Hi, is it possible to authenticate by IP address in Dovecot? What I need: right now auth is by PAM (Active Directory); I want application passwords (it's a plugin for Roundcube, passwords in MySQL), for example for an Android email client. I know that Multiple Authentication Databases work, but I want this: when a user authenticates from the public network, use SQL, and when from the internal network, use both SQL and then PAM.
Thanks for the help
Bukowski
I recently asked something similar (allow authentication without a password for a specific user name), and am looking to resolve this via PAM modules. I think the solution to your issue is going to be quite similar. However, I am not sure what you are trying to do, and if what you are looking for is even good. If you want to use Roundcube, why not just enable user IMAP authentication? I would say you really need to know what you are doing when you start looking at no authentication.
On 2022-04-08 12:29, Vlastimil Wagner wrote:
Hi there,
Check Dovecot post-login scripting; refer to https://doc.dovecot.org/admin_manual/post_login_scripting/.
In the post-login script you have access to the $USER string, containing the email address, as well as "Fields returned by userdb lookup with their keys uppercased (e.g. if userdb returned home, it's stored in HOME)."
E.g. use the following snippets in a bash script to perform additional authentication: first check whether $IP is present in a whitelist file, i.e. internal, and then perform it.
You can retrieve PAM credentials for a "username" using: cat /etc/shadow | grep username
Retrieve the user password from the DB and use it in the following to generate its hash, or instead of openssl use the doveadm command if it's more suitable: openssl passwd -1 -salt TrOIigLp PASSWORD
Retrieve the password hash, algorithm and salt from the PAM credentials string:
Find a way to compare the password hash with the generated one; I think it's doable using Python, yet I have not tested it myself.
In the bash script use the following, e.g., to pass the post-login script authentication:
if [[ $authenticated = true && $IP_PRESENT = true ]]; then
    # internal client that also passed the extra check: start the IMAP process
    exec "$@"
elif [[ $IP_PRESENT = false ]]; then
    # public client: the SQL (application password) login is enough
    exec "$@"
else
    # internal client that failed the extra check: do not start the IMAP process
    exit 0
fi
Any question please don't hesitate.
Zakaria.
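As an added example (not code from Zakaria's message, the Dovecot project or Roundcube), the two checks the reply sketches written out as POSIX shell functions for a post-login script: classifying the client $IP against a list of internal networks, verifying a password against an MD5-crypt shadow string with openssl, and turning the result into an allow/deny decision. INTERNAL_NETS, the "authenticated" flag and the decide() helper are assumptions for illustration.

```shell
# Added example, not code from the thread: helper functions for a Dovecot
# post-login script. Dovecot exports USER and IP to the script and "$@" is the
# real IMAP process to exec. INTERNAL_NETS is a constructed allowlist.
INTERNAL_NETS="10.0.0.0/8 192.168.0.0/16"

# Print a dotted-quad IPv4 address as a 32-bit integer; fail on malformed input.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed (exit 0) when $1 falls inside one of the CIDR blocks in INTERNAL_NETS.
is_internal_ip() {
    ip=$(ip_to_int "$1") || return 1
    for net in $INTERNAL_NETS; do
        base=$(ip_to_int "${net%/*}") || continue
        bits=${net#*/}
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
        [ $(( ip & mask )) -eq $(( base & mask )) ] && return 0
    done
    return 1
}

# Verify a candidate password ($2) against an MD5-crypt "$1$salt$hash" string
# ($1, as found in /etc/shadow) with openssl, the tool the reply suggests.
# The password is fed on stdin so it never shows up in the process list.
verify_md5crypt() {
    stored=$1; salt=${stored#\$1\$}; salt=${salt%%\$*}
    computed=$(printf '%s\n' "$2" | openssl passwd -1 -salt "$salt" -stdin)
    [ "$computed" = "$stored" ]
}
# Policy from the thread: internal clients must also pass the extra check
# ($2 = true); public clients are admitted on the SQL (application password)
# login alone. Malformed addresses are refused. Prints "allow" or "deny".
decide() {
    ip_to_int "$1" >/dev/null || { echo deny; return 0; }
    if is_internal_ip "$1"; then
        if [ "$2" = true ]; then echo allow; else echo deny; fi
    else
        echo allow
    fi
}
# In the real script the result drives the exec, e.g.
#   case $(decide "$IP" "$authenticated") in allow) exec "$@" ;; *) exit 0 ;; esac
```

verify_md5crypt only covers the $1$ scheme the reply's openssl command produces; a shadow entry using $5$/$6$ (SHA-crypt) needs the matching openssl option or doveadm pw instead.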
participants (3): hi@zakaria.website, Marc, Vlastimil Wagner