[Dovecot] about postlogin in dovecot2
Hello I use dovecot2 on vpopmail,qmail. i want to use login-intranet-imap.sh in order to restrict by emailaddress and ip address. i read it at http://wiki2.dovecot.org/PostLoginScripting. But there is an expression "mail_executable" in conf. but there is no such thing in dovecot2. what is equivalent of it for dovecot2 ?
-- View this message in context: http://old.nabble.com/about-postlogin-in-dovecot2-tp34275123p34275123.html Sent from the Dovecot mailing list archive at Nabble.com.
Bulend Mali wrote:
service imap { executable = imap imap-postlogin }
or
service pop3 { executable = pop3 pop3-postlogin }
I assume the exec "$@" in your login-intranet-imap.sh is there to execute the imap binary (or call it "mail executable") which handles the protocol traffic after your post-login script has done its work and granted access to the user.
If you would like to deny access, you should not execute the protocol handler, but simply exit 0, see "Denying connection from some IP/User" at http://wiki2.dovecot.org/PostLoginScripting
Regards Daniel
my 10-master.conf;
service pop3-login { inet_listener pop3 { }
service pop3 { executable = pop3 pop3-postlogin }
service pop3-postlogin { executable = script-login /usr/local/bin/postlogin_pop3.sh user = root unix_listener pop3-postlogin { } }
when i restart dovecot service. i get an error; Aug 11 00:48:27 pop3y dovecot: pop3-postlogin: Error: read: Illegal option -d Aug 11 00:39:56 pop3y dovecot: pop3-login: Login: user=<test@test.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=99386, secured, session=<dQhpL/DGawB/AAAB> Aug 11 00:39:56 pop3y dovecot: pop3(test@test.com): Post-login script denied access to user test@test.com Aug 11 00:39:56 pop3y dovecot: pop3-postlogin: Fatal: master: service(pop3-postlogin): child 99387 returned error 10
pop3y# ll /usr/local/bin/postlogin_pop3.sh -rwxr-xr-x 1 root wheel 5449 Aug 11 00:46 /usr/local/bin/postlogin_pop3.sh
i use freebsd8.2
View this message in context: http://old.nabble.com/about-postlogin-in-dovecot2-tp34275123p34284058.html Sent from the Dovecot mailing list archive at Nabble.com.
Bulend Mali wrote:
Seems like you are calling a command with argument -d in your script while the command does not recognize any argument -d.
Can you post your script "postlogin_pop3.sh" for review please?
Regards Daniel
i can manage read -d problem changing -p
what should be user rights of the postlogin_pop3.sh ? i use vpopmail
the pop3script;
#!/bin/sh
30-jul-2007
Author:
Oliver Schulze L.
Contact: http://tinymailto.com/oliver
Paraguay
INTRANET_NETS="127.0.0.1 10."
users that can login from the Internet
INTERNET_USERS="user1 user2 user3 user4 test@test.com"
DEBUG=0
variables setup by dovecot: IP USER
configure the dovecot binary to run based on the name of the script, so
this script can be used for imap and pop3 just by making a link
SCRIPT_BASE="postlogin" DOVECOT_EXEC="" if [ "$(basename $0)" = "${SCRIPT_BASE}_imap.sh" ] ; then DOVECOT_EXEC="/usr/local/libexec/dovecot/imap" elif [ "$(basename $0)" = "${SCRIPT_BASE}_pop3.sh" ] ; then DOVECOT_EXEC="/usr/local/libexec/dovecot/pop3" else MSG="Please edit the file $(basename $0) and change the SCRIPT_BASE variable" /usr/bin/logger "$MSG" # display a message to the user echo "* OK [ALERT] $MSG" # cancel the current imap request echo "* NO $MSG" exit 1 fi
debug
if [ $DEBUG -eq 1 ] ; then # TEST data DEBUG=1
# intranet test, any user can login
#IP=192.168.1.23
#USER=user222
# internet test, only user user2 can login
#IP=200.85.32.2
#USER=user2fi
if [ -z "$IP" ] ; then echo "$(basename $0): IP variable is empty" exit 2 fi if [ -z "$USER" ] ; then echo "$(basename $0): USER variable is empty" exit 3 fi
FLAGS
IN_INTRANET=0 INTERNET_ALLOWED=0 DOVECOT_ALLOW=0
Create this file in a RAM based directory in order to gain performance
FILE_TMP=$(mktemp /tmp/login-intranet-dovecot.tmp.XXXXXX)
check if the IP is from the Intranet
always use a tmp file in while in order to modify this script variables
echo "$INTRANET_NETS " > $FILE_TMP
cicle all intranets
while read -p ' ' net_intranet ; do net_grep=$(echo $net_intranet | sed -e 's/\./\\\./g') echo $IP | grep $net_grep 2>/dev/null 1>/dev/null RES=$?
