[Dovecot] Dovecot as ip/user-based login filter?
Hello.
I'm facing a problem: I need to give access to the internal mailserver to some people only, but can't figure out how to do it. Opening port 993 to the whole world gives access to everyone who has an account.
Can Dovecot act as a login filter or something similar for that purpose? Or does anybody have an idea how to do it?
-- Sysadmin
I don't know if Dovecot could handle this itself, but it shouldn't be a huge problem creating some iptables rules to handle what you need. Check this link for ideas and examples.
http://hacks.oreilly.com/pub/h/45
Hope that helps.
Joe
Sysadmin wrote:
> Hello.
> I'm facing a problem: I need to give access to the internal mailserver to some people only, but can't figure out how to do it. Opening port 993 to the whole world gives access to everyone who has an account.
> Can Dovecot act as a login filter or something similar for that purpose? Or does anybody have an idea how to do it?
On Mon, 2006-04-10 at 11:44 +0300, Sysadmin wrote:
> Hello.
> I'm facing a problem: I need to give access to the internal mailserver to some people only, but can't figure out how to do it. Opening port 993 to the whole world gives access to everyone who has an account.
> Can Dovecot act as a login filter or something similar for that purpose? Or does anybody have an idea how to do it?
Dovecot 1.0beta4 and newer support an "allow_nets" field in userdb. So with SQL you'd do e.g.:
select uid, gid, home, allow_nets from users where username = '%u'
where allow_nets contains something like: 192.168.0.0/24,10.0.0.0/8
Or the same is possible with passwd-file, etc.
Hello.
> Dovecot 1.0beta4 and newer support an "allow_nets" field in userdb. So with SQL you'd do e.g.:
> select uid, gid, home, allow_nets from users where username = '%u'
> where allow_nets contains something like: 192.168.0.0/24,10.0.0.0/8
> Or the same is possible with passwd-file, etc.
Thank you for the hint, it looks promising.
However, I don't use SQL; dovecot.conf shows that passdb pam is in use, so the passwd-file solution seems reasonable. Would you kindly give more hints about this allow_nets parameter? I still can't figure out how to set different settings. Basically the situation is: I have a firewall-protected network in which the mailserver also runs, and everyone with an account can access it. Now I have some privileged users who need access also from outside, through the firewall, so it seems I must use two pairs of rules, something like:
First, a default rule, where I define my networks, like 192.168.0.0/24,10.0.0.0/8, and this allows all users from these networks to access dovecot. I presume I can't define networks this way = 192.168.0.0/24,10.0.0.0/8:993
Second, a special rule, where I define other networks, like 0.0.0.0, and allow some privileged users to access from these networks.
Or do you mean that all others use the default networks like before, and with this allow_nets I just add 0.0.0.0 to every privileged user? Can I make a group, or must I list every one with his own rule?
I also need to give Postfix-sasl access to these privileged users, but I think I'll solve it by adding their account/password for sasl into sasldb only.
-- Sysadmin
Hello.
> Dovecot 1.0beta4 and newer support an "allow_nets" field in userdb. So with SQL you'd do e.g.:
> select uid, gid, home, allow_nets from users where username = '%u'
> where allow_nets contains something like: 192.168.0.0/24,10.0.0.0/8
> Or the same is possible with passwd-file, etc.
Ok, now I found the example in the wiki. However, can I use this "allow_nets" field with the existing pam, for example by adding some stuff to the user's line in /etc/passwd?
And when I made a separate passwd file and configured dovecot to use it:
dovecot: Apr 11 13:42:48 Info: auth(default): passwd-file /etc/dovecot.outusers: Read 2 users
/etc/dovecot.outusers includes
test1:{plain}test1:500:502::/home/test::mail=maildir:~/Maildir allow_nets=0.0.0.0
test1:{plain}test2:501:502::/home/test2::mail=maildir:~/Maildir allow_nets=192.168.0.0/24
So I made a test: connecting from 172.17.25.3 to both accounts worked well. If my conf's syntax is ok, then what is wrong?
-- Sysadmin
Sysadmin wrote:
> ...snip...
> And when I made a separate passwd file and configured dovecot to use it:
> dovecot: Apr 11 13:42:48 Info: auth(default): passwd-file /etc/dovecot.outusers: Read 2 users
> /etc/dovecot.outusers includes
> test1:{plain}test1:500:502::/home/test::mail=maildir:~/Maildir allow_nets=0.0.0.0
> test1:{plain}test2:501:502::/home/test2::mail=maildir:~/Maildir allow_nets=192.168.0.0/24
> So I made a test: connecting from 172.17.25.3 to both accounts worked well. If my conf's syntax is ok, then what is wrong?
The only thing I can think of is that because they both have the same username (test1) that the first is overriding the second and allowing access from 0.0.0.0 (i.e. anywhere).
Try changing the username on the 2nd line to be test2 and see if that has any effect.
Alan
Hello.
> The only thing I can think of is that because they both have the same username (test1) the first is overriding the second and allowing access from 0.0.0.0 (i.e. anywhere).
> Try changing the username on the 2nd line to be test2 and see if that has any effect.
Actually the original conf included different names etc, this was just an example, so the typo there doesn't count :(.
-- Sysadmin
Hello.
As I said once, I have a firewall-protected network in which the mailserver (dovecot/postfix) also runs, and every local user with an account can access it. Now I have some privileged users who need access also from outside, through the firewall:
let the group1 members access mailserver from 0.0.0.0/0
let the group2 members access mailserver from 172.0.0.0/24
group1 members are also members of group2 and logically group1 members should access mailserver from every network, including 172.0.0.0/24 and group1 members should access mailserver only from 172.0.0.0/24 network.
So I tried to make this happen with dovecot: I made a separate passwd file and configured dovecot to use it:
dovecot: Apr 11 13:42:48 Info: auth(default): passwd-file /etc/dovecot.outusers: Read 2 users
/etc/dovecot.outusers includes
test1:{plain}test1:500:502::/home/test::mail=maildir:~/Maildir allow_nets=0.0.0.0
test2:{plain}test2:501:502::/home/test2::mail=maildir:~/Maildir allow_nets=172.0.0.0/24 192.0.0.0/24
Still, connecting from 172.17.25.3 to both accounts worked well, so it seems the code doesn't work.
So next step to do it, was pam:
/etc/pam.d/dovecot.pam includes:
auth     required  pam_nologin.so
auth     required  pam_stack.so service=system-auth
account  required  pam_stack.so service=system-auth
session  required  pam_stack.so service=system-auth
account  required  pam_access.so
/etc/security/access.conf includes:
+:group1:ALL
+:group2:172. 192.
-:ALL:ALL
And it works. Maybe this information is useful for someone.
-- Sysadmin
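To see what the access.conf above actually grants, here is an added example (my own code, not part of the thread and not pam_access itself) that evaluates access.conf-style rules for a user, the user's groups and the client address. It re-implements the matching rules as I understand them from the pam_access man page, and those are assumptions: the first matching line wins, ALL matches anything, an origin ending in a dot such as "172." is a string prefix, and no matching line means permit (which is why the file ends with -:ALL:ALL). EXCEPT clauses, hostname and domain origins are not modelled. The sample users and addresses are constructed.

```python
"""Evaluate pam_access-style access.conf rules for a (user, groups, origin) triple.

Added example for this thread, not pam_access itself. Assumed semantics (from
the pam_access man page as I read it): first matching line wins, "ALL" matches
anything, an origin ending in "." is a string prefix, and no match permits.
"""

# Constructed copy of the access.conf posted above.
ACCESS_CONF = """\
+:group1:ALL
+:group2:172. 192.
-:ALL:ALL
"""


def parse_access_conf(text):
    """Return a list of (permit, user_patterns, origin_patterns) tuples in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field in {raw!r}")
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def user_matches(pattern, user, groups):
    """'ALL', a user name, a group name, or '(group)' (the explicit group form)."""
    if pattern == "ALL":
        return True
    if pattern.startswith("(") and pattern.endswith(")"):
        return pattern[1:-1] in groups
    return pattern == user or pattern in groups


def origin_matches(pattern, origin):
    """'ALL', an exact address, or a dotted prefix like '172.' (all of 172.0.0.0/8)."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return origin.startswith(pattern)
    return pattern == origin


def access_decision(rules, user, groups, origin):
    """First matching rule decides; with no match the assumed default is permit."""
    for permit, user_patterns, origin_patterns in rules:
        if any(user_matches(p, user, groups) for p in user_patterns) and \
           any(origin_matches(p, origin) for p in origin_patterns):
            return permit
    return True


if __name__ == "__main__":
    rules = parse_access_conf(ACCESS_CONF)
    # Constructed users: alice is in group1 and group2, bob only in group2, carol in neither.
    cases = [("alice", ["group1", "group2"], "203.0.113.7"),
             ("bob", ["group2"], "172.17.25.3"),
             ("bob", ["group2"], "203.0.113.7"),
             ("carol", [], "172.17.25.3")]
    for user, groups, origin in cases:
        verdict = "permit" if access_decision(rules, user, groups, origin) else "deny"
        print(f"{user:6} groups={groups} from {origin}: {verdict}")
```

One thing the evaluator makes visible: the origin "172." in the posted file is a prefix, so it matches every 172.x.x.x address (the 172.17.25.3 test client included), not only the 172.0.0.0/24 that the earlier message described as the intended range. If only that /24 is meant, a narrower prefix such as "172.0.0." expresses it.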
On Thu, 2006-04-13 at 10:42 +0300, Sysadmin wrote:
> So I tried to make this happen with dovecot: I made a separate passwd file and configured dovecot to use it:
> dovecot: Apr 11 13:42:48 Info: auth(default): passwd-file /etc/dovecot.outusers: Read 2 users
> /etc/dovecot.outusers includes
> test1:{plain}test1:500:502::/home/test::mail=maildir:~/Maildir allow_nets=0.0.0.0
> test2:{plain}test2:501:502::/home/test2::mail=maildir:~/Maildir allow_nets=172.0.0.0/24 192.0.0.0/24
> Still, connecting from 172.17.25.3 to both accounts worked well, so it seems the code doesn't work.
So, I tested this now myself and it does seem to work in my tests...
One problem that I had was that the allow_nets setting (or others) weren't used at all if you didn't also have the same file set as "userdb passwd-file". But looking at the data in the file it looks like you did use it?
Also, another problem that I see is that the networks should have been separated with commas.
Anyway, I also now added to CVS that if auth_debug=yes it'll print some debug messages when checking the networks.
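The two mistakes discussed in this thread (a second network separated by a space instead of a comma, and the same username on two lines) are easy to catch before the file is deployed. The following is an added example, my own code rather than Dovecot's, that parses a passwd-file in the layout posted above and both lints the allow_nets field and evaluates it for a client address. Its assumptions are not from the page: the columns are user:password:uid:gid:gecos:home:shell:extra, the extra column holds whitespace-separated key=value pairs, allow_nets is a comma-separated list of CIDR networks (as Timo's reply states), an entry without allow_nets is treated as unrestricted, and a bare address without a prefix length is treated as a single host, so the "anywhere" form is 0.0.0.0/0. The sample file is constructed from the thread's entries plus two extra ones.

```python
"""Lint a Dovecot passwd-file's allow_nets entries and evaluate them for a client IP.

Added example for this thread, not Dovecot's own code. Assumed layout:
user:password:uid:gid:gecos:home:shell:extra, with extra as whitespace-separated
key=value pairs and allow_nets as a comma-separated list of CIDR networks.
"""
import ipaddress

# Constructed sample: the thread's two entries (test1 corrected to /0) plus two
# more that show the mistakes discussed: space-separated networks (test2) and a
# bare 0.0.0.0 without a prefix length (test4).
SAMPLE_PASSWD_FILE = """\
test1:{plain}test1:500:502::/home/test::mail=maildir:~/Maildir allow_nets=0.0.0.0/0
test2:{plain}test2:501:502::/home/test2::mail=maildir:~/Maildir allow_nets=172.0.0.0/24 192.0.0.0/24
test3:{plain}test3:502:502::/home/test3::mail=maildir:~/Maildir allow_nets=172.0.0.0/24,192.0.0.0/24
test4:{plain}test4:503:502::/home/test4::mail=maildir:~/Maildir allow_nets=0.0.0.0
"""


def parse_passwd_file(text):
    """Return {username: entry}; each entry records parsed allow_nets and lint problems."""
    users = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 7)          # at most 8 columns; the 8th may itself contain ':'
        username = fields[0]
        if username in users:
            # Same name twice (Alan's point): keep the first and flag it. Which
            # entry Dovecot itself would use is not asserted here.
            users[username]["problems"].append(f"line {lineno}: duplicate username {username!r}")
            continue
        entry = {"line": lineno, "extra": {}, "allow_nets": None, "problems": []}
        extra = fields[7] if len(fields) == 8 else ""
        for token in extra.split():
            if "=" not in token:
                entry["problems"].append(
                    f"stray token {token!r}: extra fields are key=value pairs; "
                    "several networks belong in one allow_nets= separated by commas")
                continue
            key, value = token.split("=", 1)
            entry["extra"][key] = value
        if "allow_nets" in entry["extra"]:
            entry["allow_nets"] = []
            for item in entry["extra"]["allow_nets"].split(","):
                item = item.strip()
                try:
                    net = ipaddress.ip_network(item, strict=False)
                except ValueError:
                    entry["problems"].append(f"unparseable network {item!r}")
                    continue
                if "/" not in item:
                    hint = " (for 'anywhere' write 0.0.0.0/0)" if item == "0.0.0.0" else ""
                    entry["problems"].append(
                        f"{item!r} has no prefix length, so it matches only that single host{hint}")
                entry["allow_nets"].append(net)
        users[username] = entry
    return users


def client_allowed(users, username, client_ip):
    """True if the user exists and client_ip falls inside one of its allow_nets."""
    entry = users.get(username)
    if entry is None:
        return False
    if entry["allow_nets"] is None:
        return True                      # assumption: no allow_nets means no restriction
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in entry["allow_nets"])


def lint(text):
    """Map each username that has problems to its list of problem messages."""
    return {u: e["problems"] for u, e in parse_passwd_file(text).items() if e["problems"]}


if __name__ == "__main__":
    users = parse_passwd_file(SAMPLE_PASSWD_FILE)
    for user, problems in lint(SAMPLE_PASSWD_FILE).items():
        print(f"{user}: " + "; ".join(problems))
    for user, ip in [("test1", "203.0.113.5"), ("test2", "192.0.0.5"), ("test3", "192.0.0.5")]:
        verdict = "allowed" if client_allowed(users, user, ip) else "denied"
        print(f"{user} from {ip}: {verdict}")
```

Run against the sample, the linter reports test2's "192.0.0.0/24" as a stray token that never becomes part of allow_nets, so a client from 192.0.0.5 is denied for test2 but allowed for test3, whose entry uses the comma form. Running such a check on the real file, with the password column redacted, is a cheap way to confirm the file says what was intended before relying on it for access control.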
participants (4): Alan Premselaar, Joe, Sysadmin, Timo Sirainen