application specific passwords
mj
lists at merit.unu.edu
Thu Jul 20 22:42:27 EEST 2017
Hi,
Let me ask a more specific question.
What I would like to configure, is:
- for our internal users to use their regular AD usernames/passwords, just
as everybody can currently do.
but, new:
- for external users, to ONLY be allowed to use an application-specific
password (or username and password, fine as well).
Step one: making LDAP password authentication valid only from our
internal network. I thought of using allow_nets=192.168.1.0/24 for that passdb,
but I can't get that to work. :-( I'm unsure where exactly to define
allow_nets; I have tried many variations on the theme already.
Perhaps someone can help with step one, and also tell me whether the
approach outlined above is smart, valid and doable in Dovecot.
Here are our sanitised configs:
> root at mails:/etc/dovecot# doveconf -n
> # 2.2.26.0 (23d1de6): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.16 (fed8554)
> # OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.7 xfs
> # Authentication logging is at maximum verbosity here: auth_debug together
> # with auth_verbose_passwords = plain writes every attempted password, in
> # clear text, into the files named by debug_log_path / info_log_path. Those
> # log files are credential stores while this is on; set it back to "no"
> # (or "sha1", which still lets attempts be correlated) once the allow_nets
> # troubleshooting is done.
> auth_debug = yes
> auth_failure_delay = 2 secs
> # The separator enables master-user logins: an account from the passwd-file
> # master passdb below can open any user's mailbox.
> auth_master_user_separator = *
> auth_mechanisms = plain login
> auth_username_format = %Ln
> auth_verbose = yes
> auth_verbose_passwords = plain
> debug_log_path = /var/log/dovecot/dovecot.debug
> deliver_log_format = %f | %s | msgid=%m: %$
> # PLAIN/LOGIN credentials are accepted on unencrypted connections as well.
> # "yes" makes Dovecot require TLS before taking a password from a non-local
> # client, which is the more important setting for the external users this
> # thread is about.
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot/dovecot.info
> lda_mailbox_autocreate = yes
> lda_mailbox_autosubscribe = yes
> log_path = /var/log/dovecot/dovecot.err
> login_greeting = Dovecot ready.
> mail_gid = vmail
> mail_location = maildir:/var/vmail/%Ln/Maildir:LAYOUT=fs:DIRNAME=mAildir
> mail_plugins = acl lazy_expunge zlib quota mail_log notify
> mail_uid = vmail
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
> namespace {
> list = children
> location = maildir:/var/vmail/%%u/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%u/shared/%%u
> prefix = shared/%%n/
> separator = /
> subscriptions = no
> type = shared
> }
> namespace inbox {
> inbox = yes
> location =
> mailbox "Deleted items" {
> special_use = \Trash
> }
> mailbox Drafts {
> special_use = \Drafts
> }
> mailbox Junk {
> special_use = \Junk
> }
> mailbox Sent {
> special_use = \Sent
> }
> mailbox "Sent items" {
> special_use = \Sent
> }
> mailbox Trash {
> special_use = \Trash
> }
> mailbox inbox {
> auto = subscribe
> }
> prefix =
> separator = /
> type = private
> }
> # Master-user passdb: every entry in /etc/dovecot/master-users can read any
> # mailbox on the server, so that file needs root/dovecot-only permissions.
> passdb {
> args = /etc/dovecot/master-users
> driver = passwd-file
> master = yes
> }
> # Regular users: LDAP (AD) via the ext file below. skip = authenticated means
> # this passdb is not consulted once the master passdb has accepted the login.
> # Any allow_nets restriction for LDAP users has to come out of THIS passdb
> # (pass_attrs in the ext file), not out of the userdb at the bottom.
> passdb {
> args = /etc/dovecot/dovecot-ldap.conf.ext
> driver = ldap
> skip = authenticated
> }
> plugin {
> acl = vfile
> acl_shared_dict = file:/var/lib/dovecot/db/shared-mailboxes.db
> mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename append
> mail_log_fields = uid box msgid from subject
> quota = maildir
> quota_rule = ?:storage=5G
> quota_rule2 = Trash:storage=+100M
> quota_warning = storage=97%% quota-warning 97 %u
> quota_warning2 = storage=95%% quota-warning 95 %u
> quota_warning3 = storage=90%% quota-warning 90 %u
> quota_warning4 = storage=85%% quota-warning 85 %u
> quota_warning5 = storage=80%% quota-warning 80 %u
> quota_warning6 = -storage=100%% quota-warning below %u
> sieve = ~/.dovecot.sieve
> sieve_default = /var/lib/dovecot/default.sieve
> sieve_dir = ~/sieve
> }
> protocols = imap lmtp sieve
> service auth {
> # mode 0666 lets every local account, not only Postfix, talk to the SASL
> # socket; pairing it with user =/group = of the Postfix user and mode 0660
> # is tighter (NOTE(review): check which user Postfix's smtpd runs as here).