if [ $DEBUG -eq 1 ] ; then
echo " net_intranet: $net_intranet -> RES: $RES"
fi
if [ $RES -eq 0 ] ; then
# the IP is from the intranet, stop processing and allowlogin IN_INTRANET=1 break fi done < $FILE_TMP
if the user is connecting from outside the intranet, check if it is
allowed
to do so
if [ $IN_INTRANET -eq 0 ] ; then # always use a tmp file in while echo "$INTERNET_USERS " > $FILE_TMP
# cicle all allowed internet users
while read -p ' ' user_inet ; do
if [ $DEBUG -eq 1 ] ; then
echo " $USER == $user_inet"
fi
if [ "$USER" = "$user_inet" ] ; then
# the user is conecting from the Internet and isallowed, stop # processing and allow login INTERNET_ALLOWED=1 break fi done < $FILE_TMP
fi
if [ $DEBUG -eq 1 ] ; then echo "IN_INTRANET : $IN_INTRANET" echo "INTERNET_ALLOWED: $INTERNET_ALLOWED" fi
delete temp file
rm -f $FILE_TMP
if [ $IN_INTRANET -eq 1 ] ; then # the user is conecting from the intranet DOVECOT_ALLOW=1 elif [ $IN_INTRANET -eq 0 ] && [ $INTERNET_ALLOWED -eq 1 ] ; then # the user is conecting from the internet and is an allowed internet user DOVECOT_ALLOW=1 fi
check if the user can login
if [ $DOVECOT_ALLOW -eq 1 ] ; then # the user can login, run the imap or pop3 server if [ $DEBUG -eq 1 ] ; then echo "exec $DOVECOT_EXEC" else # this script ends here exec $DOVECOT_EXEC fi else # user is not allowed to login, inform the user and system log
#MSG="El usuario '$USER' no puede conectarse desde Internet"
MSG="User '$USER' not allowed to connect from the Internet [$IP]"
/usr/bin/logger "$(basename $0): $MSG"
# display a message to the user
echo "* OK [ALERT] $MSG"
# cancel the current imap request
echo "* NO $MSG"
exit 10fi
exec $@
-- View this message in context: http://dovecot.2317879.n4.nabble.com/about-postlogin-in-dovecot2-tp5993p7786... Sent from the Dovecot mailing list archive at Nabble.com.
bmalik wrote:
i can manage read -d problem changing -p
You should not do that, since the semantics of -d and -p are completely different. Argument -d ' ' sets the delimiter for reading words to space, while -p enables password mode in order to disable input echo. By simply replacing -d with -p you will most probably break the functionality of the original script.
On freeBSD you're using a different default shell (sh) than the original author, so your "read" command provided by the shell behaves differently.
Install bash or some other compatible shell which supports read -d and try to replace the first line of the script with #!/bin/bash or the corresponding shell executable to use another shell for the execution of the script.
what should be user rights of the postlogin_pop3.sh?
The flags r (read) and x (execute) should be allowed for dovecot group, so that the mailserver can read and execute the script. Others do not need access to the script.
I've set permissions for the "post-login" script as follows: -rwxr-x--- root dovecot
Regards Daniel
I started to use bash in the script and changed read -d instead of -p. Also I get the script 's rights root:dovecot
I get an error;
-ERR pop3 binary must not be started from inetd, use pop3-login instead. Connection closed by foreign host. Aug 11 04:30:05 pop3y dovecot: pop3(test@test.com): Post-login script denied access to user test@test.com Aug 11 04:30:05 pop3y dovecot: pop3-postlogin: Fatal: master: service(pop3-postlogin): child 15837 returned error 1
-- View this message in context: http://dovecot.2317879.n4.nabble.com/about-postlogin-in-dovecot2-tp5993p2596... Sent from the Dovecot mailing list archive at Nabble.com.
is there another post-login script that i can use on freebsd ?
