[Dovecot] imap and vpopmail: per-domain auth
Hi, I have qmail + vpopmail + dovecot + squirrelmail 0.99.14 on Fedora Core 4. Qmail includes its own pop3 server, and everybody is able to access it from outside. Dovecot is used only locally by SquirrelMail - so everybody can access via webmail.
I'd like to make imap directly available from outside, but only for a few selected domains (NOT IP addresses!), while leaving everyone able to access with pop3 and/or via webmail.
I don't know if this is possible, and if it is, I don't even know where to start. Is it a vpopmail or dovecot setting?
Thank you for any suggestion and/or pointer to the right documentation.
-- Francesco
On Monday 07 July 2008 17:31:00 Francesco Abeni wrote:
> Hi, I have qmail + vpopmail + dovecot + squirrelmail 0.99.14 on Fedora Core 4. Qmail includes its own pop3 server, and everybody is able to access it from outside. Dovecot is used only locally by SquirrelMail - so everybody can access via webmail.
> I'd like to make imap directly available from outside, but only for a few selected domains (NOT IP addresses!), while leaving everyone able to access with pop3 and/or via webmail.
> I don't know if this is possible, and if it is, I don't even know where to start. Is it a vpopmail or dovecot setting?
> Thank you for any suggestion and/or pointer to the right documentation.
Hi Francesco,
Yes, it is theoretically possible, but due to some problems this feature of vpopmail is not fully compatible with dovecot.
vpopmail, via ~vpopmail/bin/vmoduser, can set some limits on single users, for example disable pop3, disable imap, disable imap except for webmail, etc.
Dovecot should pass to vpopmail some parameters of the user who logged in, such as his address and the local port of the connection, but unfortunately these parameters are not passed, or at least are not passed the way vpopmail expects to receive them, in particular for connections made via imap from remote clients.
vpopmail is able to distinguish and restrict users' connections, but to do so it must be able to know where their connection comes from. There are 3 main classifications that vpopmail knows:
- POP3
- webmail (imap from localhost)
- IMAP
From the log you can identify these connections:
POP3: Jul 8 12:36:41 mail-server vpopmail[11560]: vchkpw-pop3: (PLAIN) login success joe@domain.it:98.52.67.8
Webmail: Jul 8 12:36:32 maill-server vpopmail[11456]: vchkpw-webmail: (PLAIN) login success pippo@domain.it:127.0.0.1
IMAP: Jul 8 12:37:45 mail-server vpopmail[11984]: vchkpw-imap: (PLAIN) login success alessiotest@domain.it:217.127.131.153
But with dovecot, when you log in from an IMAP client (like Thunderbird), in the log you can see:
Jul 8 12:37:45 mail-server vpopmail[11984]: vchkpw-0: .... [note the 0]
Investigating, I discovered that this depends on the fact that dovecot does not pass to vpopmail the parameters that it expects to receive.
Reading the source vchkpw.c, from the vpopmail package, we understand very well how everything works:
See it from line 98 to line 195 http://vpopmail.cvs.sourceforge.net/vpopmail/vpopmail/vchkpw.c?view=markup
an extract:
 98 #define POP_CONN 0
 99 #define SMTP_CONN 1
100 #define IMAP_CONN 2
101 #define WEBMAIL_CONN 3
102
103 /* POP/IMAP connections from the following IPs will be classified as
104  * "web mail" instead of POP/IMAP. On single-server networks, this
105  * will typically be just 'localhost'. For clusters, add the IP
106  * addresses of all webmail servers.
107  */
108 char *webmailips[] = { "127.0.0.1" };
109
110 int ConnType = 0;
111
112 int main( int argc, char **argv)
113 {
114   char *tmpstr;
115
116   if ( (IpAddr = get_remote_ip()) == NULL) IpAddr="";
117   if ( (tmpstr = getenv("TCPLOCALPORT")) == NULL) LocalPort = 0;
118   else LocalPort = atoi(tmpstr);
119
120   /* Check which port they are coming in on and
121    * setup the log name and connection type
122    */
123   switch(LocalPort) {
124     case 25:
125       strcpy(VchkpwLogName, "vchkpw-smtp");
126       ConnType = SMTP_CONN;
127       break;
128     case 110:
129       strcpy(VchkpwLogName, "vchkpw-pop3");
130       ConnType = POP_CONN;
131       break;
132     case 143:
133       strcpy(VchkpwLogName, "vchkpw-imap");
134       ConnType = IMAP_CONN;
135       break;
I believe that if dovecot passed the parameter TCPLOCALPORT to vpopmail everything would work as expected, instead of being classified in this case:
152     default:
153       sprintf(VchkpwLogName, "vchkpw-%u", LocalPort);
154       /*
155        * We're running on an unknown port, so it could be any one of
156        * the three protocols (SMTP, POP or IMAP). Try to guess the
157        * protocol based on argv[1]. For SMTP AUTH, argv[1] is usually
158        * /bin/true. For IMAP, it's usually imapd (or something like
159        * that). Keep the old default of POP.
160        * Note that the popular Courier-IMAP does not use vchkpw, it
161        * links libvpopmail directly into its server.
162        */
Timo, could you give us a hand in solving this problem? This vpopmail feature is very interesting and useful for us.
My dovecot config:
# dovecot -n
# 1.1.1: /etc/dovecot.conf
log_path: /var/log/dovecot/dovecot-err.log
info_log_path: /var/log/dovecot/dovecot.log
ssl_cert_file: /etc/apache2/ssl/server.crt
ssl_key_file: /etc/apache2/ssl/server.pem
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable: /usr/libexec/dovecot/imap-login
login_greeting: Ready
login_process_per_connection: no
first_valid_uid: 89
mail_drop_priv_before_exec: yes
mail_executable: /usr/local/bin/courier-dovecot-migrate
mail_plugins: quota imap_quota
namespace:
  type: private
  separator: .
  prefix: INBOX.
  inbox: yes
  list: yes
  subscriptions: yes
auth default:
  passdb:
    driver: checkpassword
    args: /home/vpopmail/bin/vchkpw
  userdb:
    driver: prefetch
plugin:
  quota: maildir
Thanks.
Alessio Cecchi is:
@ ILS -> http://www.linux.it/~alessice/
GNU/Linux Systems Support -> http://www.cecchi.biz/
@ PLUG -> former President, now senator for life, http://www.prato.linux.it
@ LOLUG -> new member http://www.lolug.net
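Added example (not part of the original messages, and not code from vpopmail or Dovecot): a small Python check that reads vpopmail "login success" lines in the format quoted in the message above and flags logins whose tag is numeric, such as `vchkpw-0`, which are the ones that fell into the `default:` branch of the switch. The sample lines are constructed from the line shapes shown in the thread, and all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, modelled on the log lines quoted in the thread.
SAMPLE_LOG = """\
Jul 8 12:36:41 mail-server vpopmail[11560]: vchkpw-pop3: (PLAIN) login success joe@domain.it:98.52.67.8
Jul 8 12:36:32 mail-server vpopmail[11456]: vchkpw-webmail: (PLAIN) login success pippo@domain.it:127.0.0.1
Jul 8 12:37:45 mail-server vpopmail[11984]: vchkpw-imap: (PLAIN) login success alessiotest@domain.it:217.127.131.153
Jul 8 14:17:42 gag18 vpopmail[7923]: vchkpw-0: (PLAIN) login success alessiotest@domain.it:217.127.131.153
"""

# Only the "login success" shape shown in the thread is parsed (IPv4 peers).
LINE_RE = re.compile(
    r"vpopmail\[\d+\]: vchkpw-(?P<tag>\w+): \((?P<mech>\w+)\) "
    r"login success (?P<user>\S+):(?P<ip>[0-9.]+)$"
)


def parse_line(line):
    """Return a dict for a vchkpw success line, or None if it does not match."""
    m = LINE_RE.search(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # A numeric tag comes from sprintf("vchkpw-%u", LocalPort): the port was
    # not one of the known cases, so the connection type was only guessed.
    rec["classified"] = not rec["tag"].isdigit()
    rec["domain"] = rec["user"].rpartition("@")[2]
    return rec


def parsed(log_text):
    """Yield every line of log_text that parses as a success record."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            yield rec


def unclassified_logins(log_text):
    """Logins that vchkpw could not tie to pop3/imap/webmail/smtp."""
    return [r for r in parsed(log_text) if not r["classified"]]


def tag_summary(log_text):
    """Count successful logins per vchkpw tag."""
    return dict(Counter(r["tag"] for r in parsed(log_text)))


if __name__ == "__main__":
    for r in unclassified_logins(SAMPLE_LOG):
        print("unclassified login:", r["user"], "from", r["ip"], "tag", r["tag"])
```
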
Alessio Cecchi wrote:
> On Monday 07 July 2008 17:31:00 Francesco Abeni wrote:
> > Hi, I have qmail + vpopmail + dovecot + squirrelmail 0.99.14 on Fedora Core 4. Qmail includes its own pop3 server, and everybody is able to access it from outside. Dovecot is used only locally by SquirrelMail - so everybody can access via webmail.
> > I'd like to make imap directly available from outside, but only for a few selected domains (NOT IP addresses!), while leaving everyone able to access with pop3 and/or via webmail.
> Hi Francesco,
> Yes, it is theoretically possible, but due to some problems this feature of vpopmail is not fully compatible with dovecot.
> vpopmail, via ~vpopmail/bin/vmoduser, can set some limits on single users, for example disable pop3, disable imap, disable imap except for webmail, etc.
> Dovecot should pass to vpopmail some parameters of the user who logged in, such as his address and the local port of the connection, but unfortunately these parameters are not passed, or at least are not passed the way vpopmail expects to receive them, in particular for connections made via imap from remote clients. (...)
Alessio, thank you for your very complete answer and evaluation of the problem. Since you have already set up a test environment, can you do me a favour and try one more thing? Specify - in dovecot.conf - the port on which imap should listen, and see if it makes any difference to vpopmail.
Thank you again very much for your cooperation.
-- Francesco
On Tuesday 08 July 2008 13:48:17 Francesco Abeni wrote:
> Alessio Cecchi wrote:
> > On Monday 07 July 2008 17:31:00 Francesco Abeni wrote:
> > > Hi, I have qmail + vpopmail + dovecot + squirrelmail 0.99.14 on Fedora Core 4. Qmail includes its own pop3 server, and everybody is able to access it from outside. Dovecot is used only locally by SquirrelMail - so everybody can access via webmail.
> > > I'd like to make imap directly available from outside, but only for a few selected domains (NOT IP addresses!), while leaving everyone able to access with pop3 and/or via webmail.
> > Hi Francesco,
> > Yes, it is theoretically possible, but due to some problems this feature of vpopmail is not fully compatible with dovecot.
> > vpopmail, via ~vpopmail/bin/vmoduser, can set some limits on single users, for example disable pop3, disable imap, disable imap except for webmail, etc.
> > Dovecot should pass to vpopmail some parameters of the user who logged in, such as his address and the local port of the connection, but unfortunately these parameters are not passed, or at least are not passed the way vpopmail expects to receive them, in particular for connections made via imap from remote clients. (...)
> Alessio, thank you for your very complete answer and evaluation of the problem. Since you have already set up a test environment, can you do me a favour and try one more thing? Specify - in dovecot.conf - the port on which imap should listen, and see if it makes any difference to vpopmail.
> Thank you again very much for your cooperation.
After changing the configuration like this
protocol imap {
  listen = *:143
  ssl_listen = *:993
  mail_plugins = quota imap_quota
}
the result is the same :-(
Jul 8 14:17:42 gag18 vpopmail[7923]: vchkpw-0: (PLAIN) login success alessiotest@domain.it:217.127.131.153
Ciao