[Dovecot] Limiting Dovecot access by user-specific ip addresses?
Hi,
Is there any possibility to limit access to mailboxes by user-specific ip addresses?
So, I'd like to have a configuration which by default restricts reading emails to company's own ip-address range. So far, this could be achieved by a basic firewall rule, but not any more the following:
However, there is a need for a few users to access their emails from world-wide internet, so there should be a possibility to define for certain users an option to skip the allowed address range check.
Regards, Timo
On Mar 11, 2006, at 12:56 PM, Timo Neuvonen wrote:
> Is there any possibility to limit access to mailboxes by user-specific ip addresses?
Yes, but I added it only a while ago so it's still only in CVS. Also
you'll need a userdb which allows you to specify "extra options", e.g.
passwd-file, sql, ldap. Syntax is e.g.:
allow_nets=192.168.0.0/16,127.0.0.0/8
> > Is there any possibility to limit access to mailboxes by user-specific ip addresses?
> Yes, but I added it only a while ago so it's still only in CVS. Also you'll need a userdb which allows you to specify "extra options", e.g. passwd-file, sql, ldap. Syntax is e.g.:
> allow_nets=192.168.0.0/16,127.0.0.0/8
Thanks,
maybe I'll wait for a while if it happened to find its way into FC5's standard dovecot rpms... Meanwhile I could try investigating how to use userdb for other purposes... userdb in general is still an undiscovered area for me.
-- TiN
If your users are stored in MySQL, couldn't a variable be added to the dovecot-sql.conf section to do something like "user_query = SELECT home, uid, gid FROM users WHERE userid = '%u' and ip='%ip'"? I realize the %ip would have to be added, but that should be an easy addition. Then you can just put an ip range or single ip in the MySQL table from which the user is allowed to authenticate.
Tom
Timo Neuvonen wrote:
> Hi,
> Is there any possibility to limit access to mailboxes by user-specific ip addresses?
> So, I'd like to have a configuration which by default restricts reading emails to company's own ip-address range. So far, this could be achieved by a basic firewall rule, but not any more the following:
> However, there is a need for a few users to access their emails from world-wide internet, so there should be a possibility to define for certain users an option to skip the allowed address range check.
> Regards, Timo
On Sat, 2006-03-11 at 10:15 -0500, Bob Hope wrote:
> If your users are stored in MySQL, couldn't a variable be added to the dovecot-sql.conf section to do something like "user_query = SELECT home, uid, gid FROM users WHERE userid = '%u' and ip='%ip'"? I realize the %ip would have to be added, but that should be an easy addition. Then you can just put an ip range or single ip in the MySQL table from which the user is allowed to authenticate.
There's already %R for the %ip.
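An added example, not part of the thread and not Dovecot code: a small audit of a passwd-file that finds users whose `allow_nets` does not confine them to the company range, so the few intended exceptions can be checked against an approved list. It assumes the passwd-file layout with extra fields in the eighth colon-separated field and that a user without `allow_nets` is not restricted; the function names, the `exempt` list and the sample lines are constructed for illustration.

```python
import ipaddress

# Assumption: the company range, taken from the allow_nets value quoted in the thread.
COMPANY_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample in passwd-file layout (user:password:uid:gid:gecos:home:shell:extra fields).
SAMPLE = [
    "alice:{PLAIN}x:1001:1001::/home/alice::allow_nets=192.168.0.0/16,127.0.0.0/8",
    "bob:{PLAIN}x:1002:1002::/home/bob::allow_nets=192.168.0.0/16,203.0.113.0/24",
    "carol:{PLAIN}x:1003:1003::/home/carol::",
]

def parse_line(line):
    """Return (user, dict of extra fields) for one passwd-file line."""
    fields = line.strip().split(":", 7)   # maxsplit keeps IPv6 colons inside the extras
    extras = {}
    if len(fields) == 8:
        for item in fields[7].split():
            key, _, value = item.partition("=")
            extras[key] = value
    return fields[0], extras

def parse_nets(value):
    """Parse a comma-separated allow_nets value; ValueError on a malformed entry."""
    return [ipaddress.ip_network(p.strip(), strict=False) for p in value.split(",") if p.strip()]

def is_allowed(extras, remote_ip):
    """Model of the check (assumption): a user without allow_nets is not restricted."""
    if "allow_nets" not in extras:
        return True
    ip = ipaddress.ip_address(remote_ip)
    return any(ip.version == n.version and ip in n for n in parse_nets(extras["allow_nets"]))

def audit(lines, exempt=()):
    """Report users reachable from outside COMPANY_NETS who are not on the exempt list."""
    findings = {}
    for line in lines:
        user, extras = parse_line(line)
        if not user or user.startswith("#") or user in exempt:
            continue   # blank line, comment, or an approved exception
        if "allow_nets" not in extras:
            findings[user] = "no allow_nets: any address accepted"
            continue
        outside = [str(n) for n in parse_nets(extras["allow_nets"])
                   if not any(n.version == c.version and n.subnet_of(c) for c in COMPANY_NETS)]
        if outside:
            findings[user] = "allows non-company ranges: " + ",".join(outside)
    return findings
```

Calling `audit(SAMPLE, exempt={"carol"})` treats carol as an approved roaming user and reports only bob, whose entry admits a range outside the company networks.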
participants (3): Bob Hope, Timo Neuvonen, Timo Sirainen