[Dovecot] Different classes of user

John Robinson john.robinson at anonymous.org.uk
Sat Feb 10 03:01:12 UTC 2007

Hello list! Only recently joined, please excuse me if this is a stupid 

I'd like to have 2 classes of user: those with shell accounts, and those 
without. They'll all have "real" accounts, for which the password can be 
checked with PAM. I've set up SSL too. What I want to arrange is for 
users with shell accounts not to succeed in logging in to Dovecot 
without using TLS/SSL. I'll have to allow unencrypted logins (for 
non-shell users), but I want to reject/refuse such a login from someone 
with a shell account.

I've already made my exim do this, with the following logic in my 
authenticator there:
    if (pam auth ok) and
       ((tls) or (user's shell not listed in /etc/shells))

I haven't worked out how to make Dovecot do this, yet. So far I just 
tried using * as the PAM service name, in the hope that not only would 
pop3 or imap get passed through, but pop3s and imaps might, and I had a 
line in my /etc/pam.d/imap and pop like this:
   auth required pam_succeed_if.so debug shell notin /bin/bash:/bin/sh
which worked, but unfortunately also got used for imapS logins. Then I 
realised this was likely to be the wrong thing anyway, because it would 
presumably only cover IMAPS on port 993, and not IMAP+TLS on the usual 
port 143.

So I've had a go but got it wrong. What should I do to get it right?
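
The rule quoted from the Exim authenticator above, written out as an added Python example that is not part of the original post and is not Dovecot or Exim configuration. The function names and the sample passwd and shells data are constructed for illustration; `pam_ok` and `tls` are assumed to be supplied by the caller, with `tls` true for any encrypted session, whether IMAPS on port 993 or IMAP+TLS on port 143.

```python
"""Login policy from the post: pam_ok and (tls or shell not in /etc/shells)."""

# Constructed sample data standing in for /etc/shells and /etc/passwd.
SAMPLE_SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash

"""
SAMPLE_PASSWD = """\
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/sbin/nologin
carol:x:1002:1002:Carol:/home/carol:
"""


def parse_shells(text):
    """Return the set of shells listed, skipping comments and blank lines."""
    shells = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            shells.add(line)
    return shells


def shell_of(user, passwd_text):
    """Return the user's login shell, or None if the user is unknown."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == user:
            # An empty shell field means the system default, /bin/sh.
            return fields[6] or "/bin/sh"
    return None


def allow_login(user, pam_ok, tls,
                passwd_text=SAMPLE_PASSWD, shells_text=SAMPLE_SHELLS):
    """Apply the rule; unknown users are refused (fail closed)."""
    shell = shell_of(user, passwd_text)
    if not pam_ok or shell is None:
        return False
    return tls or shell not in parse_shells(shells_text)
```

Reading the list from /etc/shells, as the Exim rule does, also catches accounts with an empty shell field, which a fixed list of shell paths only catches if it happens to include /bin/sh.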



