[Dovecot] Restricting IMAP access
Hi list,
I have a setup with postfix+dovecot+mysql under CentOS 5, running 50 odd domains with virtual users. Access is allowed for public POP3, and a webmail on apache+PHP solution through local IMAP. I'm not gonna give you the long story about the why, but I'm looking for a way to give public IMAP access only to one domain, knowing that users log in with full email (user@domain.tld). Anybody has a trick for that? Running dovecot 2.0.13.
I know there should be a way to do it through the database, but quite heavy change on our side for a million odd users.
Regards,
Thierry
On 03.11.2011 19:13, Thierry de Montaudry wrote:
> Hi list,
> I have a setup with postfix+dovecot+mysql under CentOS 5, running 50 odd domains with virtual users. Access is allowed for public POP3, and a webmail on apache+PHP solution through local IMAP. I'm not gonna give you the long story about the why, but I'm looking for a way to give public IMAP access only to one domain, knowing that users log in with full email (user@domain.tld). Anybody has a trick for that? Running dovecot 2.0.13.
> I know there should be a way to do it through the database, but quite heavy change on our side for a million odd users.
> Regards,
> Thierry

I am short on time. With a database this should be possible to get working; I have it as a flag for all users, so I can forbid IMAP to special ones. As far as I remember, there should be examples on the Dovecot site, and it was written about here on the list before.
-- Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
On Thu, 2011-11-03 at 19:13 +0100, Thierry de Montaudry wrote:
> Hi list,
> I have a setup with postfix+dovecot+mysql under CentOS 5, running 50 odd domains with virtual users. Access is allowed for public POP3, and a webmail on apache+PHP solution through local IMAP. I'm not gonna give you the long story about the why, but I'm looking for a way to give public IMAP access only to one domain, knowing that users log in with full email (user@domain.tld). Anybody has a trick for that? Running dovecot 2.0.13.
> I know there should be a way to do it through the database, but quite heavy change on our side for a million odd users.

So assuming all users can log in from 127.0.0.1 and domain.com only elsewhere, you can do stuff like:
a) Change password_query so that it succeeds only if '%l' = '127.0.0.1' or '%d' = 'domain.com'
b) Add a deny=yes passdb with e.g. sqlite backend that basically does the same as a) but reversed. http://wiki2.dovecot.org/Authentication/RestrictAccess has passwd-file example, example config files should have also something.
c) Add a new Dovecot proxy facing the public internet where it lets in only those users with '%d'='domain.com' (again maybe sqlite)
Possibly other ways too..
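
Added example, not part of any poster's message: a sketch of option a) as a `password_query`, with a small harness that checks the resulting access matrix against an in-memory SQLite table before the query is deployed. The `users` table, its columns, the sample accounts, the `%s <> 'imap'` clause (an assumption to keep POP3 public for every domain, as the original post describes) and the simplified variable expansion are all assumptions; the thread's real backend is MySQL.

```python
import re
import sqlite3

# Hypothetical schema; adapt table and column names to the real database.
# Dovecot variables: %u = full login, %d = domain part, %l = local IP the
# client connected to, %s = service name (imap, pop3, ...).
PASSWORD_QUERY = (
    "SELECT email AS user, password FROM users "
    "WHERE email = '%u' "
    "AND ('%s' <> 'imap' OR '%l' = '127.0.0.1' OR '%d' = 'domain.com')"
)

def expand(query, user, local_ip, service):
    """Simplified stand-in for Dovecot's variable expansion (quotes doubled)."""
    values = {"%u": user, "%d": user.partition("@")[2],
              "%l": local_ip, "%s": service}
    # Single pass, so expanded values are never re-scanned for variables.
    return re.sub(r"%[udls]",
                  lambda m: values[m.group(0)].replace("'", "''"), query)

def build_sample_db():
    """Constructed sample accounts, one in the allowed domain and one outside."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice@domain.com", "{PLAIN}x"),
                    ("bob@other.tld", "{PLAIN}y")])
    return db

def login_allowed(db, user, local_ip, service):
    """True if the passdb lookup returns a row (password check not modelled)."""
    sql = expand(PASSWORD_QUERY, user, local_ip, service)
    return db.execute(sql).fetchone() is not None

def access_matrix():
    """Evaluate the query for public/local and IMAP/POP3 combinations."""
    db = build_sample_db()
    cases = [
        ("alice@domain.com", "192.0.2.10", "imap"),  # public IMAP, allowed domain
        ("bob@other.tld", "192.0.2.10", "imap"),     # public IMAP, other domain
        ("bob@other.tld", "127.0.0.1", "imap"),      # webmail via local IMAP
        ("bob@other.tld", "192.0.2.10", "pop3"),     # public POP3 stays open
    ]
    return {case: login_allowed(db, *case) for case in cases}

if __name__ == "__main__":
    for case, ok in access_matrix().items():
        print(case, "->", "lookup succeeds" if ok else "lookup fails")
```

Only the public IMAP lookup for the domain outside `domain.com` fails; the other three combinations still return a row and proceed to the normal password check.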
participants (3)
- Robert Schetterer
- Thierry de Montaudry
- Timo Sirainen