On 16/03/2023 03:58 EET jeremy ardley <jeremy@ardley.org> wrote:
On 16/3/23 06:31, Aymeric Agon-Rambosson wrote:
I have a solution to my problem.
For reference, I am putting it here:
A simple way to restrict login based on uids is to modify the file as such:
#%PAM-1.0
auth required pam_succeed_if.so uid > 500 quiet
@include common-auth
@include common-account
@include common-session
It is possible for the dovecot sasl component to use different authorisation back-ends, such as LDAP, GSSAPI, MySQL etc. These do not necessarily have the ability to reject uid < 500.
However, generally, these backends can be used by pam as well. In default debian installations:
cat dovecot
#%PAM-1.0
#auth required pam_faillock.so preauth silent audit
#auth [default=die] pam_faillock.so authfail audit
@include common-auth
@include common-account
@include common-session
cat common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
A good practice would be to use postfix --> dovecot/sasl --> pam --> backend server and do the uid vetting in the dovecot pam configuration.
Dovecot itself can reject uid < 500. Just set first_valid_uid = 500 and first_valid_gid = 500.
Aki
--
Jeremy
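The thread offers two places to enforce the uid floor: the `pam_succeed_if.so uid > 500` rule in /etc/pam.d/dovecot and dovecot's own `first_valid_uid = 500`. The script below is an added example (not from the thread, not dovecot's or Linux-PAM's code) that models both checks over a constructed passwd-format sample and reports accounts where the two layers disagree; note that `uid > 500` is exclusive while `first_valid_uid = 500` is inclusive, so an account with uid exactly 500 is treated differently. Only the numeric uid/gid tests of pam_succeed_if are modelled.

```python
import operator
import re

# Constructed passwd-format sample (not from the thread): system accounts,
# one account sitting exactly on the uid boundary, and ordinary users.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svc-mail:x:500:500:mail service:/var/empty:/usr/sbin/nologin
alice:x:501:501:Alice:/home/alice:/bin/bash
bob:x:1000:1000:Bob:/home/bob:/bin/bash
"""

# pam_succeed_if numeric operators: eq/ne are the numeric equality forms.
_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "eq": operator.eq, "ne": operator.ne}

def parse_passwd(text):
    """Return {user: (uid, gid)} from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, gid, *_ = line.split(":")
            users[name] = (int(uid), int(gid))
    return users

def pam_succeed_if(condition, uid, gid):
    """Evaluate a pam_succeed_if-style numeric test such as 'uid > 500'."""
    m = re.fullmatch(r"\s*(uid|gid)\s*(<=|>=|<|>|eq|ne)\s*(\d+)\s*", condition)
    if not m:
        raise ValueError("unsupported condition: %r" % condition)
    field, op, num = m.groups()
    return _OPS[op](uid if field == "uid" else gid, int(num))

def dovecot_allows(uid, gid, first_valid_uid=500, first_valid_gid=500):
    """Model dovecot's first_valid_uid / first_valid_gid floor (inclusive)."""
    return uid >= first_valid_uid and gid >= first_valid_gid

def compare_policies(passwd_text, pam_condition="uid > 500", floor=500):
    """Return {user: (pam_allows, dovecot_allows)} for every account."""
    return {user: (pam_succeed_if(pam_condition, uid, gid),
                   dovecot_allows(uid, gid, floor, floor))
            for user, (uid, gid) in parse_passwd(passwd_text).items()}

def mismatches(passwd_text, **kw):
    """Accounts where the PAM rule and the dovecot setting disagree."""
    return sorted(u for u, (p, d) in compare_policies(passwd_text, **kw).items()
                  if p != d)
```

Running `mismatches(SAMPLE_PASSWD)` flags the uid-500 account; switching the PAM rule to `uid >= 500` makes the two layers agree.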