[Dovecot] Pam as ip/user based login filter - working.
Sysadmin
sysadmin at e-positive.ee
Thu Apr 13 10:42:30 EEST 2006
Hello.
As I told once, I have a firewall-protected network in which the mailserver
(dovecot/postfix) also runs, and every local user with an account can access it. Now I
have some privileged users which need access also from outside, through the firewall:
let the group1 members access mailserver from 0.0.0.0/0
let the group2 members access mailserver from 172.0.0.0/24
group1 members are also members of group2, and logically group1 members should
access the mailserver from every network, including 172.0.0.0/24, and group1 members
should access the mailserver only from the 172.0.0.0/24 network.
So I tried to make this happen with dovecot, made a separate passwd file and
configured dovecot to use it:
dovecot: Apr 11 13:42:48 Info: auth(default): passwd-file /etc/dovecot.outusers: Read 2 users
/etc/dovecot.outusers includes:
test1:{plain}test1:500:502::/home/test::mail=maildir:~/Maildir allow_nets=0.0.0.0
test2:{plain}test2:501:502::/home/test2::mail=maildir:~/Maildir allow_nets=172.0.0.0/24 192.0.0.0/24
Still, connecting from 172.17.25.3 to both accounts worked well, so it seems the code
doesn't work.
So the next step was pam:
/etc/pam.d/dovecot.pam includes:
auth required pam_nologin.so
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
account required pam_access.so
/etc/security/access.conf includes:
+:group1:ALL
+:group2:172. 192.
-:ALL:ALL
And it works. Maybe this information is useful for someone.
--
Sysadmin
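The two mechanisms in the post do not express the same policy, and the difference is easy to miss. The script below is an added example, not part of the original message or of Dovecot or Linux-PAM: it models the post's allow_nets entries under plain CIDR parsing (so a bare "0.0.0.0" with no mask is a single host and 172.0.0.0/24 covers only 172.0.0.0-172.0.0.255; whether the Dovecot version in the post parsed them that way is not stated) and models pam_access's access.conf evaluation (first matching line wins, a "from" token ending in "." is a string prefix match, no match means allowed; the EXCEPT keyword and hostname tokens are not modelled). The login attempts, the user-to-group mapping and the 203.0.113.x / 192.0.2.x addresses are constructed for the demonstration.

```python
import ipaddress

# --- Model 1: Dovecot passwd-file allow_nets, read as CIDR (model assumption) ---
# Networks copied from the post's /etc/dovecot.outusers. A bare "0.0.0.0"
# without a mask parses as the single host 0.0.0.0/32 under CIDR rules.
ALLOW_NETS = {
    "test1": ["0.0.0.0"],
    "test2": ["172.0.0.0/24", "192.0.0.0/24"],
}


def allow_nets_permits(user, client_ip, table=ALLOW_NETS):
    """True if the client address falls inside one of the user's allow_nets.
    A user without an allow_nets field is not restricted (Dovecot semantics)."""
    nets = table.get(user)
    if nets is None:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)


# --- Model 2: pam_access /etc/security/access.conf, copied from the post ---
ACCESS_CONF = """\
+:group1:ALL
+:group2:172. 192.
-:ALL:ALL
"""


def _origin_matches(token, client_ip):
    """pam_access 'from' token: ALL, a network number ending in '.', or an IP."""
    if token == "ALL":
        return True
    if token.endswith("."):           # "172." matches everything in 172.0.0.0/8
        return client_ip.startswith(token)
    try:
        return ipaddress.ip_address(client_ip) == ipaddress.ip_address(token)
    except ValueError:
        return False


def pam_access_permits(user, groups, client_ip, conf=ACCESS_CONF):
    """Evaluate access.conf lines top to bottom; the first line whose user
    field and origin field both match decides. No match at all => allowed."""
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users_field, origins = line.split(":", 2)
        user_tokens = users_field.split()
        if not any(t == "ALL" or t == user or t in groups for t in user_tokens):
            continue
        if any(_origin_matches(t, client_ip) for t in origins.split()):
            return perm == "+"
    return True


# Constructed login attempts (user, groups, client address); not from the post.
ATTEMPTS = [
    ("test1", {"group1", "group2"}, "203.0.113.7"),   # group1 member from outside
    ("test1", {"group1", "group2"}, "172.17.25.3"),   # the address from the post
    ("test2", {"group2"}, "172.17.25.3"),
    ("test2", {"group2"}, "203.0.113.7"),
    ("test2", {"group2"}, "192.0.2.9"),
]


def evaluate(attempts=ATTEMPTS):
    """Return (user, ip, allowed_by_allow_nets, allowed_by_pam_access) per attempt."""
    return [
        (u, ip, allow_nets_permits(u, ip), pam_access_permits(u, g, ip))
        for u, g, ip in attempts
    ]


if __name__ == "__main__":
    for user, ip, via_nets, via_pam in evaluate():
        print(f"{user:6} from {ip:13} allow_nets={via_nets!s:5} pam_access={via_pam}")
```

Run as-is it shows that, read as CIDR, none of the five attempts pass the allow_nets entries (172.17.25.3 is outside 172.0.0.0/24, and 0.0.0.0 with no mask is one host), while access.conf admits group1 from anywhere and group2 from the whole of 172.0.0.0/8 and 192.0.0.0/8. When porting a policy between the two, write the allow_nets list with the masks you actually intend and remember that a "172." prefix in access.conf is a /8, not a /24.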