Dovecot multiple passdb and fail2ban
Objective: different password for remote and local imap login
Version: 2.2.36 (1f10bfa63) on CentOS 7.
Users are from Active Directory, mapped to local users via sssd.
After much experimentation, I have configured it this way:

doveconf -n passdb userdb

    passdb {
      args = username_format=%Ln /etc/dovecot/remote
      driver = passwd-file
      skip = authenticated
      username_filter = user01 user02
    }
    passdb {
      driver = pam
      override_fields = allow_nets=127.0.0.0/8,192.168.1.0/24
      skip = authenticated
    }
    userdb {
      driver = passwd
    }
If I put the passdbs in the reverse order, I would get failure messages (when logging in remotely) in /var/log/secure, such as:

    auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user02 rhost=xx.xx.xx.xx user=user02

which caused fail2ban to ban that IP.
/etc/fail2ban/jail.local

    [dovecot]
    enabled = true
    port = imap,imaps
If I set "auth_verbose = yes", then I can see messages (when logging in locally) in /var/log/maillog:

    dovecot: auth: passwd-file(user02,192.168.1.20,<Na/7f8WJC8HAqAEU>): Password mismatch

which is probably not a big deal... but seems inefficient?
Question: is there a more elegant way to use different passdb depending on ip?
Thanks in advance.
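The ordering effect described in the post, shown as an added example (this is not code from the post or from Dovecot): a small Python model of how Dovecot walks a passdb chain under its default result settings (a failing passdb continues to the next one, the first success ends the lookup), with `username_filter` and `allow_nets` applied the way the posted config uses them. The credential stores, IP addresses and log lines are constructed placeholders modelled on the post. Running both orders shows why the reversed order produces a pam_sss failure line (the fail2ban trigger) for a remote login that ultimately succeeds, while the posted order only produces a passwd-file "Password mismatch" line for local logins when auth_verbose is on.

```python
"""Constructed model of a Dovecot passdb chain; not Dovecot's own code."""
import ipaddress
from dataclasses import dataclass

# Constructed credential stores with placeholder passwords.
PASSWD_FILE = {"user01": "remote-pw-1", "user02": "remote-pw-2"}              # /etc/dovecot/remote
AD_PASSWORDS = {"user01": "ad-pw-1", "user02": "ad-pw-2", "user03": "ad-pw-3"}  # what pam_sss would verify


@dataclass(frozen=True)
class Passdb:
    driver: str                               # "passwd-file" or "pam"
    username_filter: frozenset = frozenset()  # empty means the passdb applies to every user
    allow_nets: tuple = ()                    # empty means no network restriction


def in_allow_nets(ip: str, nets: tuple) -> bool:
    """True when ip falls inside one of the allow_nets CIDRs (or no nets are set)."""
    addr = ipaddress.ip_address(ip)
    return not nets or any(addr in ipaddress.ip_network(n) for n in nets)


def try_passdb(db: Passdb, user: str, password: str, ip: str,
               secure_log: list, maillog: list) -> bool:
    """One passdb lookup. Appends the log line each failure would leave behind."""
    if db.driver == "passwd-file":
        if PASSWD_FILE.get(user) == password:
            return True
        # What auth_verbose = yes writes to /var/log/maillog on a mismatch.
        maillog.append(f"dovecot: auth: passwd-file({user},{ip},<session>): Password mismatch")
        return False
    if db.driver == "pam":
        if AD_PASSWORDS.get(user) != password:
            # pam_sss logs every failed PAM attempt to /var/log/secure; fail2ban counts these.
            secure_log.append(
                f"auth: pam_sss(dovecot:auth): authentication failure; "
                f"tty=dovecot ruser={user} rhost={ip} user={user}")
            return False
        # allow_nets (from override_fields) is checked after the password verified.
        return in_allow_nets(ip, db.allow_nets)
    raise ValueError(f"unknown driver {db.driver}")


def authenticate(chain: tuple, user: str, password: str, ip: str,
                 secure_log: list, maillog: list) -> bool:
    """Walk the chain in order: result_failure = continue, result_success = return-ok.
    Because the first success already ends the walk, the post's skip = authenticated
    only changes behaviour when result_success = continue is configured."""
    for db in chain:
        if db.username_filter and user not in db.username_filter:
            continue  # username_filter: this passdb is not consulted for this user
        if try_passdb(db, user, password, ip, secure_log, maillog):
            return True
    return False


def run_scenarios() -> dict:
    """Replay remote and local logins against the posted order and the reversed order."""
    passwd_file = Passdb("passwd-file", username_filter=frozenset({"user01", "user02"}))
    pam = Passdb("pam", allow_nets=("127.0.0.0/8", "192.168.1.0/24"))
    results = {}
    for name, chain in (("posted", (passwd_file, pam)), ("reversed", (pam, passwd_file))):
        secure_log, maillog = [], []
        results[name] = {
            # user02 from outside, using the passwd-file password (constructed public IP)
            "remote_ok": authenticate(chain, "user02", "remote-pw-2", "198.51.100.7", secure_log, maillog),
            # user02 from the LAN, using the AD password
            "local_ok": authenticate(chain, "user02", "ad-pw-2", "192.168.1.20", secure_log, maillog),
            # user03 is not in username_filter, so only PAM applies
            "user03_local_ok": authenticate(chain, "user03", "ad-pw-3", "192.168.1.21", secure_log, maillog),
            "pam_failures_logged": len(secure_log),       # lines fail2ban would see
            "passwd_file_mismatches_logged": len(maillog),  # lines auth_verbose would show
        }
    return results


if __name__ == "__main__":
    for order, outcome in run_scenarios().items():
        print(order, outcome)
```

In the posted order every login succeeds without touching PAM for the remote case, so /var/log/secure stays clean and the only noise is the verbose passwd-file mismatch on local logins; in the reversed order the same remote login still succeeds, but only after a PAM failure has been written, which is exactly the line the dovecot jail acts on.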
Participants (1): Joaquin F