Hello.
As I told once, I have a firewall-protected network in which a mailserver (dovecot/postfix) also runs, and every local user with an account can access it. Now I have some privileged users who also need access from outside, through the firewall:
let the group1 members access mailserver from 0.0.0.0/0
let the group2 members access mailserver from 172.0.0.0/24
group1 members are also members of group2, and logically group1 members should access the mailserver from every network, including 172.0.0.0/24, and group1 members should access the mailserver only from the 172.0.0.0/24 network.
So I tried to make this happen with dovecot: I made a separate passwd file and configured dovecot to use it:
dovecot: Apr 11 13:42:48 Info: auth(default): passwd-file /etc/dovecot.outusers: Read 2 users
/etc/dovecot.outusers includes:
test1:{plain}test1:500:502::/home/test::mail=maildir:~/Maildir allow_nets=0.0.0.0
test2:{plain}test2:501:502::/home/test2::mail=maildir:~/Maildir allow_nets=172.0.0.0/24 192.0.0.0/24
Still, connecting from 172.17.25.3 to both accounts worked fine, so it seems the code doesn't work.
So the next step was pam:
/etc/pam.d/dovecot.pam includes:
auth required pam_nologin.so
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
account required pam_access.so
/etc/security/access.conf includes:
+:group1:ALL
+:group2:172. 192.
-:ALL:ALL
And it works. Maybe this information is useful for someone.
-- Sysadmin
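As an added illustration (not part of the post above, and not Dovecot's or pam_access's own code), the following Python script evaluates a login attempt against two constructed rule sets modelled on the post: a pam_access-style access.conf (first matching rule wins; a plain group name or username in the users field, `ALL` or a dotted prefix such as `172.` or a CIDR in the origins field) and a Dovecot-style `allow_nets` list, which is parsed here with the standard library `ipaddress` module rather than Dovecot's own parser. The rule text, users, groups and source addresses are all constructed sample data. Two things the checks make visible: a bare `0.0.0.0` parses as a single host (`0.0.0.0/32`), not as "everywhere", and the post's test address 172.17.25.3 lies outside 172.0.0.0/24 while still matching the prefix `172.` used in access.conf.

```python
import ipaddress

# Constructed sample rules modelled on the post's access.conf (not the poster's file).
ACCESS_CONF = """\
+:group1:ALL
+:group2:172. 192.
-:ALL:ALL
"""


def parse_access_conf(text):
    """Parse access.conf lines into (permit, user_patterns, origin_patterns)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = line.split(":", 2)
        rules.append((perm.strip() == "+", users.split(), origins.split()))
    return rules


def user_matches(pattern, user, groups):
    """ALL, an exact username, or a group the user belongs to."""
    return pattern == "ALL" or pattern == user or pattern in groups


def origin_matches(pattern, ip):
    """ALL, a CIDR block, a dotted prefix such as '172.', or an exact address."""
    if pattern == "ALL":
        return True
    addr = ipaddress.ip_address(ip)
    if "/" in pattern:
        return addr in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return ip == pattern


def access_decision(rules, user, groups, ip):
    """First matching rule wins. Assumed default when nothing matches: permit,
    which is why a trailing -:ALL:ALL line is the usual closing rule."""
    for permit, users, origins in rules:
        if any(user_matches(u, user, groups) for u in users) and any(
            origin_matches(o, ip) for o in origins
        ):
            return permit
    return True


def parse_allow_nets(value):
    """Assumed comma-separated CIDR list; a bare address becomes a /32 (or /128)."""
    return [ipaddress.ip_network(n.strip(), strict=False) for n in value.split(",") if n.strip()]


def allow_nets_permits(value, ip):
    """True if the source address falls inside any listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in parse_allow_nets(value))


def check_login(rules, user, groups, allow_nets, ip):
    """Combine both layers: a login is accepted only if both permit it."""
    return access_decision(rules, user, groups, ip) and allow_nets_permits(allow_nets, ip)


if __name__ == "__main__":
    rules = parse_access_conf(ACCESS_CONF)
    # Constructed test cases: test1 is in both groups, test2 only in group2.
    for user, groups, nets, ip in [
        ("test1", ["group1", "group2"], "0.0.0.0/0", "8.8.8.8"),
        ("test1", ["group1", "group2"], "0.0.0.0", "8.8.8.8"),
        ("test2", ["group2"], "172.0.0.0/24,192.0.0.0/24", "172.17.25.3"),
        ("test2", ["group2"], "172.0.0.0/24,192.0.0.0/24", "8.8.8.8"),
    ]:
        print(user, ip, "access.conf:", access_decision(rules, user, groups, ip),
              "allow_nets:", allow_nets_permits(nets, ip))
```

Running the script prints one line per constructed case; the second case shows the bare `0.0.0.0` rejecting every source address, and the third shows 172.17.25.3 passing the `172.` prefix in access.conf but failing the 172.0.0.0/24 block in `allow_nets`.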