"j.emerlik" j.emerlik@gmail.com writes:
> I would like to prepare a postlogin script that allows imap connection to roundcube for all but restricts imap access for selected users.
"from" roundcube?
> Is it possible to use IP addresses in the IF condition as a range or with a mask (because I have more than one web server)?
Of course -- many ways to skin this cat.
If you have only a handful of IPs
case "$IP" in
12.34.56.78) exec "$@";;
23.45.67.89) exec "$@";;
...
esac
If you have CIDR that align neatly on octet boundaries
case "$IP" in
12.34.56.*) exec "$@";;
23.45.67.*) exec "$@";;
...
esac
The toughest situation (using script techniques) is for CIDR ranges just shy of a full octet boundary e.g. /25. You can use "cut -d .", "IFS=." or "expr" to break the IP into octets, then test the components. e.g. 12.34.56.0/25
# Example 1
PART1=`echo "$IP" | cut -d. -f1,2,3`
PART2=`echo "$IP" | cut -d. -f4`
[ "$PART1" = "12.34.56" -a "$PART2" -ge 0 -a "$PART2" -le 127 ] && exec "$@"
# Example 2
PART2=`expr "$IP" : '.*\.\([0-9]*\)'`
# expr prints the match length, so its output is discarded; dots are escaped to match literally
expr "$IP" : '12\.34\.56\.' >/dev/null && [ "$PART2" -ge 0 -a "$PART2" -le 127 ] && exec "$@"
# Example 3 (dodgy, I haven't fully thought this through)
`echo "$IP" | { IFS=. read a b c PART2; [ "$a.$b.$c" = "12.34.56" -a "$PART2" -ge 0 -a "$PART2" -le 127 ] && echo "exec $@"; }`
If you have a busy IMAP server, you'll probably want to use Aki's passdb solution instead, rather than incurring the execution overhead for each and every authentication.
Joseph Tam jtam.home@gmail.com
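
Added example, not part of any message in this thread: a POSIX sh helper that generalizes the /25 octet test above to any IPv4 prefix length by comparing masked integers, and fails closed on malformed input. The function names and the `ALLOWED_NETS` sample networks are assumptions made for illustration; `$IP` is the variable the thread's scripts already use.

```sh
#!/bin/sh
# Added example, not from the thread: IPv4 CIDR matching with shell arithmetic.
# ALLOWED_NETS holds constructed sample networks; replace with your own.
ALLOWED_NETS="12.34.56.0/25 10.120.120.0/21"

# ip_to_int A.B.C.D: print the address as an integer, fail on malformed input.
ip_to_int() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split into octets (digits and dots only)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros (octal)
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr IP NET/LEN: status 0 inside, 1 outside, 2 on malformed input.
ip_in_cidr() {
    net=${2%/*}; len=${2#*/}
    case "$len" in ""|*[!0-9]*|0?*) return 2 ;; esac
    [ "$len" -le 32 ] || return 2
    ip_n=$(ip_to_int "$1") || return 2
    net_n=$(ip_to_int "$net") || return 2
    [ "$len" -eq 0 ] && return 0
    mask=$(( (0xFFFFFFFF << (32 - $len)) & 0xFFFFFFFF ))
    [ $(( $ip_n & $mask )) -eq $(( $net_n & $mask )) ]
}

# ip_allowed IP: status 0 if IP falls in any network listed in ALLOWED_NETS.
ip_allowed() {
    for cidr in $ALLOWED_NETS; do
        ip_in_cidr "$1" "$cidr" && return 0
    done
    return 1
}

# In the postlogin script, with $IP as used in the thread:
#   ip_allowed "$IP" && exec "$@"
```
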
On 11/10/2017 11:03 PM, Joseph Tam wrote:
> The toughest situation (using script techniques) is for CIDR ranges just shy of a full octet boundary e.g. /25.
Actually there is a great tool for that, grepcidr
$ echo 10.11.12.127 | grepcidr 10.11.12.0/25 && echo OK
10.11.12.127
OK
$ echo 10.11.12.128 | grepcidr 10.11.12.0/25 && echo OK
$
But in your case you really probably should use postgres for the userdb and just return everything from there in user fields / extra fields, and if the logic doesn't fit in a simple query you can put it in a stored procedure. That will likely be more efficient.
Awesome, thanks!
Sent from my mobile device please excuse.
I would still recommend using allow_nets instead. It will perform better, and can deal with multiple networks etc.
Aki
Great, thanks!
Sent from my mobile device please excuse.
I finally used it like this:
case $IP in 10.120.12[0-7].*) exec "$@" ;; 111.111.11.4[0-9]) exec "$@" ;; esac
Thanks a lot
Regards, Jacek
case $IP in
10.120.12[0-7].*) exec "$@" ;;
195.150.13.4[0-9]) exec "$@" ;;
esac