Feature request: exclude IP/network in allow_nets extra field
Dear all,
We use allow_nets [1] to restrict login clients, and it works fine.
Recently we need to allow some users to log in from everywhere except some IPs/networks; how can we accomplish this with "allow_nets"?
Tried allow_nets="!a.b.c.d", but Dovecot reports error "allow_nets: Invalid network '!a.b.c.d'".
Can we have this feature?
I guess it should be done in the function "auth_request_validate_networks" [2] in file src/auth/auth-request.c.
[1] allow_nets: https://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets [2] https://github.com/dovecot/core/blob/fbc3ccc4a9a02b82073585a33254eacedc6a995...
On 29 Apr 2019, at 19:56, Zhang Huangbin via dovecot dovecot@dovecot.org wrote:
Recently we need to allow some users to log in from everywhere except some IPs/networks,
Can you use firewall rules for this?
how can we accomplish this with "allow_nets"?
Allow_nets specifies allowed networks. Doesn't say anything else about any other use.
"The allow_nets field is a comma separated list of IP addresses and/or networks where the user is allowed to log in from."
On Apr 30, 2019, at 11:21 AM, @lbutlr via dovecot dovecot@dovecot.org wrote:
On 29 Apr 2019, at 19:56, Zhang Huangbin via dovecot dovecot@dovecot.org wrote:
Recently we need to allow some users to login from everywhere except some IP/networks,
Can you use firewall rules for this?
I suppose not. We don't restrict ALL users this way, just a few of them. And the client IP addresses may change frequently; they are not static IPs.
how can we accomplish this with "allow_nets"?
Allow_nets specifies allowed networks. Doesn't say anything else about any other use.
"The allow_nets field is a comma separated list of IP addresses and/or networks where the user is allowed to log in from."
I understand what "allow" means. But it will be very handy to support something like "!a.b.c.d" to allow all but just exclude a few IPs/networks. Isn't it? :)
On 4/29/2019 11:20 PM, Zhang Huangbin via dovecot wrote:
I understand what "allow" means. But it will be very handy to support something like "!a.b.c.d" to allow all but just exclude a few IPs/networks. Isn't it? :)
I'm not sure why:
iptables -A INPUT -p tcp --match multiport --syn ! -s a.b.c.d/netmask --dports 110,143,993,995 -j REJECT
doesn't do what you want.
Or do you want some kind of "friendlier" message to be provided once the user(s) log in from the blocked IPs to tell them why they can't log in?
=M=
On Apr 30, 2019, at 2:32 PM, Malcolm via dovecot dovecot@dovecot.org wrote:
On 4/29/2019 11:20 PM, Zhang Huangbin via dovecot wrote:
I understand what "allow" means. But it will be very handy to support something like "!a.b.c.d" to allow all but just exclude a few IPs/networks. Isn't it? :)
I'm not sure why:
iptables -A INPUT -p tcp --match multiport --syn ! -s a.b.c.d/netmask --dports 110,143,993,995 -j REJECT
Dear Malcolm,
Thanks for your reply. As mentioned earlier, this is per-user access control, not for all users. This firewall rule blocks all users, not just a few users.
On 30 Apr 2019, at 00:20, Zhang Huangbin via dovecot dovecot@dovecot.org wrote:
On Apr 30, 2019, at 11:21 AM, @lbutlr via dovecot dovecot@dovecot.org wrote:
On 29 Apr 2019, at 19:56, Zhang Huangbin via dovecot dovecot@dovecot.org wrote:
Recently we need to allow some users to log in from everywhere except some IPs/networks,
Can you use firewall rules for this?
I suppose not. We don't restrict ALL users this way, just a few of them.
This is sounding odder and odder.
And the client IP addresses may change frequently; they are not static IPs.
And? How is that an issue? Either way you are going to have to change a configuration. At least with a firewall, you don't have to reload Dovecot each time.
how can we accomplish this with "allow_nets"?
Allow_nets specifies allowed networks. Doesn't say anything else about any other use.
"The allow_nets field is a comma separated list of IP addresses and/or networks where the user is allowed to log in from."
I understand what "allow" means. But it will be very handy to support something like "!a.b.c.d" to allow all but just exclude a few IPs/networks. Isn't it? :)
I cannot imagine a case where I would find this useful, no.
-- "You never really understand a person until you see things from his point of view, until you climb inside of his skin and walk around in it."
On 30 Apr 2019, at 4.56, Zhang Huangbin via dovecot dovecot@dovecot.org wrote:
Dear all,
We use allow_nets [1] to restrict login clients, and it works fine. Recently we need to allow some users to log in from everywhere except some IPs/networks; how can we accomplish this with "allow_nets"? Tried allow_nets="!a.b.c.d", but Dovecot reports the error "allow_nets: Invalid network '!a.b.c.d'".
Can we have this feature?
Just create another passdb for these premium users before the actual passdb and add skip = authenticated to the actual passdb.
Sami
On Apr 30, 2019, at 2:35 PM, Sami Ketola via dovecot dovecot@dovecot.org wrote:
Just create another passdb for these premium users before the actual passdb and add skip = authenticated to the actual passdb.
Dear Sami,
Thank you for the suggestion.
Adding more passdbs is not ideal at all; if we have more access policies, we don't want to add more and more userdbs/passdbs. Dovecot already supports the syntax "allow_nets=a.b.c.d"; we just need something like a "!" mark to exclude some IPs/networks.
Hello, Zhang.
You can easily do this without a new feature in Dovecot.
- Create a post-login script, for instance in bash.
- Install grepcidr on your server.
Your post-login script can use grepcidr to check against a whitelist or blacklist.
https://wiki.dovecot.org/PostLoginScripting
I have implemented this myself on a small open source project; I can send you the links if you want.
André.
Tue Apr 30 02:57:18 GMT+01:00 2019 Zhang Huangbin via dovecot dovecot@dovecot.org:
Dear all,
We use allow_nets [1] to restrict login clients, and it works fine. Recently we need to allow some users to log in from everywhere except some IPs/networks; how can we accomplish this with "allow_nets"? Tried allow_nets="!a.b.c.d", but Dovecot reports the error "allow_nets: Invalid network '!a.b.c.d'".
Can we have this feature?
I guess it should be done in the function "auth_request_validate_networks" [2] in file src/auth/auth-request.c.
[1] allow_nets: https://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets [2] https://github.com/dovecot/core/blob/fbc3ccc4a9a02b82073585a33254eacedc6a995...
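To make the post-login approach concrete, here is an added example (not Dovecot's code and not André's script) of a minimal POSIX sh post-login script that enforces a per-user deny list. It does the CIDR test in shell arithmetic instead of calling grepcidr, so it runs with no extra packages; the inline deny table is constructed for the example, and the file path mentioned in the comments is an assumption. As the PostLoginScripting wiki page describes, Dovecot runs the script with USER and IP in the environment and passes the real mail process as "$@", which the script must exec to let the login proceed.

```shell
#!/bin/sh
# Added example post-login script for Dovecot (not the project's own code).
# Per-user deny list, constructed for this example:
#   user<space>cidr[,cidr...]
# A real deployment would read this from a file such as /etc/dovecot/deny_nets
# (hypothetical path), so policy changes need no Dovecot reload.
DENY_LIST='alice@example.com 203.0.113.0/24,198.51.100.7/32
bob@example.com 192.0.2.0/25'

# ip4_to_int A.B.C.D -> prints the address as a 32-bit integer.
# Note: octets with leading zeros would be read as octal by the shell.
ip4_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> returns 0 when IP lies inside CIDR (IPv4 only).
# A bare address is treated as /32. Non-IPv4 input (e.g. an IPv6 client)
# returns 1, i.e. "no match", so the deny list never blocks by accident
# and IPv6 ranges must be handled separately.
in_cidr() {
    ip=$1
    case "$ip" in *.*.*.*) ;; *) return 1 ;; esac
    net=${2%/*}
    bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    [ "$bits" -ge 0 ] && [ "$bits" -le 32 ] || return 2
    [ "$bits" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip4_to_int "$ip") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# denied USER IP -> returns 0 when the user has a deny entry matching IP.
# Users without an entry are never denied, which is the "allow everywhere
# except ..." semantics the thread asks for.
denied() {
    user=$1; ip=$2
    nets=$(printf '%s\n' "$DENY_LIST" | awk -v u="$user" '$1 == u { print $2 }')
    [ -n "$nets" ] || return 1
    old_ifs=$IFS; IFS=,
    for cidr in $nets; do
        IFS=$old_ifs
        if in_cidr "$ip" "$cidr"; then return 0; fi
    done
    IFS=$old_ifs
    return 1
}

# Entry point when invoked by Dovecot: USER and IP come from the environment
# and "$@" is the mail process to hand over to. The guard keeps the file
# inert when sourced or run without those values.
if [ $# -gt 0 ] && [ -n "${IP:-}" ]; then
    if denied "${USER:-}" "$IP"; then
        # stderr ends up in Dovecot's log; not exec'ing "$@" ends the session.
        echo "post-login: user ${USER:-?} denied from $IP" >&2
        exit 1
    fi
    exec "$@"
fi
```

Per the wiki page linked above, the script is wired in with `executable = imap postlogin` in `service imap` and `executable = script-login /path/to/script` in `service postlogin`; the same script can be reused for pop3. Keep in mind that a post-login check runs after the password has already been verified, so unlike allow_nets it does not hide whether the credentials were valid from a client on a denied network.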
Sorry for the top posting, I have not set up my new phone yet.
Here the script sample: https://github.com/progmaticltd/homebox/blob/dev/install/playbooks/roles/dov...
André.
Tue Apr 30 15:33:51 GMT+01:00 2019 andre andre@rodier.me:
Hello, Zhang.
You can easily do this without a new feature in Dovecot.
- Create a post-login script, for instance in bash.
- Install grepcidr on your server.
Your post-login script can use grepcidr to check against a whitelist or blacklist.
https://wiki.dovecot.org/PostLoginScripting
I have implemented this myself on a small open source project; I can send you the links if you want.
André.
Tue Apr 30 02:57:18 GMT+01:00 2019 Zhang Huangbin via dovecot dovecot@dovecot.org:
Dear all,
We use allow_nets [1] to restrict login clients, and it works fine. Recently we need to allow some users to log in from everywhere except some IPs/networks; how can we accomplish this with "allow_nets"? Tried allow_nets="!a.b.c.d", but Dovecot reports the error "allow_nets: Invalid network '!a.b.c.d'".
Can we have this feature?
I guess it should be done in the function "auth_request_validate_networks" [2] in file src/auth/auth-request.c.
[1] allow_nets: https://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets [2] https://github.com/dovecot/core/blob/fbc3ccc4a9a02b82073585a33254eacedc6a995...
On Apr 30, 2019, at 10:37 PM, andre via dovecot dovecot@dovecot.org wrote:
You can easily do this without a new feature in Dovecot.
- Create a post-login script, for instance in bash.
- Install grepcidr on your server.
Your post-login script can use grepcidr to check against a whitelist or blacklist.
Dear Andre,
Thank you very much for the input.
A post-login script should work as you suggested, but considering that Dovecot already supports "allow_nets=a.b.c.d", we just need a mark like "!" to exclude some IPs/networks. This might be the best and most elegant solution (if it can be implemented, of course), because we would need only one userdb/passdb for all users, with just different "allow_nets" values for access control, not one userdb/passdb for each access policy.
On 30.04.19 at 03:56, Zhang Huangbin via dovecot wrote:
Dear all,
We use allow_nets [1] to restrict login clients, and it works fine. Recently we need to allow some users to log in from everywhere except some IPs/networks; how can we accomplish this with "allow_nets"? Tried allow_nets="!a.b.c.d", but Dovecot reports the error "allow_nets: Invalid network '!a.b.c.d'".
Can we have this feature?
I guess it should be done in the function "auth_request_validate_networks" [2] in file src/auth/auth-request.c.
I had a similar problem years ago. Usually one sets defaults in a configuration and overrides them per userdb entry. In my case the userdb was an LDAP backend. I wanted to limit specific users via allow_nets and deny all others. So I wrote a simple patch for src/auth/auth-request.c to set defaults in case my LDAP userdb does not return any override. Patch attached...
Andreas