> unix_listener /var/spool/postfix/private/auth {
> mode = 0666
> }
> # World-accessible userdb lookup socket: it hands out home/mail paths and
> # uid/gid for any user. If vmail (LDA/LMTP) is its only client, mode 0600
> # with user = vmail is enough.
> unix_listener auth-userdb {
> group = vmail
> mode = 0666
> user = vmail
> }
> }
> service imap-login {
> process_limit = 500
> process_min_avail = 2
> }
> service quota-warning {
> executable = script /usr/local/bin/quota-warning.sh
> unix_listener quota-warning {
> user = vmail
> }
> user = dovecot
> }
> ssl_ca = </etc/ssl/comodo/chain.crt
> ssl_cert = </etc/ssl/comodo/server.crt
> ssl_key = # hidden, use -P to show it
> # SSLv2/SSLv3 are disabled; "ssl" itself and ssl_cipher_list are not listed
> # by doveconf -n, so the 2.2.26 defaults apply to them.
> ssl_protocols = !SSLv2 !SSLv3
> # Userdb lookup only: fields returned here (home, mail, ...) never influence
> # whether a password is accepted.
> userdb {
> args = /etc/dovecot/dovecot-ldap.conf.ext
> driver = ldap
> }
> verbose_proctitle = yes
> protocol lda {
> mail_plugins = acl lazy_expunge zlib quota mail_log notify sieve quota
> }
> protocol imap {
> imap_max_line_length = 2 M
> mail_max_userip_connections = 30
> mail_plugins = acl lazy_expunge zlib quota mail_log notify imap_quota imap_acl
> }
and our dovecot-ldap.conf.ext:
> # Three AD hosts; no port or ldaps:// scheme given, so the plain LDAP default
> # port is used for all of them.
> hosts = ldap1 ldap2 ldap3
> dn = cn=search,cn=....
> # Bind password of the search account lives in this file in clear text; keep
> # the file readable by root/dovecot only. (The value below is presumably a
> # placeholder from sanitising — verify it is not the live secret.)
> dnpass = secretashell
> # tls = no together with auth_bind = yes means every user's AD password is
> # sent to ldap1-3 in a cleartext simple bind. tls = yes (STARTTLS) or
> # ldaps:// URIs via the "uris" setting keeps those credentials off the wire.
> tls = no
> debug_level = 0
> # Passwords are verified by binding to AD as the user; the pass_filter search
> # below still runs first (no auth_bind_userdn is set).
> auth_bind = yes
> base = CN=Users, DC=.....
> scope = subtree
> # Why allow_nets has no effect here: (1) allow_nets is a passdb extra field,
> # and this line feeds the *userdb* lookup, whose fields never restrict
> # authentication; (2) "allow_nets=192.168.1.0/24" is the ldapAttr=field form,
> # i.e. it maps an LDAP attribute called allow_nets — a static value needs the
> # leading "=" exactly like the =home= and =mail= entries on this same line.
> # The passdb equivalent is `pass_attrs = =allow_nets=192.168.1.0/24`
> # (NOTE(review): confirm pass_attrs is honoured with auth_bind on 2.2.26).
> # The net is matched against the client IP as Dovecot sees it; behind a
> # proxy or NAT that is the proxy's address, not the user's.
> user_attrs = =home=/var/vmail/%n/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%n/shared/%n,=mail=maildir:/var/vmail/%n/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%n/shared/%n,allow_nets=192.168.1.0/24
> # NOTE(review): userAccountControl is a bit mask, so (!(userAccountControl=514))
> # only excludes accounts whose flags are exactly 514 (NORMAL_ACCOUNT +
> # ACCOUNTDISABLE); a disabled account with any additional flag set (e.g.
> # password-never-expires) still passes both filters. The bitwise-AND matching
> # rule (!(userAccountControl:1.2.840.113556.1.4.803:=2)) excludes every
> # disabled account regardless of the other bits.
> user_filter = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
> pass_filter = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
> iterate_attrs = sAMAccountName=user
> iterate_filter = (objectClass=person)
MJ