[Dovecot] Disable IMAP for certain users, but not Webmailer
Hi everybody,
I'm planning to set up our new mail system using the Dovecot mailbox server. It already mostly works fine (it's quite straightforward to set up, I'd say), but there's one thing I haven't been able to find out yet. We provide POP3 access for all users, but want to restrict IMAP access to some of them (because IMAP users tend to leave more messages on the server, thus increasing storage needs).
I used to do it by providing two services. One provided the public imap and checked a database flag during authentication, the other just provided IMAP on localhost and did not check the "allowed to use IMAP" flag.
What I've found for Dovecot is http://wiki.dovecot.org/Authentication/RestrictAccess. While this allows me to provide full POP3 to everybody and at the same time restrict IMAP, I don't see a possibility
Is there any possibility to achieve what I need without having two completely separated instances of Dovecot running?
I'd appreciate any hints, pointers to documents etc.
Thanx, Baltasar
_____ FORMER 03 GmbH _____ infanteriestraße 19 haus 6 eg _____ 80797 münchen
_____ baltasar.cevc@former03.de _____ www.former03.de
_____ fon 089.322112.29 _____ fax 089.322112.11 _____ mobil 0178.691.2233
_____ geschäftsführer _____ sebastian fiedler _____ gert zellentin
_____ handelsregister _____ HRB München 148468
_____ steuer _____ ust.-id DE 2291076876
FORMER 03 | Baltasar Cevc wrote:
Hi everybody,
I'm planning to set up our new mail system using the Dovecot mailbox server. It already mostly works fine (it's quite straightforward to set up, I'd say), but there's one thing I haven't been able to find out yet. We provide POP3 access for all users, but want to restrict IMAP access to some of them (because IMAP users tend to leave more messages on the server, thus increasing storage needs).
[snip]
1 - storage is cheap - Costco sells a 1 TByte external drive for approx $US 300. That holds a LOT of e-mail. The 500 GByte is less than half that price. 2 - why not enforce quotas? I assume you could set quotas by user.
POP users could opt to keep a copy on the server, so that doesn't guarantee anything.
I prefer IMAP because then I can access the same mail from different clients computers...
Hi Russell,
On Sun, 05 Aug 2007 08:28:12 -0700 Don Russell <russell.don@gmail.com> wrote:
1 - storage is cheap - Costco sells a 1 TByte external drive for approx $US 300. That holds a LOT of e-mail. The 500 GByte is less than half that price.

The problem is not storage as such. It's the reliability of storage. For a good server, you need a hardware RAID + backup, the latter being the real problem (mostly the time to make the backup; 1 TB would need quite some hours ;-)

2 - why not enforce quotas? I assume you could set quotas by user.

We will have quotas, but they have to be relatively big (100 MB +), as we want people to be able to receive large messages. We don't mind the traffic.

POP users could opt to keep a copy on the server, so that doesn't guarantee anything.

It does not guarantee anything, but experience shows that when using IMAP, people tend to archive their mails on the server.

I prefer IMAP because then I can access the same mail from different clients computers...

Me too. But we need the possibility to disable it for some users at the moment.
Baltasar
FORMER 03 | Baltasar Cevc wrote:
Hi Russell,
On Sun, 05 Aug 2007 08:28:12 -0700 Don Russell <russell.don@gmail.com> wrote:
1 - storage is cheap - Costco sells a 1 TByte external drive for approx $US 300. That holds a LOT of e-mail. The 500 GByte is less than half that price.
The problem is not storage as such. It's the reliability of storage. For a good server, you need a hardware RAID + backup, the latter being the real problem (mostly the time to make the backup; 1 TB would need quite some hours ;-)
Presumably you would not accumulate 1 TByte of data before your first backup.... using incremental back up would alleviate the time problem.
So what I'm hearing is you will back up the mail on the server, but the mail retrieved by POP3 is the user's responsibility... i.e. it won't get backed up.
So you want to restrict IMAP use to only those users who need their mail backed up. ;-)
Not sure what your situation is, but in the USA laws are underway for requiring corporations to keep ALL e-mail ... not sure what the state of those laws are.... maybe they won't materialize.... but obviously people are thinking along those lines...
Based on your e-mail address, I assume you are not subject to US laws etc... but I think it's a "sign" of things to come in the corporate world.
Anyway, I've taken this a bit off track... I do not know exactly how to implement what you asked for.... POP3 for some, IMAP for others. :-(
Off the top of my head.... since both of those protocols need authentication.... it ought to be possible to define credentials on a per-user basis so IMAP is successful only for some users. I would research IMAP authentication methods... you want the password file (database, whatever) to contain only a subset of the system users.... shouldn't be too difficult, just a bit of "double entry" when adding new users to the system.
On Sun, Aug 05, 2007 at 09:53:52AM -0700, Don Russell wrote:
Not sure what your situation is, but in the USA laws are underway for requiring corporations to keep ALL e-mail ... not sure what the state of those laws are.... maybe they won't materialize.... but obviously people are thinking along those lines...
Based on your e-mail address, I assume you are not subject to US laws etc... but I think it's a "sign" of things to come in the corporate world.
Some possible future law in some silly country has nothing to do with Baltasar's original technical question, which is completely legitimate; offering POP3 access to all and IMAP only to some.
Baltasar:
You could use different passdbs under pop3 and imap, using the allow_nets extra field: http://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets
You would allow pop3 access to all, imap access to some from any IP and to others only from the webmail server(s) IP('s).
Geert
Hi Geert,
On Sun, 5 Aug 2007 19:54:03 +0200 Geert Hendrickx <ghen@telenet.be> wrote:
Baltasar:
You could use different passdbs under pop3 and imap, using the allow_nets extra field: http://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets
You would allow pop3 access to all, imap access to some from any IP and to others only from the webmail server(s) IP('s).
Geert
Thanks for the hint. I use SQL, so I can catch something in the query. But I'm not sure how I can provide two IMAP services in one Dovecot system. (See my other mail for details.)
Baltasar
At 8:28 AM -0700 8/5/07, Don Russell imposed structure on a stream of electrons, yielding:
FORMER 03 | Baltasar Cevc wrote:
Hi everybody,
I'm planning to set up our new mail system using the Dovecot mailbox server. It already mostly works fine (it's quite straightforward to set up, I'd say), but there's one thing I haven't been able to find out yet. We provide POP3 access for all users, but want to restrict IMAP access to some of them (because IMAP users tend to leave more messages on the server, thus increasing storage needs).
[snip]
1 - storage is cheap - Costco sells a 1 TByte external drive for approx $US 300. That holds a LOT of e-mail. The 500 GByte is less than half that price.
Storage in most business environments costs a lot more than the price of consumer-grade disks. Physical disks are a minor component of the true cost of providing storage in an available, reliable, maintainable, restorable, flexible, and auditable manner.
2 - why not enforce quotas? I assume you could set quotas by user.
Quotas are an administrative hassle even when they work technically. In many places they also are a poor proxy for the real policy need of retaining (and removing) mail based on age.
POP users could opt to keep a copy on the server, so that doesn't guarantee anything.
There are sites which handle that through policy which they enforce automatically and the use of Maildir. With Maildir, a script that removes messages once they've been retrieved and/or are older than a certain age is a pretty simple and efficient matter.
I prefer IMAP because then I can access the same mail from different clients computers...
IMAP certainly provides more flexibility for users, but sometimes that flexibility is not needed or is specifically unwanted.
--
Bill Cole
bill@scconsult.com
On Sun, 2007-08-05 at 12:41 +0200, FORMER 03 | Baltasar Cevc wrote:
Is there any possibility to achieve what I need without having two completely separated instances of Dovecot running?
It depends on what passdb you want to use. SQL would be simple. CheckPassword script would be possible. Others might, or might not.
Hi Timo!
On Sun, 05 Aug 2007 20:02:28 +0300 Timo Sirainen <tss@iki.fi> wrote:
On Sun, 2007-08-05 at 12:41 +0200, FORMER 03 | Baltasar Cevc wrote:
Is there any possibility to achieve what I need without having two completely separated instances of Dovecot running?
It depends on what passdb you want to use. SQL would be simple. CheckPassword script would be possible. Others might, or might not.
I authenticate against a MySQL database. What I've figured out is how to disable IMAP - I do it using the following query in dovecot-sql.conf (I use prefetch, so that's the only query done):

password_query = SELECT username AS user, password_enc AS password
  FROM mail_users
  WHERE username = '%u'
    AND ( (IF('%a' = '143', imap, '0')) = 'Y'
       OR (IF('%a' = '110', pop3, '0')) = 'Y'
       OR 1 )

But I'd need some possibility to have two different IMAP listeners (e.g. one on port 144 for webmail) or something similar, as I currently disallow webmail (which connects to localhost via IMAP), too.
By the way: Thanx for the hints!
Baltasar
FORMER 03 | Baltasar Cevc wrote:
Hi Timo!
On Sun, 05 Aug 2007 20:02:28 +0300 Timo Sirainen <tss@iki.fi> wrote:
On Sun, 2007-08-05 at 12:41 +0200, FORMER 03 | Baltasar Cevc wrote:
Is there any possibility to achieve what I need without having two completely separated instances of Dovecot running?

It depends on what passdb you want to use. SQL would be simple. CheckPassword script would be possible. Others might, or might not.

I authenticate against a MySQL database. What I've figured out is how to disable IMAP - I do it using the following query in dovecot-sql.conf (I use prefetch, so that's the only query done):

password_query = SELECT username AS user, password_enc AS password
  FROM mail_users
  WHERE username = '%u'
    AND ( (IF('%a' = '143', imap, '0')) = 'Y'
       OR (IF('%a' = '110', pop3, '0')) = 'Y'
       OR 1 )

But I'd need some possibility to have two different IMAP listeners (e.g. one on port 144 for webmail) or something similar, as I currently disallow webmail (which connects to localhost via IMAP), too.

Test for %s instead of %a and use %r to allow your web server (or %l, as it connects to localhost). It's just SQL-foo :)

For a full list of available variables: http://wiki.dovecot.org/Variables
-- Angel Marin http://anmar.eu.org/
On Sun, Aug 05, 2007 at 10:20:02PM +0200, FORMER 03|Baltasar Cevc wrote:
But I'd need some possibility to have two different IMAP listeners (e.g. one on port 144 for webmail) or something similar, as I currently disallow webmail (which connects to localhost via IMAP), too.
You just need to accept IMAP from any IP for some, from localhost only for others, and from nowhere for the rest. No need for different ports. You just need one additional column in the database (with 'pop3'/'imap'/'webmail' or however you'd like to encode it) and then construct the right SQL queries; see Angel Marin's hints for that.
Geert
On Sun, 2007-08-05 at 22:20 +0200, FORMER 03 | Baltasar Cevc wrote:
password_query = SELECT username AS user, password_enc AS password
  FROM mail_users
  WHERE username = '%u'
    AND ( (IF('%a' = '143', imap, '0')) = 'Y'
       OR (IF('%a' = '110', pop3, '0')) = 'Y'
       OR 1 )
Instead of ports it would be better to use %Ls which expands to "imap" or "pop3".
But I'd need some possibility to have two different IMAP listeners (e.g. one on port 144 for webmail) or something similar, as I currently disallow webmail (which connects to localhost via IMAP), too.
or '%r' = '127.0.0.1'
Hi Timo,
On Mon, 06 Aug 2007 15:00:05 +0300 Timo Sirainen <tss@iki.fi> wrote:
On Sun, 2007-08-05 at 22:20 +0200, FORMER 03 | Baltasar Cevc wrote:
password_query = SELECT username AS user, password_enc AS password
  FROM mail_users
  WHERE username = '%u'
    AND ( (IF('%a' = '143', imap, '0')) = 'Y'
       OR (IF('%a' = '110', pop3, '0')) = 'Y'
       OR 1 )

Instead of ports it would be better to use %Ls which expands to "imap" or "pop3".

I had that before, but due to the setup I use (Linux Vserver), it would be a bit nicer to bind it to different ports instead of different IPs (localhost maps to the IP of the system in that setup, so I need to set up two IPs). But any working solution will do...

But I'd need some possibility to have two different IMAP listeners (e.g. one on port 144 for webmail) or something similar, as I currently disallow webmail (which connects to localhost via IMAP), too.

or '%r' = '127.0.0.1'

That's what I've overlooked. This will solve the "problem". Thanks a lot, Baltasar
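Putting the thread's conclusion together: a single password_query that grants POP3 to everybody, IMAP from anywhere to some users, and IMAP only from the webmail host to others, using Geert's one-extra-column scheme and the %Ls / %r variables Angel and Timo pointed at. This is an added example, not a query posted by anyone in the thread. It assumes a table mail_users(username, password_enc, access) where access holds 'pop3', 'webmail' or 'imap', and that the webmail server connects from 127.0.0.1; change the column name and address to match your schema and network. Dovecot substitutes %u (username), %Ls (lowercased service name, "imap" or "pop3") and %r (remote client IP) before the query runs and SQL-escapes %u itself. Note that the trailing OR 1 in the query posted earlier in the thread makes its WHERE clause always true, so the restriction it was meant to express never takes effect; it is left out here.

```sql
-- Added example (not from the thread): dovecot-sql.conf password_query
-- implementing POP3-for-all, IMAP-for-some, webmail-only-IMAP-for-others.
-- Assumed schema: mail_users(username, password_enc, access)
--   access = 'pop3'    -> POP3 only
--   access = 'webmail' -> POP3, plus IMAP only from the webmail host
--   access = 'imap'    -> POP3 and IMAP from anywhere
-- Assumed webmail host address: 127.0.0.1 (replace with your real one).
-- Anything else (NULL, typo, unknown value) matches no branch: fail closed.
password_query = \
  SELECT username AS user, password_enc AS password \
  FROM mail_users \
  WHERE username = '%u' \
    AND ( \
         '%Ls' = 'pop3' \
      OR ('%Ls' = 'imap' AND access = 'imap') \
      OR ('%Ls' = 'imap' AND access = 'webmail' AND '%r' = '127.0.0.1') \
    )
```

The only piece of this that is security-relevant rather than a storage policy is the '%r' = '127.0.0.1' branch: it turns "connected from the loopback address" into "is the webmail server", so anything else that can open a TCP connection to the IMAP listener on that host (another daemon, a shell account, a compromised web application) gets the same privilege. If the box is shared, give webmail its own address or a dedicated listener and test for that instead, as Baltasar's Vserver remark already hints. A quick way to check the three tiers without a mail client is to watch the auth log while connecting from the webmail host and from an outside address with the same credentials; in Dovecot releases that ship doveadm, `doveadm auth test -x service=imap -x rip=<address> <user>` (assumed usage, check your version's manual) exercises the same query without opening a mailbox.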
participants (6): Angel Marin, Bill Cole, Don Russell, FORMER 03 | Baltasar Cevc, Geert Hendrickx, Timo Sirainen