On 11/25/2007, Marc Cuypers (m.cuypers@mgvd.be) wrote:

Charles Marcus wrote:

...

On 11/23/2007, Marc Cuypers (m.cuypers@mgvd.be) wrote:

...

# dovecot --version 1.0.rc15

...

Extremely old...

Upgrade...

Does your reply mean that allow_nets didn't work with version 1.0.

Not necessarily - it means its so old that I (and most likely more than a few others) don't want to hassle with checking to see what possible problems/bugs it had that are fixed in current releases.

Unlike myself, Timo could I'm sure answer a lot of question like this off the top of his head, but I'm also sure even he gets irritated by people who come here asking for help when they are running an ancient version.

In other words, as with all free software - the more current version, you are running, the easier it will be to get support...

--

Best regards,

Charles

On 11/26/2007, Marc Cuypers (m.cuypers@mgvd.be) wrote:

I'll try to compile dovecot 1.0.7 on a test machine (debian etch), and test again.

I forgot the best reason - improvements (sometimes major) in performance and behavior... its just 'better'... :)

--

Best regards,

Charles

Timo Sirainen schreef:

On Fri, 2007-11-23 at 16:12 +0100, Marc Cuypers wrote:

...

Some of the mail users may only login from the LAN, while others can login from the LAN and the internet.

I've read about allow_nets but i can't find very much info when dovecot is used with ldap. Can someone give me a direction (url, configuration file, ...).

You'll have to store the allow_nets field to LDAP using some name and tell Dovecot to use it in pass_attrs. On LDAP side you probably need some special schema (don't ask me about that) or you need to use some other existing field for that purpose.

pass_attrs anyway goes something like:

pass_attrs = uid=user,userPassword=password,someField=allow_nets

I already added the field allownets to the ldap database. Then i compiled dovecot 1.0.7 on a test machine and set dovecot up to use ldap. # dovecot --version 1.0.7

The LAN is using the addresses in the range 10.0.0.0/24. The test machine (server) is 10.0.0.224 and the client is 10.0.0.110 Even when allow_nets contains 127.0.0.1/8, 192.168.1.0/24, i get access. With this setting I thought i only could login from 127.0.0.1 and from the network 192.168.1.0/24.

Hereunder the logs and de configuration files.

dovecot: 2007-11-27 09:04:14 Info: auth(default): client in: AUTH 1 PLAIN service=IMAP secured lip=10.0.0.224 rip=10.0.0.110 dovecot: 2007-11-27 09:04:14 Info: auth(default): client out: CONT 1 dovecot: 2007-11-27 09:04:14 Info: auth(default): client in: CONT<hidden> dovecot: 2007-11-27 09:04:14 Info: auth(default): ldap(marc,10.0.0.110): bind: dn=uid=marc,ou=accounts,ou=people,dc=mgvd,dc=be dovecot: 2007-11-27 09:04:14 Info: auth(default): client out: OK 1 user=marc dovecot: 2007-11-27 09:04:14 Info: auth(default): master in: REQUEST 3 14412 1 dovecot: 2007-11-27 09:04:14 Info: auth(default): ldap(marc,10.0.0.110): user search: base=ou=accounts,ou=people,dc=mgvd,dc=be scope=subtree filter=(&(objectClass=postfixmail)(uid=marc)) fields=allownets dovecot: 2007-11-27 09:04:15 Info: auth(default): master out: USER 3 marc allow_nets=127.0.0.1/8, 192.168.1.1 uid=5001 gid=5002 dovecot: 2007-11-27 09:04:15 Info: imap-login: Login: user=<marc>, method=PLAIN, rip=10.0.0.110, lip=10.0.0.224, TLS dovecot: 2007-11-27 09:04:15 Info: auth(default): new auth connection: pid=14463

Configuration files used

protocols = imaps log_path = /var/log/dovecot.log log_timestamp = "%Y-%m-%d %H:%M:%S " mail_location = maildir:/home/mail/%u/Maildir mail_extra_groups = mail protocol imap { }

protocol pop3 { pop3_uidl_format = %08Xu%08Xv } auth_debug = yes auth default { mechanisms = plain login passdb ldap { args = /etc/dovecot/dovecot-ldap.conf }

userdb ldap { args = /etc/dovecot/dovecot-ldap.conf } user = root socket listen { client { path = /var/spool/postfix/private/auth mode = 0660 user = postfix group = postfix } } } dict { } plugin { }

hosts = 127.0.0.1 dn=cn=manager,dc=mgvd,dc=be dnpass = <password> auth_bind = no auth_bind_userdn = uid=%u,ou=accounts,ou=people,dc=mgvd,dc=be base = ou=accounts,ou=people,dc=mgvd,dc=be scope = subtree user_attrs = allownets=allow_nets user_filter = (&(objectClass=postfixmail)(uid=%u)) pass_attrs = uid=user,userPassword=password,allownets=allow_nets pass_filter = (&(objectClass=postfixmail)(uid=%u)) user_global_uid = 5001 user_global_gid = 5002

-- Marc

Timo Sirainen schreef:

On Tue, 2007-11-27 at 09:20 +0100, Marc Cuypers wrote:

...

dovecot: 2007-11-27 09:04:14 Info: auth(default): ldap(marc,10.0.0.110): bind: dn=uid=marc,ou=accounts,ou=people,dc=mgvd,dc=be

So it binds.

...

auth_bind = no auth_bind_userdn = uid=%u,ou=accounts,ou=people,dc=mgvd,dc=be

I guess setting auth_bind_userdn makes Dovecot ignore auth_bind setting. Maybe I should change that.. Or I guess I'll do it only for v1.1. Anyway, do you want auth binds?

The problem is that if you set auth_bind_userdn, Dovecot doesn't do the pass_attrs/filter lookup at all, because that's what auth_bind_userdn optimization is for.

Commenting out auth_bind_userdn helps.

Now the problem is solved.

Many thanks.

I got a remark.

When allownets doesn't exist in ldap. The user is allowed to login. From a point of security this is not safe. When allownets is accidently removed from ldap, the user gets access from everywhere. I know that removing allownets should not happen, but it could.

Wouldn't it be safer, to deny access when allownets does not exist?

-- Marc