[Dovecot] 1.0alpha2: how to reject specific users?
Hi, In Qualcomm's qpopper, you can specify a list of users to reject at authentication, even if they are otherwise valid, by putting them in a file (/etc/pop.nonauth). I use this to occasionally ban users who bang on the system needlessly until they Get a Clue. I looked thru the wiki.dovecot.org/Authentication pages and didn't see anything like this feature. Does it exist in 1.0?
BTW, running 1.0alpha2 in production since Sunday night, working great. Zero core dumps, only minor chatter about "Corrupted index cache file" in the syslog, no problems.
Jeff Earickson Colby College
On gio 15 set, Jeff A. Earickson wrote:
Hi, In Qualcomm's qpopper, you can specify a list of users to reject at authentication, even if they are otherwise valid, by putting them in a file (/etc/pop.nonauth). I use this to occasionally ban users who bang on the system needlessly until they Get a Clue. I looked thru the wiki.dovecot.org/Authentication pages and didn't see anything like this feature. Does it exist in 1.0?
I have tried this:
/etc/dovecot.conf:
auth default {
  mechanisms = plain
  userdb passwd-file {
    args = /etc/dovecot-noauth
  }
  # Other auth methods
  ...

/etc/dovecot-noauth:
luser1:*:42:42:luser1,,,:/dev/null:/bin/false
luser2:*:42:42:luser2,,,:/dev/null:/bin/false
IWFM.
-- ciao, debe
On Thu, 15 Sep 2005, Marco De Benedetto wrote:
Date: Thu, 15 Sep 2005 18:24:34 +0200
From: Marco De Benedetto debe@galliera.it
To: dovecot@dovecot.org
Subject: Re: [Dovecot] 1.0alpha2: how to reject specific users?
On gio 15 set, Jeff A. Earickson wrote:
Hi, In Qualcomm's qpopper, you can specify a list of users to reject at authentication, even if they are otherwise valid, by putting them in a file (/etc/pop.nonauth). I use this to occasionally ban users who bang on the system needlessly until they Get a Clue. I looked thru the wiki.dovecot.org/Authentication pages and didn't see anything like this feature. Does it exist in 1.0?
I have tried this:
/etc/dovecot.conf:
auth default {
  mechanisms = plain
  userdb passwd-file {
    args = /etc/dovecot-noauth
  }
  # Other auth methods
  ...

/etc/dovecot-noauth:
luser1:*:42:42:luser1,,,:/dev/null:/bin/false
luser2:*:42:42:luser2,,,:/dev/null:/bin/false
Per your advice, I set my dovecot.conf file up as:
auth default {
  mechanisms = plain
  passdb passwd-file {
    args = /etc/dovecot.nonauth
  }
  passdb pam {
  }
and added my test user to /etc/dovecot.nonauth like above. He connected to IMAP with no problem, not what I want. The default authentication method is PAM for everybody. Any other suggestions?? My setup: 1.0alpha2, Solaris 9 using PAM, imap and imaps, mbox format.
Jeff Earickson Colby College
On gio 15 set, Jeff A. Earickson wrote:
Per your advice, I set my dovecot.conf file up as:
auth default {
  mechanisms = plain
  passdb passwd-file {
    args = /etc/dovecot.nonauth
  }
  passdb pam {
  }
and added my test user to /etc/dovecot.nonauth like above. He connected to IMAP with no problem, not what I want. The default authentication method is PAM for everybody. Any other suggestions?? My setup: 1.0alpha2, Solaris 9 using PAM, imap and imaps, mbox format.
1.0alpha2, Debian, using PAM and I get this error:
Sep 15 21:07:11 localhost dovecot: chdir(/dev/null) failed with uid 42: Not a directory 21:28:14
Anyway I don't like this so much.
Maybe using PAM is a cleaner solution:
/etc/pam.d/dovecot:
...
auth required pam_listfile.so onerr=succeed item=user sense=deny file=/etc/dovecot.noauth
...

/etc/dovecot.noauth:
luser1
luser2
...
-- ciao, debe
Hi, I asked last week about an auth mechanism in 1.0alpha2 to reject specific userids or uids from authentication. Marco De Benedetto kindly suggested using passdb passwd-file for a rejection list. That didn't work and the Wiki for authentication makes it clear why: the multiple databases use OR for success instead of AND. So my test user failed with passdb passwd-file but succeeded with PAM, so he got in.
Any chance of having a "passdb deny" feature, whereby any userid or uid that appears there will be rejected without further authentication tests? Something like:
auth default {
  passdb deny {
    # path of file listing denied uids or userids
    args = /etc/dovecot.nonauth
  }
  passdb pam {
    (etc)
  }
Jeff Earickson Colby College
On Mon, 2005-09-19 at 11:38 -0400, Jeff A. Earickson wrote:
auth default {
  passdb deny {
    # path of file listing denied uids or userids
    args = /etc/dovecot.nonauth
  }
  passdb pam {
    (etc)
  }
Added to CVS:
# Users can be temporarily disabled by adding a passdb with deny=yes.
# If the user is found from that database, authentication will fail.
# The deny passdb should always be specified before others, so it gets
# checked first. Here's an example:
#passdb passwd-file {
  # File contains a list of usernames, one per line
  #args = /etc/dovecot.deny
  #deny = yes
#}
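The two behaviours discussed in this thread (Jeff's observation that a user listed in a plain passwd-file still gets in because passdbs are OR'ed for success, and Timo's deny=yes passdb that must come first in the chain) can be reproduced with a small model of a passdb chain. This is an added illustration written for the thread, not Dovecot's own code; the sample users, passwords and file contents are constructed, and the continue-on-failure behaviour between passdbs is simplified to "a passdb that does not accept the user falls through to the next one".

```python
"""Simplified model of a Dovecot-style passdb chain (illustration only,
not Dovecot code). Shows why a passwd-file full of locked '*' entries
does not block a user that PAM accepts, and how a deny=yes passdb placed
first short-circuits the chain."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data; none of this comes from a real system.
PAM_USERS: Dict[str, str] = {"luser1": "hunter2", "alice": "s3cret"}
NOAUTH_FILE = (  # passwd-file with locked '*' password fields, as in the thread
    "luser1:*:42:42:luser1,,,:/dev/null:/bin/false\n"
    "luser2:*:42:42:luser2,,,:/dev/null:/bin/false\n"
)
DENY_FILE = "luser1\nluser2\n"  # one username per line, Timo's deny example


def parse_passwd_file(text: str) -> Dict[str, str]:
    """Map 'user[:password[:...]]' lines to user -> password field.
    A bare username (deny-list style) gets an empty password field."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        users[fields[0]] = fields[1] if len(fields) > 1 else ""
    return users


@dataclass
class Passdb:
    name: str
    # check(user, password) -> True (ok), False (found, wrong password),
    # None (user not in this database)
    check: Callable[[str, str], Optional[bool]]
    deny: bool = False


def passwd_file_db(users: Dict[str, str], deny: bool = False) -> Passdb:
    def check(user: str, password: str) -> Optional[bool]:
        if user not in users:
            return None
        stored = users[user]
        if stored == "*":          # locked entry: can never match
            return False
        return stored == password  # plaintext comparison for the model
    return Passdb("passwd-file", check, deny)


def pam_db(accounts: Dict[str, str]) -> Passdb:
    def check(user: str, password: str) -> Optional[bool]:
        if user not in accounts:
            return None
        return accounts[user] == password
    return Passdb("pam", check)


def authenticate(chain: List[Passdb], user: str, password: str) -> Tuple[bool, str]:
    """Walk the passdbs in order. A deny passdb that finds the user rejects
    immediately; otherwise the first passdb that accepts wins (OR semantics)
    and any non-accepting passdb falls through to the next."""
    for db in chain:
        result = db.check(user, password)
        if db.deny:
            if result is not None:     # user is listed: reject, no further checks
                return False, f"denied by {db.name}"
            continue
        if result is True:
            return True, f"accepted by {db.name}"
    return False, "no passdb accepted the user"


# Jeff's first attempt: locked passwd-file entries, then PAM.
JEFF_CHAIN = [passwd_file_db(parse_passwd_file(NOAUTH_FILE)), pam_db(PAM_USERS)]
# Timo's fix: deny=yes passdb first, then PAM.
DENY_FIRST = [passwd_file_db(parse_passwd_file(DENY_FILE), deny=True), pam_db(PAM_USERS)]
# Same deny passdb, but listed after PAM (the ordering the comment warns against).
DENY_LAST = [pam_db(PAM_USERS), passwd_file_db(parse_passwd_file(DENY_FILE), deny=True)]

if __name__ == "__main__":
    for label, chain in (("jeff", JEFF_CHAIN), ("deny-first", DENY_FIRST), ("deny-last", DENY_LAST)):
        print(label, "luser1:", authenticate(chain, "luser1", "hunter2"))
        print(label, "alice: ", authenticate(chain, "alice", "s3cret"))
```

Run it and the first chain lets luser1 in via PAM exactly as Jeff reported, the deny-first chain rejects luser1 before PAM is consulted while alice still authenticates, and the deny-last chain shows why Timo's comment insists the deny passdb be specified before the others: PAM accepts luser1 before the deny entry is ever reached.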
Thank you, thank you. I'll be looking forward to testing this in alpha4. I may try to download the CVS and test it on another non-production machine.
Jeff Earickson Colby College
On Sat, 24 Sep 2005, Timo Sirainen wrote:
Date: Sat, 24 Sep 2005 15:57:24 +0300
From: Timo Sirainen tss@iki.fi
To: Jeff A. Earickson jaearick@colby.edu
Cc: dovecot@dovecot.org
Subject: Re: [Dovecot] 1.0alpha2: "passdb deny" feature request
On Mon, 2005-09-19 at 11:38 -0400, Jeff A. Earickson wrote:
auth default {
  passdb deny {
    # path of file listing denied uids or userids
    args = /etc/dovecot.nonauth
  }
  passdb pam {
    (etc)
  }
Added to CVS:
# Users can be temporarily disabled by adding a passdb with deny=yes.
# If the user is found from that database, authentication will fail.
# The deny passdb should always be specified before others, so it gets
# checked first. Here's an example:
#passdb passwd-file {
  # File contains a list of usernames, one per line
  #args = /etc/dovecot.deny
  #deny = yes
#}
Timo, I tried this in alpha4 and it is just what I wanted. Thanks.
Jeff Earickson Colby College
On Sat, 24 Sep 2005, Timo Sirainen wrote:
Date: Sat, 24 Sep 2005 15:57:24 +0300
From: Timo Sirainen tss@iki.fi
To: Jeff A. Earickson jaearick@colby.edu
Cc: dovecot@dovecot.org
Subject: Re: [Dovecot] 1.0alpha2: "passdb deny" feature request
On Mon, 2005-09-19 at 11:38 -0400, Jeff A. Earickson wrote:
auth default {
  passdb deny {
    # path of file listing denied uids or userids
    args = /etc/dovecot.nonauth
  }
  passdb pam {
    (etc)
  }
Added to CVS:
# Users can be temporarily disabled by adding a passdb with deny=yes.
# If the user is found from that database, authentication will fail.
# The deny passdb should always be specified before others, so it gets
# checked first. Here's an example:
#passdb passwd-file {
  # File contains a list of usernames, one per line
  #args = /etc/dovecot.deny
  #deny = yes
#}