[Dovecot] Problem with allow_nets passdb parameter and Postfix
I use Dovecot for SASL authentication from Postfix. In Postfix main.cf I have:
smtpd_sasl_type = dovecot
It works well, but now I need to allow users to connect by IMAP only from given IP addresses. I've added the extra field allow_nets to the passdb in Dovecot, and IMAP authentication works fine. But now I can't connect to my SMTP server, because when smtpd asks dovecot about user authentication, dovecot always denies it, even if I try to connect to SMTP from a correct IP listed in allow_nets for the user. In the dovecot log I have messages about an incorrect IP like this:
dovecot: 2010-02-15 13:28:51 Info: auth(default): passwd-file(malamut): lookup: user=malamut file=/etc/dovecot/temp.users
dovecot: 2010-02-15 13:28:51 Info: auth(default): passdb(malamut): allow_nets check failed: Remote IP not known
dovecot: 2010-02-15 13:28:53 Info: auth(default): client out: FAIL 7 user=malamut
The problem is clear: smtpd doesn't send the client IP to the dovecot authentication socket. But I need to limit users' ability to connect to specific IPs only, both for SMTP and IMAP. How can I do that? I use dovecot 1.0.15 and Postfix 2.5.5 on Debian Lenny.
On Mon, 2010-02-15 at 14:00 +0300, Неворотин Вадим wrote:
allow_nets check failed: Remote IP not known
The problem is clear: smtpd doesn't send the client IP to the dovecot authentication socket.
Yep. The only way you can get Postfix to send IP to Dovecot is by patching Postfix sources.
But I need to limit users' ability to connect to specific IPs only, both for SMTP and IMAP. How can I do that? I use dovecot 1.0.15 and Postfix 2.5.5 on Debian Lenny.
Do you mean all users must connect from only a specific IP, or is it a per-user configuration? If all users, maybe you can do this on the Postfix side some other way. Or require clients to use the submission port or a different IP and use a firewall.
Well, I've asked this question on the Postfix mailing list and, after the discussion, as I understand it, Postfix 2.7 sends all the necessary client information to the Dovecot socket. But I haven't tried this solution yet.
Oh. I actually checked v2.7 code before replying, but I was stupidly searching only for a full "rip" word, while the code had "\trip" :)
On Thu, 2010-02-18 at 18:41 +0300, Неворотин Вадим wrote:
Well, I've asked this question on the Postfix mailing list and, after the discussion, as I understand it, Postfix 2.7 sends all the necessary client information to the Dovecot socket. But I haven't tried this solution yet.
participants (2)
- Timo Sirainen
- Неворотин Вадим
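Added example (not from the thread, and not Dovecot or Postfix code): a Python model of an allow_nets check applied to a tab-separated AUTH request on the Dovecot auth socket, showing why a request without a rip= field is refused whatever networks the user is allowed. The request lines, addresses, function names and all reason strings except "Remote IP not known" (taken from the log above) are constructed for illustration.

```python
import ipaddress

# Constructed AUTH requests in the tab-separated auth client protocol.
# The first has no rip= field (the situation in the thread); the second has one.
# resp= is a constructed base64 placeholder and is not evaluated here.
AUTH_NO_RIP = "AUTH\t7\tPLAIN\tservice=smtp\tresp=AHVzZXIAcGFzcw=="
AUTH_WITH_RIP = "AUTH\t8\tPLAIN\tservice=smtp\trip=192.0.2.10\tresp=AHVzZXIAcGFzcw=="


def parse_auth_request(line):
    """Return (request id, mechanism, {key: value}) for one AUTH line."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) < 3 or fields[0] != "AUTH":
        raise ValueError("not an AUTH request")
    params = {}
    for field in fields[3:]:
        key, _, value = field.partition("=")  # flags without '=' get value ""
        params[key] = value
    return fields[1], fields[2], params


def allow_nets_check(allow_nets, params):
    """Model of the check: fail closed when the client IP is absent.

    allow_nets is a comma-separated list of IPs and/or CIDR networks.
    Returns (allowed, reason).
    """
    rip = params.get("rip")
    if not rip:
        return False, "Remote IP not known"  # message seen in the thread's log
    try:
        addr = ipaddress.ip_address(rip)
    except ValueError:
        return False, "Remote IP not valid"  # constructed reason string
    for item in allow_nets.split(","):
        network = ipaddress.ip_network(item.strip(), strict=False)
        if addr.version == network.version and addr in network:
            return True, "matched " + item.strip()  # constructed reason string
    return False, "Remote IP not in allowed networks"  # constructed reason string


if __name__ == "__main__":
    for line in (AUTH_NO_RIP, AUTH_WITH_RIP):
        req_id, mech, params = parse_auth_request(line)
        print(req_id, mech, allow_nets_check("192.0.2.0/24", params))
```

Failing closed on a missing rip is what makes allow_nets safe as an access control: an auth client that omits the address cannot bypass the restriction, but it also cannot authenticate any user who has allow_nets set.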