FROM virtual_users WHERE email='%u';
That will return the contents of 'password' when you use webmail (assuming it's all installed on one box), and 'imap_password' when you connect from any other system.
If you're unfamiliar with modifing MySQL tables, install phpmyadmin (and lock it down) or another visual MySQL client.
If there are multiple users, you'll need to either change the query to just match your username or add another field to do a bit check and make the query more complex... :)
Rick
Quoting SIW <bov@bsdpanic.com>:
Hi Rick
I really appreciate your response!
Unfortunately my SQL is, how can we say, very basic. I built my server using the Linode guide at:
https://library.linode.com/email/postfix/postfix2.9.6-dovecot2.0.19-mysql
Currently my password query looks as follows:
password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';
I'm not familiar with VPopMail, would I need it in this situation? Currently I use Postfix/Dovecot/MySQL/Apache/Roundcube.
On 05/05/2014 21:32, Rick Romero wrote:
Quoting Professa Dementia <professa@dementianati.com>:
On 5/5/2014 1:05 PM, SIW wrote:
Thats a good point.
If I block IMAP/SMTP access to ONE user does that mean that particular user can't use Roundcube anymore?
That is correct. If you block IMAP, then webmail will not work.
Not necessarily.
From: http://wiki2.dovecot.org/AuthDatabase/VPopMail
"logically this means: show password for user=%n at domain=%d when imap on the account is not disabled and connection is not comming from localhost when webmail access on the account is not disabled and if imap for the domain is not disabled and (connection is not comming from localhost when webmail access for the domain is not disabled) when vlimits are not overriden on the account " # password_query = select pw_passwd as password FROM vpopmail LEFT JOIN limits ON vpopmail.pw_domain=limits.domain WHERE pw_name='%n' and pw_domain='%d' and !(pw_gid & 8) and ('%r'!='127.0.0.1' or !(pw_gid & 4)) and ( ('%r'!='127.0.0.1' or COALESCE(disable_webmail,0)!=1) and COALESCE(disable_imap,0)!=1 or (pw_gid & 8192) );
So construct your SQL query in a way that your bit field in MySQL disables all access for a single user except when the source IP is your webmail server.
If you want multiple passwords, you can modify the password_query with iif statements based on the source IP or protocol.
Like: select iif(%r == '127.0.0.1' & pw_name== 'yourname' & pw_domain='yourdomain',pw_webmailpasswrd,pw_passwd) as pw_passwd from vpopmail ..... Of course that's specific to the vpopmail table... modify as needed for your own table structure... Rick