This method indeed seems to work ... thank you again!

In summary, I did this:

passdb {
  driver = passwd-file
  deny = yes
  args = username_format=%{rip} /etc/dovecot/deny.ip
}

... and the "deny.ip" file looks like this:

1.2.3.4:::::::: nopassword
5.6.7.8:::::::: nopassword

One further question: whenever I add additional lines to the "deny.ip"
file, will I need to restart dovecot, or will dovecot always read the
latest version of that file whenever it is validating a new IMAP
connection?

--
 hippoman@gmail.com
 Take a hippopotamus to lunch today.

    .---------, 0__0
   /           (  oo'---,
  /                    oo\
 ,\                      |
 | \                ,=__/
    \              /
    /  /------|  /|
    |__|-'    |__|'
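
An added example (not code from this thread or from the Dovecot project): a Python helper that regenerates a deny file in the line format shown above from a plain list of addresses, rejecting entries that cannot serve as a passwd-file key and replacing the file atomically. The function names, the input format (one address per line, `#` comments) and the 0640 file mode are assumptions.

```python
import ipaddress
import os
import tempfile

# Line suffix copied from the deny.ip lines shown in the message above.
SUFFIX = ":::::::: nopassword"


def parse_ips(text):
    """Return sorted, de-duplicated IPv4 strings; raise ValueError otherwise."""
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()  # allow comments and blank lines
        if not entry:
            continue
        try:
            addr = ipaddress.ip_address(entry)  # rejects CIDR ranges and names
        except ValueError:
            raise ValueError(f"line {lineno}: not a single IP: {entry!r}") from None
        if addr.version != 4:
            # ':' separates passwd-file fields, so an IPv6 key would be split
            # into several fields instead of being compared with %{rip}.
            raise ValueError(f"line {lineno}: IPv6 key not usable: {entry!r}")
        seen.add(addr)
    return [str(a) for a in sorted(seen)]


def render(ips):
    """Build the file body, one line per address, in the thread's format."""
    return "".join(f"{ip}{SUFFIX}\n" for ip in ips)


def write_atomic(path, body, mode=0o640):  # mode is an assumption
    """Write a temp file in the target directory, then rename it into place."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(body)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, mode)
        os.replace(tmp, path)  # readers see the old or the new file, never half
    except BaseException:
        os.unlink(tmp)
        raise


if __name__ == "__main__":
    # Constructed sample input, using the addresses from the thread.
    print(render(parse_ips("5.6.7.8\n1.2.3.4  # duplicate below\n1.2.3.4\n")), end="")
```

The deny passdb compares the whole `%{rip}` string against the first field, so each address needs its own line; ranges are rejected by the helper rather than silently written as a key that would never match.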



On Tue, Aug 1, 2023 at 12:44 PM Hippo Man <hippoman@gmail.com> wrote:
Oh, OK. I'll investigate and test it.
Thank you!



On Tue, Aug 1, 2023 at 12:24 PM aki.tuomi via dovecot <dovecot@dovecot.org> wrote:
1.2.3.4::::::::: nopassword

I think. Didn't have a chance to test it.

Aki


-------- Original message --------
From: Hippo Man <hippoman@gmail.com>
Date: 8/1/23 19:03 (GMT+02:00)
To: "aki.tuomi" <aki.tuomi@open-xchange.com>
Subject: Re: Forcing imap authentication failure for certain IP addresses

Thank you very much!

In your example, what would be the contents of the
/etc/dovecot/deny.ip file?



On Tue, Aug 1, 2023 at 11:44 AM aki.tuomi via dovecot <dovecot@dovecot.org> wrote:

or you can use 

passdb {
  driver = passwd-file
  deny = yes
  args = username_format=%{rip} /etc/dovecot/deny.ip
}


and write this in Lua.

Aki


-------- Original message --------
From: Hippo Man <hippoman@gmail.com>
Date: 8/1/23 18:14 (GMT+02:00)
Subject: Forcing imap authentication failure for certain IP addresses

I'm running dovecot 2.3.18 under Debian 11.

I want to do something that's a bit unusual: when IMAP connections are attempted
from a few specific IP addresses, I want to force an IMAP authentication failure
from those connections, no matter what user ID and password are specified.

I know that I can use iptables to completely block imap access from those IP
addresses to the IMAP ports. However, in these specific cases, I'd prefer that
the connection goes through to dovecot, but for dovecot then to always generate
authentication failures for those specific connections ... even if a valid
user ID and password happen to be specified.

Is there a way to do this in dovecot?

Thank you very much in advance.

_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-leave@dovecot.org