-- View this message in context: http://dovecot.2317879.n4.nabble.com/about-postlogin-in-dovecot2-tp5993p3703... Sent from the Dovecot mailing list archive at Nabble.com.
bmalik wrote:
is there another post-login script that i can use on freebsd ?
You can use virtually any executable for post-login if they communicate as expected.
First you should start simple and create a post-login script consisting of just a few lines which just covers the case of "access always granted to any user".
Once you got this working, you will be able to extend your script with the required denial features.
Why are you executing any $DOVECOT_EXEC anyways? The example scripts at http://wiki2.dovecot.org/PostLoginScripting are just doing a exec "$@" to exec chained scripts. It seems that dovecot already executes the service binary, which then communicates with the script-login process from "imap-postlogin" service via its "imap-postlogin" socket:
service imap {
tell imap to do post-login lookup using a socket called "imap-postlogin"
executable = imap imap-postlogin }
The service name below doesn't actually matter.
service imap-postlogin {
all post-login scripts are executed via script-login binary
executable = script-login /usr/local/bin/postlogin.sh
the script process runs as the user specified here (v2.0.14+):
user = $default_internal_user
this UNIX socket listener must use the same name as given to imap executable
unix_listener imap-postlogin { } }
Regards Daniel
Thank you I wrote a loginscript in bash. it works well. I can restrict a user by IP. Well , how can i restrict a particular email address by tcp port ? I want a particular mail address to be forced to use pop3s/imaps. I use vpopmail / dovecot2
-- View this message in context: http://dovecot.2317879.n4.nabble.com/about-postlogin-in-dovecot2-tp5993p3704... Sent from the Dovecot mailing list archive at Nabble.com.
bmalik wrote:
What's your doveconf -n output, please? Are you using SQL or LDAP for user lookup?
You probably should do the filtering already in your userdb/authdb lookup queries, since Variable %a or %{lport} which contains the local port is only available in Dovecot-Auth according to http://wiki2.dovecot.org/Variables
Regards Daniel
hello
how can i do a login script by tcp port ?
I use cdb database
my dovecot.conf -n;
doveconf -n
2.1.8: /usr/local/etc/dovecot/dovecot.conf
OS: FreeBSD 8.2-RELEASE amd64
auth_mechanisms = plain login digest-md5 cram-md5 apop disable_plaintext_auth = no first_valid_gid = 89 first_valid_uid = 89 last_valid_gid = 89 last_valid_uid = 89 login_greeting = Dovecot ready2. mail_gid = 89 mail_plugin_dir = /usr/lib/dovecot mail_uid = 89 namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = } passdb { args = webmail=127.0.0.1 driver = vpopmail } protocols = imap pop3 service pop3-postlogin { executable = script-login /usr/local/bin/postlogin_pop3.sh user = root } service pop3 { executable = pop3 pop3-postlogin } ssl = no userdb { args = quota_template=quota_rule=*:backend=%q driver = vpopmail } protocol imap { mail_max_userip_connections = 20 } protocol pop3 { mail_max_userip_connections = 20 }
-- View this message in context: http://dovecot.2317879.n4.nabble.com/about-postlogin-in-dovecot2-tp5993p3704... Sent from the Dovecot mailing list archive at Nabble.com.
On 2012-08-12 7:13 PM, Daniel Parthey <daniel.parthey@informatik.tu-chemnitz.de> wrote:
Or you could use something like:
http://wiki2.dovecot.org/Authentication/RestrictAccess
--
Best regards,
Charles
Ok
where do i have to locate the passwd-file in dovecot2
i use vpopmail and dovecot2.
-- View this message in context: http://dovecot.2317879.n4.nabble.com/about-postlogin-in-dovecot2-tp5993p3705... Sent from the Dovecot mailing list archive at Nabble.com.
is there a solution ?
-- View this message in context: http://dovecot.2317879.n4.nabble.com/about-postlogin-in-dovecot2-tp5993p3707... Sent from the Dovecot mailing list archive at Nabble.com.
participants (4)
-
bmalik
-
Bulend Mali
-
Charles Marcus
-
Daniel Parthey