[Dovecot] restricting access by reverse domain name

Phil Howard ttiphil at gmail.com
Mon Aug 9 22:50:40 EEST 2010


On Mon, Aug 9, 2010 at 11:18, Timo Sirainen <tss at iki.fi> wrote:
> On Mon, 2010-08-09 at 10:55 -0400, Phil Howard wrote:
>> Is there a feature or plugin to restrict access to IMAP/POP service by
>> the domain name in reverse lookup?
>
> With v2.0 you could use tcp-wrappers.
>
>> It would be even better if this
>> restriction can exclude certain users (e.g. some users can access IMAP
>> from certain networks but other users cannot).
>
> Then you need to check this during authentication. What passdb do you
> use? There is
> http://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets but it
> doesn't do reverse DNS lookups. For that you'd need to a) use passdb pam
> with some PAM plugin, b) use passdb checkpassword with your own script,
> c) add some new code to Dovecot or create a plugin.

Most (maybe all) cases will be allowing from all networks except
certain ones.  The first interest is to block "free web mail" services
that users can access IMAP servers with.

I'm using passwd-file:

========================================================================
[...]
auth default:
  mechanisms: plain login
  username_chars: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_ at +
  username_format: %Ln@%Ld
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
    driver: passwd-file
    args: scheme=crypt username_format=%Ln /var/maildb/authdir/%Ld/passwd
  userdb:
    driver: passwd-file
    args: username_format=%Ln /var/maildb/authdir/%Ld/passwd
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/dovecot-auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmail
      group: vmail
========================================================================


-- 
sHiFt HaPpEnS!
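
An added example, not part of the original message and not Dovecot code: the decision logic a custom checkpassword script (option b in the quoted reply) could apply once it has the user name and the client IP. The policy tables, user names and domains are constructed placeholders, and how the script receives the client IP is an assumption left outside the example.

```python
import socket

# Constructed policy for illustration; none of these names come from the thread.
DENY_SUFFIXES = ("webmail.example",)                 # blocked for everyone...
DENY_EXEMPT = {"alice@example.org"}                  # ...except these users
ALLOW_ONLY = {"bob@example.org": ("corp.example",)}  # users tied to named networks


def reverse_name(ip):
    """PTR lookup; None when the address has no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0].rstrip(".").lower()
    except OSError:  # socket.herror and socket.gaierror are subclasses
        return None


def forward_addrs(name):
    """Textual addresses the name resolves to (A and AAAA)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except OSError:
        return set()


def in_domain(name, suffixes):
    # Compare on label boundaries so "notwebmail.example" does not match.
    return any(name == s or name.endswith("." + s) for s in suffixes)


def allow_login(user, ip, rev=reverse_name, fwd=forward_addrs):
    """Return True if this user may authenticate from this client address."""
    name = rev(ip)
    if user in ALLOW_ONLY:
        # The PTR record is set by whoever controls the address block, so an
        # allow decision is only trusted if the name resolves back to the
        # same address (compared here as text).
        return (name is not None
                and in_domain(name, ALLOW_ONLY[user])
                and ip in fwd(name))
    if name is not None and in_domain(name, DENY_SUFFIXES):
        return user in DENY_EXEMPT
    # Allow from all networks except the listed ones; an address with no
    # PTR record has nothing to match and is allowed.
    return True
```

The deny list only catches clients whose address owner publishes a matching PTR record, so it is a policy control for cooperating services rather than a hard barrier.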

