RE: Forcing imap authentication failure for certain IP addresses
One way is to use https://doc.dovecot.org/configuration_manual/authentication/auth_policy/
or you can use
passdb {
  driver = passwd-file
  deny = yes
  args = username_format=%{rip} /etc/dovecot/deny.ip
}
or you can use https://doc.dovecot.org/configuration_manual/authentication/lua_based_authen... and write this in Lua.
Aki
-------- Original message --------
From: Hippo Man hippoman@gmail.com
Date: 8/1/23 18:14 (GMT+02:00)
To: dovecot@dovecot.org
Subject: Forcing imap authentication failure for certain IP addresses
I'm running dovecot 2.3.18 under Debian 11.
I want to do something that's a bit unusual: when IMAP connections are attempted from a few specific IP addresses, I want to force an IMAP authentication failure from those connections, no matter what user ID and password are specified.
I know that I can use iptables to completely block imap access from those IP addresses to the IMAP ports. However, in these specific cases, I'd prefer that the connection goes through to dovecot, but for dovecot then to always generate authentication failures for those specific connections ... even if a valid user ID and password happen to be specified.
Is there a way to do this in dovecot?
Thank you very much in advance.
-- hippoman@gmail.com Take a hippopotamus to lunch today.
Thank you very much!
In your example, what would be the contents of the /etc/dovecot/deny.ip file?
-- hippoman@gmail.com Take a hippopotamus to lunch today.
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
1.2.3.4::::::::: nopassword
I think. Didn't have a chance to test it.
Aki
Oh, OK. I'll investigate and test it. Thank you!
-- hippoman@gmail.com Take a hippopotamus to lunch today.
This method indeed seems to work ... thank you again!
In summary, I did this:
passdb {
  driver = passwd-file
  deny = yes
  args = username_format=%{rip} /etc/dovecot/deny.ip
}
... and the "deny.ip" file looks like this:
1.2.3.4:::::::: nopassword
5.6.7.8:::::::: nopassword
One further question: whenever I add additional lines to the "deny.ip" file, will I need to restart dovecot, or will dovecot always read the latest version of that file whenever it is validating a new IMAP connection?
-- hippoman@gmail.com Take a hippopotamus to lunch today.
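An added example, not part of the thread and not Dovecot's own code: a Python helper that builds deny.ip in the line layout from the summary above, accepting only single IPv4 addresses (with username_format=%{rip} the file is looked up by the exact remote address, so a CIDR range or hostname would never match) and replacing the file in one rename. The function names, the rejection of IPv6 entries and the file mode are assumptions of this example.

```python
import ipaddress
import os
import tempfile

# Line layout copied from the working deny.ip in the thread: IP, 8 colons, " nopassword".
LINE_SUFFIX = ":" * 8 + " nopassword"

def build_deny_lines(entries):
    """Return (lines, rejected) for a list of candidate deny entries."""
    lines, rejected, seen = [], [], set()
    for raw in entries:
        text = raw.strip()
        if not text or text.startswith("#"):
            continue  # skip blanks and comments in the input list
        try:
            ip = ipaddress.ip_address(text)  # raises on CIDR ranges and hostnames
        except ValueError:
            rejected.append((text, "not a single IP address"))
            continue
        if ip.version == 6:
            # Assumption: the colons of an IPv6 address clash with the
            # colon-separated passwd-file fields, so it is not emitted.
            rejected.append((text, "IPv6 not representable in this layout"))
            continue
        key = str(ip)
        if key not in seen:  # drop duplicates, keep first-seen order
            seen.add(key)
            lines.append(key + LINE_SUFFIX)
    return lines, rejected

def write_atomically(path, lines):
    """Replace the file with one rename so a reader never sees a partial list."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".deny.ip.")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write("".join(line + "\n" for line in lines))
        os.chmod(tmp, 0o644)  # mkstemp creates 0600; assumed mode, adjust to your setup
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise

if __name__ == "__main__":
    # Constructed sample input, not taken from a real deployment.
    sample = ["1.2.3.4", "5.6.7.8", "1.2.3.4", "10.0.0.0/8", "2001:db8::1"]
    good, bad = build_deny_lines(sample)
    print("\n".join(good))
    for entry, reason in bad:
        print(f"skipped {entry}: {reason}")
```
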
participants (3)
- Aki Tuomi
- aki.tuomi
- Hippo Man