[Dovecot] restricting access by reverse domain name
Is there a feature or plugin to restrict access to IMAP/POP service by the domain name in reverse lookup? It would be even better if this restriction can exclude certain users (e.g. some users can access IMAP from certain networks but other users cannot).
-- sHiFt HaPpEnS!
On Mon, 2010-08-09 at 10:55 -0400, Phil Howard wrote:
> Is there a feature or plugin to restrict access to IMAP/POP service by the domain name in reverse lookup?
With v2.0 you could use tcp-wrappers.
> It would be even better if this restriction can exclude certain users (e.g. some users can access IMAP from certain networks but other users cannot).
Then you need to check this during authentication. What passdb do you use? There is http://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets but it doesn't do reverse DNS lookups. For that you'd need to a) use passdb pam with some PAM plugin, b) use passdb checkpassword with your own script, c) add some new code to Dovecot or create a plugin.
On Mon, Aug 9, 2010 at 11:18, Timo Sirainen <tss@iki.fi> wrote:
> On Mon, 2010-08-09 at 10:55 -0400, Phil Howard wrote:
> > Is there a feature or plugin to restrict access to IMAP/POP service by the domain name in reverse lookup?
> With v2.0 you could use tcp-wrappers.
> > It would be even better if this restriction can exclude certain users (e.g. some users can access IMAP from certain networks but other users cannot).
> Then you need to check this during authentication. What passdb do you use? There is http://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets but it doesn't do reverse DNS lookups. For that you'd need to a) use passdb pam with some PAM plugin, b) use passdb checkpassword with your own script, c) add some new code to Dovecot or create a plugin.
Most (maybe all) cases will be allowing from all networks except certain ones. The first interest is to block "free web mail" services that users can access IMAP servers with.
I'm using passwd-file:
========================================================================
[...]
auth default:
  mechanisms: plain login
  username_chars: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@+
  username_format: %Ln@%Ld
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
    driver: passwd-file
    args: scheme=crypt username_format=%Ln /var/maildb/authdir/%Ld/passwd
  userdb:
    driver: passwd-file
    args: username_format=%Ln /var/maildb/authdir/%Ld/passwd
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/dovecot-auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmail
      group: vmail
-- sHiFt HaPpEnS!
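Timo's option (b), a checkpassword script that does the reverse lookup itself, sketched as an added example for the "allow everything except a few networks, with exempt users" goal above; this is not Dovecot's code and not a script from this thread. It assumes Dovecot hands the client address to the script in TCPREMOTEIP and the credentials on fd 3 as the checkpassword protocol specifies; the denied suffixes, the exempt user and the paths are constructed.

```python
#!/usr/bin/env python3
# Added example (not Dovecot's code): a checkpassword-protocol wrapper doing a
# reverse-DNS policy check before handing off to the real checkpassword program:
#   passdb checkpassword args = /usr/local/bin/rdns-check /path/to/real-check
# Assumed: client IP arrives in TCPREMOTEIP and "user\0pass\0" on fd 3.
import os
import socket
import sys

# Constructed policy: deny clients whose confirmed PTR name falls under one
# of these suffixes, unless the user is exempt. Everything else is allowed.
DENIED_SUFFIXES = ("webmail-fetcher.test", "freemail.test")
EXEMPT_USERS = {"alice@example.test"}

def fcrdns(ip, reverse=socket.gethostbyaddr, forward=socket.gethostbyname_ex):
    """Forward-confirmed reverse DNS: the PTR name counts only if one of its
    A records points back at ip; a bare PTR is set by whoever owns the block."""
    try:
        name = reverse(ip)[0]
        if ip not in forward(name)[2]:
            return None
    except (socket.herror, socket.gaierror, OSError):
        return None
    return name.lower().rstrip(".")

def is_allowed(user, hostname):
    """Allow-by-default denylist; no confirmed PTR means 'not listed', so allowed."""
    if user in EXEMPT_USERS or hostname is None:
        return True
    return not any(hostname == s or hostname.endswith("." + s)
                   for s in DENIED_SUFFIXES)

def main():
    data = os.read(3, 512)          # "user\0password\0[timestamp\0]"
    user = data.split(b"\0", 1)[0].decode("utf-8", "replace")
    if not is_allowed(user, fcrdns(os.environ.get("TCPREMOTEIP", ""))):
        sys.exit(1)                 # exit 1 = authentication failed
    # Re-create fd 3 with the untouched credentials for the real checker.
    r, w = os.pipe()
    os.write(w, data)
    os.close(w)
    os.dup2(r, 3)
    os.execv(sys.argv[1], sys.argv[1:])

if __name__ == "__main__":
    main()
```

The wrapper only chains to another checkpassword program, so the passwd-file passdb shown above would have to be fronted by one rather than reused directly.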