Hi at all, in our test environment, I'm playing with dovecot 2.1.13 configured as imap/pop/managesieve proxy. It is configured to authenticate users with ldap and it works very well.

Now, I'd like to temporary disable some users's login, because we are moving to another storage, and I wouldn't stop imap service at all.

I've found on Dovecot wiki that I could use 'nologin' extra field, but I wasn't been able to get it work. My dovecot configuration is:

# 2.1.13: /etc/dovecot/dovecot.conf # OS: Linux 2.6.32-279.19.1.el6.x86_64 x86_64 ... auth_debug = yes auth_debug_passwords = yes auth_verbose = yes auth_verbose_passwords = plain disable_plaintext_auth = no listen = * mail_debug = yes managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave mbox_write_locks = fcntl namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = } passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } plugin { sieve = ~/.dovecot.sieve sieve_dir = ~/sieve } protocols = imap pop3 sieve service managesieve-login { inet_listener sieve { port = 4190 } inet_listener sieve_deprecated { port = 2000 } } ssl = no ssl_cert =

and my 'dovecot-ldap.conf.ext' is:

uris = ldap://ldap.example.it/ dn = "cn=Reader,dc=example,dc=it" dnpass = password base = ou=People,dc=example,dc=it pass_attrs = uid=user,userPassword=password,\

=userdb_home=/var/spool/mail/%1u/%u,uidNumber=userdb_uid,gidNumber=userdb_gid,
=proxy=y,=host=imap.example.it,
=nologin=y pass_filter = (&(objectClass=qmailUser)(uid=%u)(accountStatus=active))

With this configuration, all users can login, and log said:

Jan 23 09:16:18 localhost dovecot: master: Dovecot v2.1.13 starting up (core dumps disabled) Jan 23 09:16:33 localhost dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth Jan 23 09:16:33 localhost dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so Jan 23 09:16:33 localhost dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth Jan 23 09:16:33 localhost dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so Jan 23 09:16:33 localhost dovecot: auth: Debug: auth client connected (pid=3660) Jan 23 09:16:33 localhost dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011session=PsbzT/DT+gCTeiwf#011lip=192.168.129.109#011rip=192.168.44.31#011lport=143#011rport=53754 Jan 23 09:16:33 localhost dovecot: auth: Debug: client passdb out: CONT#0111#011 Jan 23 09:16:33 localhost dovecot: auth: Debug: client in: CONT#0111#011AHByb3ZhZm0AY2hlcGFsbGU= Jan 23 09:16:33 localhost dovecot: auth: Debug: ldap(prova,147.122.44.31,): pass search: base=ou=People,dc=example,dc=it scope=subtree filter=(&(objectClass=qmailUser)(uid=prova)(accountStatus=active)) fields=uid,userPassword,uidNumber,gidNumber,uid,uid Jan 23 09:16:33 localhost dovecot: auth: Debug: ldap(prova,192.168.44.31,): result: uid=prova uidNumber=2944 gidNumber=650 userPassword={MD5}BjbsTtSovVAs1csswBTI7Q== Jan 23 09:16:33 localhost dovecot: auth: Debug: client passdb out: OK#0111#011user=prova#011proxy#011host=imap.example.it#011nologin#011hostip=192.168.11.136#011pass=password Jan 23 09:16:33 localhost dovecot: imap-login: proxy(prova): started proxying to imap.example.it:143: user=<prova>, method=PLAIN, rip=192.168.44.31, lip=192.168.129.109, session=

As you can see 'nologin' field is present in 'passdb' answer, but it doesn't seem to work.

If instead I try to disable login with 'allow_nets' extra field, it works as expected:

'dovecot-ldap.conf.ext': ... pass_attrs = uid=user,userPassword=password,\

=userdb_home=/var/spool/mail/%1u/%u,uidNumber=userdb_uid,gidNumber=userdb_gid,
=proxy=y,=host=imap.example.it,
=allow_nets=127.0.0.0/8

dovecot log:

Jan 22 18:28:19 localhost dovecot: master: Dovecot v2.1.13 starting up (core dumps disabled) Jan 22 18:28:32 localhost dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth Jan 22 18:28:32 localhost dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so Jan 22 18:28:32 localhost dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_pgsql.so Jan 22 18:28:32 localhost dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so Jan 22 18:28:32 localhost dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth Jan 22 18:28:32 localhost dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so Jan 22 18:28:32 localhost dovecot: auth: Debug: auth client connected (pid=3178) Jan 22 18:28:32 localhost dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011lip=192.168.129.109#011rip=192.168.44.31# 011lport=143#011rport=53218 Jan 22 18:28:32 localhost dovecot: auth: Debug: client out: CONT#0111#011 Jan 22 18:28:32 localhost dovecot: auth: Debug: client in: CONT#0111#011AHByb3ZhZm0AY2hlcGFsbGU= Jan 22 18:28:32 localhost dovecot: auth: Debug: ldap(prova,192.168.44.31): pass search: base=ou=People,dc=example,dc=it scope=subtree filt er=(&(objectClass=qmailUser)(uid=prova)(accountStatus=active)) fields=uid,userPassword,uidNumber,gidNumber Jan 22 18:28:32 localhost dovecot: auth: Debug: auth(prova,192.168.44.31): allow_nets: Matching for network 127.0.0.0/8 Jan 22 18:28:32 localhost dovecot: auth: passdb(prova,192.168.44.31): allow_nets check failed: IP not in allowed networks Jan 22 18:28:32 localhost dovecot: auth: Debug: ldap(prova,192.168.44.31): result: uid=prova uidNumber=2944 gidNumber=650 userPassword={MD5}BjbsTtSovGGs1csswBTI7Q== Jan 22 18:28:34 localhost dovecot: auth: Debug: client out: FAIL#0111#011user=prova

I don't understand what is wrong with my configuration with 'nologin'.
Do someone have any clue ??

Cheers, Marco