[Dovecot] Enable IMAP only for certain users/IP
Hi, I'm trying to configure Dovecot to enable the IMAP protocol only for certain IPs and users. The logical steps I've followed are:
- If a user is trying to log in from an IP that I've authorized (listed in a file), the request is authorized.
- If not, if the user is listed in a second file the request is authorized.
- If this check also fails, the request is rejected.
I'm using PAM for passdb and a passwd-file for userdb:
passdb {
  driver = pam
  args = session=yes failure_show_msg=yes max_requests=16 cache_key=%u%r%l dovecot-%s
}
userdb {
  driver = passwd-file
  args = /etc/passwd-dovecot
}
In /etc/pam.d/ there are two files: dovecot-pop3 and dovecot-imap.
dovecot-pop3:
#%PAM-1.0
@include common-auth
@include common-account
@include common-session
(For this protocol everything works fine; I don't want to limit it.)
dovecot-imap:
#%PAM-1.0
@include common-auth
auth sufficient pam_listfile.so item=rhost sense=allow file=/etc/dovecot/imaphosts onerr=fail
auth required   pam_listfile.so item=user  sense=allow file=/etc/dovecot/imapusers onerr=fail
@include common-account
@include common-session
If I'm not wrong, once the user is authenticated, PAM checks whether the remote IP address is in imaphosts; if it is, it returns PAM_SUCCESS and stops the execution of the auth block; if it is not, PAM executes the next line, verifying the presence of the username in the imapusers file; if found, it returns PAM_SUCCESS, else it fails.
If this can work, I have a problem with pam_listfile.so and IP addresses: I want to do something smarter than specifying 2^11 IP addresses instead of a /21 or IP/netmask.
Are there alternatives for doing it better?
Thanks.
Sincerely, Simone Marx.
On 29.05.2013 10:37, Simone Marx :: Edinet Srl wrote:
You may have a look at
http://wiki.dovecot.org/Authentication/RestrictAccess
Best Regards / Kind regards, Robert Schetterer
-- [*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263. Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer. Chairman of the supervisory board: Florian Kirstein
Hi Robert, thank you for your answer.
My previous mail is based on the wiki page you specified.
Also, the allow_nets parameter seems not to do what I want.
I want to combine a remote IP address check (system-wide, common for all users) and a single-user permission check.
The problem is that I would specify for the IP section something similar to:
127.0.0.1 1.2.0.0/21
and not: 127.0.0.1 1.2.0.1 1.2.0.2 1.2.0.3 1.2.0.4 1.2.0.5 . . . 1.2.7.254
Thank you.
Sincerely, Simone.
On 29.05.2013 12:08, Simone Marx :: Edinet Srl wrote:
What about using some kind of
http://wiki2.dovecot.org/PostLoginScripting
Best Regards / Kind regards, Robert Schetterer
> What about using some kind of http://wiki2.dovecot.org/PostLoginScripting
You got it, a script call for post-login does the trick.
Thank you, Robert.
Sincerely, Simone.
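As an added example (my own sketch, not code from this thread, from Simone, or from the Dovecot project), here is what a post-login script implementing the policy from the first message can look like: the IMAP session is allowed if the remote address matches an entry in /etc/dovecot/imaphosts, with CIDR entries such as 1.2.0.0/21 supported so the 2^11-address list is no longer needed, or else if the user is listed in /etc/dovecot/imapusers; otherwise the login is dropped, and an unreadable list denies, matching the onerr=fail behaviour of pam_listfile. It assumes the script-login behaviour described on the PostLoginScripting page linked above: Dovecot passes the connection as the environment variables USER and IP and the real imap binary as the script's arguments, which the script must exec on success. The file paths are the ones from the thread; the helper names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: a Dovecot post-login script that allows an
# IMAP session when the remote address is in an allowed network (CIDR supported)
# OR the user is in an allowed-user list, and drops it otherwise.
# Assumed (per the Dovecot PostLoginScripting page): script-login passes the
# connection as the environment variables USER and IP and the real imap binary
# as the script's arguments, which the script must exec on success.
set -f   # no pathname expansion: the code below relies on word splitting only

# File locations taken from the thread; overridable through the environment.
IMAPHOSTS="${IMAPHOSTS:-/etc/dovecot/imaphosts}"
IMAPUSERS="${IMAPUSERS:-/etc/dovecot/imapusers}"

# ip_to_int A.B.C.D: print the address as a 32-bit integer; fail on malformed input
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        # decimal octets only, no leading zeros (dash would read 010 as octal)
        case $o in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP ENTRY: succeed when IP lies in ENTRY (A.B.C.D/N; a bare address means /32)
in_cidr() {
    ipn=$(ip_to_int "$1") || return 1
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    netn=$(ip_to_int "$net") || return 1
    # 64-bit shell arithmetic assumed (dash, bash), so 1<<32 does not overflow
    mask=$(( (1 << 32) - (1 << (32 - bits)) ))
    [ $(( ipn & mask )) -eq $(( netn & mask )) ]
}

# host_allowed IP FILE: succeed when IP matches any address or network listed in
# FILE (whitespace or newline separated, '#' comments ignored); an unreadable file
# denies, the same policy as pam_listfile's onerr=fail
host_allowed() {
    [ -r "$2" ] || return 1
    while read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        for entry in $line; do
            in_cidr "$1" "$entry" && return 0
        done
    done < "$2"
    return 1
}

# user_allowed USER FILE: succeed when USER is listed in FILE (same file format)
user_allowed() {
    [ -r "$2" ] || return 1
    while read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        for entry in $line; do
            [ "$entry" = "$1" ] && return 0
        done
    done < "$2"
    return 1
}

# imap_login_allowed USER IP [HOSTFILE] [USERFILE]: the policy from the first
# message, allowed network first, then allowed user, otherwise denied
imap_login_allowed() {
    hf=${3:-$IMAPHOSTS}; uf=${4:-$IMAPUSERS}
    host_allowed "$2" "$hf" && return 0
    user_allowed "$1" "$uf" && return 0
    return 1
}

# Only act as a post-login hook when Dovecot handed us a command to exec.
if [ $# -gt 0 ]; then
    if imap_login_allowed "${USER:-}" "${IP:-}"; then
        exec "$@"
    fi
    echo "imap-postlogin: denied user '${USER:-}' from ${IP:-unknown}" >&2
    exit 1
fi
```

To wire it in, the linked wiki page describes a Dovecot 2.x configuration of the form `service imap { executable = imap imap-postlogin }` together with `service imap-postlogin { executable = script-login /usr/local/bin/imap-postlogin.sh }` (the script path is a placeholder of mine). Because the hook runs only after the password has been verified, it gates the session exactly where Simone's pam_listfile stack would have, and the denial message written to stderr should end up in Dovecot's log so that rejected logins remain visible.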