If this is not possible (it would be a nice feature to add), would it be solvable by extending the director cluster with 1 or 2 VMs only for API usage and setting https://doc.dovecot.org/settings/core/#doveadm-allowed-commands on these VMs from ALL to e.g. fetch, copy, search for console and API doveadm?
Dovecot configurations are posted in https://dovecot.org/pipermail/dovecot/2021-August/122862.html
Christian
----- Original Message -----
From: Christian Küppers c.kueppers@onoffice.de
Sent: Monday, 6 September 2021 12:03:06
To: dovecot@dovecot.org
Subject: Restricting commands used in http api
Hello,
Is it possible to restrict API methods (https://doc.dovecot.org/admin_manual/doveadm_http_api/#api-methods) without restricting doveadm usage on the console?
Something like:
service doveadm {
  unix_listener doveadm-server {
    user = vmail
  }
  inet_listener {
    port = 2425
    allowed_commands = ALL
  }
  inet_listener http {
    port = 8080
    allowed_commands = fetch, copy, search
    #ssl = yes # uncomment to enable https
  }
}
Reason for question: We want to be able to use all commands as administrators on the console, but some external software using the Dovecot API should not be able to do admin-like tasks like "doveadm director flush".
Our setup:
- multiple replicated dovecot backend servers
- frontend with dovecot director ring and proxy enabled (provides api endpoint)
Kind regards,
Christian Küppers
Expert Administrator