[Dovecot] Disable IMAP for ONE user only

SIW bov at bsdpanic.com
Mon May 5 21:26:07 UTC 2014


Thanks Rick!

I have a handful of users on the server but I am the only one requiring 
secure access to my mail while travelling. Everything is installed on 
one box. I will give you recommendation a try so thank you for that.

One option I was thinking about is as well, is it possible to use "throw 
away one time passwords" with my setup? As described here:

http://blog.kevinvandervlist.nl/projects/roundcube-static-otp/

It would be *perfect* if I could access my mail "normally" from an IMAP 
client (Thunderbord/K9) using a strong password and then use a OTP 
(using Googles Authenticator) with a "throw away password" that can ONLY 
be used once!

This would allow me to login at an internet cafe with a throw away 
password and not care if its being recorded as it could only be used 
once anyway and couldn't be used with IMAP. is this a possibility?

I'm just trying to consider all the ideas :-)

On 05/05/2014 22:13, Rick Romero wrote:
>  You don't need vpopmail - that's just an example.  It has it's own table
> structure.
>
> Are you the only user - I missed that part of the question.  If so, 
> ignore
> the 'Bit Operator' part, you won't need it.  That's to allow different
> types of access per user (and makes the query that much more complex).
>
> Change your user table structure and add a 2nd password field named
> 'imap_password', then change your Dovecot query SQL to the below:
>
> SELECT email as user, if(%r == '127.0.0.1', password,imap_password) as
> password FROM virtual_users WHERE email='%u';
>
> That will return the contents of 'password' when you use webmail 
> (assuming
> it's all installed on one box), and 'imap_password' when you connect from
> any other system.
>
> If you're unfamiliar with modifing MySQL tables, install phpmyadmin (and
> lock it down) or another visual MySQL client.
>
> If there are multiple users, you'll need to either change the query to 
> just
> match your username or add another field to do a bit check and make the
> query more complex... :)
>
> Rick
>
> Quoting SIW <bov at bsdpanic.com>:
>
>> Hi Rick
>>
>> I really appreciate your response!
>>
>> Unfortunately my SQL is, how can we say, very basic. I built my server
>> using the Linode guide at:
>>
>> https://library.linode.com/email/postfix/postfix2.9.6-dovecot2.0.19-mysql 
>>
>>
>> Currently my password query looks as follows:
>>
>> password_query = SELECT email as user, password FROM virtual_users WHERE
>> email='%u';
>>
>> I'm not familiar with VPopMail, would I need it in this situation?
>> Currently I use Postfix/Dovecot/MySQL/Apache/Roundcube.
>>
>> On 05/05/2014 21:32, Rick Romero wrote:
>>> Quoting Professa Dementia <professa at dementianati.com>:
>>>
>>>> On 5/5/2014 1:05 PM, SIW wrote:
>>>>> Thats a good point.
>>>>>
>>>>> If I block IMAP/SMTP access to ONE user does that mean that 
>>>>> particular
>>>>> user can't use Roundcube anymore?
>>>>
>>>> That is correct.  If you block IMAP, then webmail will not work.
>>>
>>> Not necessarily.
>>>
>>> From:
>>> http://wiki2.dovecot.org/AuthDatabase/VPopMail
>>>
>>> "logically this means: show password for user=%n at domain=%d when imap
>>> on
>>> the account is not disabled and connection is not comming from 
>>> localhost
>>> when webmail access on the account is not disabled and if imap for the
>>> domain is not disabled and (connection is not comming from localhost
> when
>>> webmail access for the domain is not disabled) when vlimits are not
>>> overriden on the account "
>>> #
>>> password_query = select pw_passwd as password FROM vpopmail LEFT JOIN
>>> limits ON vpopmail.pw_domain=limits.domain WHERE pw_name='%n' and
>>> pw_domain='%d' and !(pw_gid & 8) and ('%r'!='127.0.0.1' or !(pw_gid &
> 4))
>>> and ( ('%r'!='127.0.0.1' or COALESCE(disable_webmail,0)!=1) and
>>> COALESCE(disable_imap,0)!=1 or (pw_gid & 8192) );
>>>
>>> So construct your SQL query in a way that your bit field in MySQL
>>> disables
>>> all access for a single user except when the source IP is your webmail
>>> server.
>>>
>>> If you want multiple passwords, you can modify the password_query with
>>> iif
>>> statements based on the source IP or protocol.
>>>
>>> Like:
>>> select iif(%r == '127.0.0.1' & pw_name== 'yourname' &
>>> pw_domain='yourdomain',pw_webmailpasswrd,pw_passwd) as pw_passwd from
>>> vpopmail .....
>>> Of course that's specific to the vpopmail table... modify as needed for
>>> your own table structure...
>>> Rick
>>
>>



More information about the dovecot mailing list