Hello list! Only recently joined, please excuse me if this is a stupid question.
I'd like to have 2 classes of user: those with shell accounts, and those without. They'll all have "real" accounts, for which the password can be checked with PAM. I've set up SSL too. What I want to arrange is for users with shell accounts not to succeed in logging in to Dovecot without using TLS/SSL. I'll have to allow unencrypted logins (for non-shell users), but I want to reject/refuse such a login from someone with a shell account.
I've already made my exim do this, with the following logic in my authenticator there: if (pam auth ok) and ((tls) or (user's shell not listed in /etc/shells))
I haven't worked out how to make Dovecot do this, yet. So far I just tried using * as the PAM service name, in the hope that not only would pop3 or imap get passed through, but pop3s and imaps might, and I had a line in my /etc/pam.d/imap and pop like this: auth required pam_succeed_if.so debug shell notin /bin/bash:/bin/sh which worked, but unfortunately also got used for imapS logins. Then I realised this was likely to be the wrong thing anyway, because it would presumably only cover IMAPS on port 993, and not IMAP+TLS on the usual port 143.
So I've had a go but got it wrong. What should I do to get it right?
Cheers,
John.
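The access rule described in the post, written out as an added example (not from the original post or from Dovecot/exim): allow if PAM verified the password and either the connection is TLS-protected or the user's shell is not listed in /etc/shells. The /etc/shells contents and the user-to-shell table are constructed; the `tls` flag stands for the connection's actual TLS state (implicit TLS on 993 or STARTTLS on 143), which is what the decision has to key on rather than the port or service name.

```python
from dataclasses import dataclass

# Constructed stand-in for the contents of /etc/shells.
ETC_SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
"""

# Constructed stand-in for the passwd database: user -> login shell.
PASSWD_SHELLS = {
    "alice": "/bin/bash",          # has a real shell account
    "bob": "/usr/sbin/nologin",    # mail-only account, no shell
}


def parse_shells(text: str) -> set[str]:
    """Return the set of login shells listed in an /etc/shells-style file."""
    shells = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            shells.add(line)
    return shells


@dataclass
class Login:
    user: str
    pam_ok: bool   # password accepted by PAM
    tls: bool      # connection protected by SSL/TLS (implicit or STARTTLS)
    port: int      # recorded only to show that it plays no part in the decision


def has_shell_account(user: str, shells: set[str], passwd=PASSWD_SHELLS) -> bool:
    """A user counts as a shell user if their login shell appears in /etc/shells."""
    return passwd.get(user) in shells


def allow_login(login: Login, shells: set[str], passwd=PASSWD_SHELLS) -> bool:
    """The poster's rule: pam_ok and (tls or user has no shell account)."""
    if not login.pam_ok:
        return False
    return login.tls or not has_shell_account(login.user, shells, passwd)


def evaluate(logins, shells_text: str = ETC_SHELLS) -> dict:
    """Apply the rule to several attempts; keyed by (user, port, tls)."""
    shells = parse_shells(shells_text)
    return {(lg.user, lg.port, lg.tls): allow_login(lg, shells) for lg in logins}
```

Run over attempts on both 143 and 993, the shell user is rejected only when `tls` is false, so STARTTLS on 143 passes exactly like IMAPS on 993.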