On 2022-04-08 12:29, Vlastimil Wagner wrote:
Hi is possible authentication by ip address in dovecot? What i need. Now auth is by PAM (Active directory), i want application password (its plugin to Roundcube, passwords in mysql) for example android email client. I know that Multiple Authentication Databases work but i want when user auth from public network use sql and when from internal network use both sql and then pam.
thanks for help
Bukowski
Hi there,
Check Dovecot post login scripting, refer to https://doc.dovecot.org/admin_manual/post_login_scripting/.
In post login script you can have access to $USER string, containing email address as well as Fields " returned by userdb lookup with their keys uppercased (e.g. if userdb returned home, it’s stored in HOME). "
E.g. use the following snippets in bash script, to perform additional authentication, and check first if $IP is present in a whitelist file i.e. internal then perform it.
You can retrieve PAM credentials for a "username" using:- cat /etc/shadow | grep username
Retrieve user password from DB and make use in following to generate its hash or instead of openssl use doveadm command if its more suitable:- openssl passwd -1 -salt TrOIigLp PASSWORD
Retrieve password hash, algorithm and salt from PAM credentials string:-
Find way to compare the password hash with the generated one, I think its doable using python yet I have not tested by myself.
In bash script use following e.g. to pass the post login script authentication:-
if [[ $authenticated = true ] && [$IP_PRESENT = true]] ; then
exec "$@"
elif [[ $IP_PRESENT = false ]]
exec "$@"
else
exit 0
fi
Any question please don't hesitate.
Zakaria.