[Dovecot] restricting access by reverse domain name
Phil Howard
ttiphil at gmail.com
Mon Aug 9 22:50:40 EEST 2010
On Mon, Aug 9, 2010 at 11:18, Timo Sirainen <tss at iki.fi> wrote:
> On Mon, 2010-08-09 at 10:55 -0400, Phil Howard wrote:
>> Is there a feature or plugin to restrict access to IMAP/POP service by
>> the domain name in reverse lookup?
>
> With v2.0 you could use tcp-wrappers.
>
>> It would be even better if this
>> restriction can exclude certain users (e.g. some users can access IMAP
>> from certain networks but other users cannot).
>
> Then you need to check this during authentication. What passdb do you
> use? There is
> http://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets but it
> doesn't do reverse DNS lookups. For that you'd need to a) use passdb pam
> with some PAM plugin, b) use passdb checkpassword with your own script,
> c) add some new code to Dovecot or create a plugin.

Most (maybe all) cases will be allowing from all networks except
certain ones. The first interest is to block "free web mail" services
that users can access IMAP servers with.

I'm using passwd-file:
========================================================================
[...]
auth default:
  mechanisms: plain login
  username_chars: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@+
  username_format: %Ln@%Ld
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
    driver: passwd-file
    args: scheme=crypt username_format=%Ln /var/maildb/authdir/%Ld/passwd
  userdb:
    driver: passwd-file
    args: username_format=%Ln /var/maildb/authdir/%Ld/passwd
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/dovecot-auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmail
      group: vmail
========================================================================
--
sHiFt HaPpEnS!
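
Option (b) from the quoted reply, a checkpassword script that does its own reverse lookup, needs a decision function along these lines; this is an added example, not part of the original message or of Dovecot's code. The suffix list, the exempt user and all function names are hypothetical, and the client address is assumed to come from the TCPREMOTEIP environment variable that Dovecot's checkpassword passdb sets.

```python
import socket
import sys

# Constructed sample policy (assumptions, not taken from the thread).
BLOCKED_SUFFIXES = ("webmail.example",)   # reverse-DNS domains to refuse
EXEMPT_USERS = {"alice@example.org"}      # users allowed from anywhere


def ptr_names(ip, reverse=socket.gethostbyaddr):
    """Return the lowercase PTR names for ip, or [] when none resolve."""
    try:
        name, aliases, _addrs = reverse(ip)
    except OSError:  # socket.herror and socket.gaierror are subclasses
        return []
    return [n.rstrip(".").lower() for n in [name, *aliases]]


def suffix_match(name, suffix):
    """Match on a label boundary so 'notwebmail.example' is not caught."""
    return name == suffix or name.endswith("." + suffix)


def access_allowed(user, ip, reverse=socket.gethostbyaddr):
    """Allow by default; refuse when the client's PTR is in a blocked domain.

    A failed or missing reverse lookup is treated as 'allow', matching the
    "all networks except certain ones" policy described in the message.
    """
    if user.lower() in EXEMPT_USERS:
        return True
    for name in ptr_names(ip, reverse):
        if any(suffix_match(name, s) for s in BLOCKED_SUFFIXES):
            return False
    return True


if __name__ == "__main__":
    # Usage: script USER IP ; exit status 0 = allowed, 1 = refused.
    sys.exit(0 if access_allowed(sys.argv[1], sys.argv[2]) else 1)
```

A PTR record is controlled by whoever owns the address block, so this is a coarse policy filter; the checkpassword script must still verify the password itself before granting access.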