Hi, I'm trying to config dovecot to enable IMAP protocol only for certain IPs and users. The logical steps I've followed are: listed in a file) the request is authorized.
- If a user is trying to login from an IP that I've authorized (
- If not, if the user is listed in a second file the request is authorized.
- If also this check fails the request is rejected.
I'm using PAM for passdb and a passwd-file for userdb:
passdb { driver = pam args = session=yes failure_show_msg=yes max_requests=16 cache_key=%u%r%l dovecot-%s }
userdb { driver = passwd-file args = /etc/passwd-dovecot }
In /etc/pam.d/ there are two files: dovecot-pop3 dovecot-imap
dovecot-pop3:
#%PAM-1.0
@include common-auth @include common-account @include common-session
(for this protocol everything works fine, I don't want to limit it.)
dovecot-imap:
#%PAM-1.0
@include common-auth
auth sufficient pam_listfile.so item=rhost sense=allow file=/etc/dovecot/imaphosts onerr=fail auth required pam_listfile.so item=user sense=allow file=/etc/dovecot/imapusers onerr=fail
@include common-account @include common-session
If I'm not wrong, once the user is authenticated, PAM checks if the remote IP address is in imaphosts; if it's true, it returns PAM_SUCCESS and stops the execution of the auth block, else if it's false, PAM executes the next line, verifying the presence of the username in imapusers file; if found, then return PAM_SUCCESS, else fail.
If this can work, I've a problem with pam_listfile.so and IP addresses: I want to do something smarter than specifying 2^11 IP addresses instead a /21 or IP/netmask
Are there alternatives for doing it better?
Thanks.
Sincerely, Simone Marx.