Stopping login via "nologin" parameter

J Doe general at nativemethods.com
Fri Jul 20 01:49:00 EEST 2018


Hello,

I have a basic e-mail server with Postfix 3.1 and Dovecot 2.2.22.

I am using a passwd-file for both userdb and passdb:

    /etc/dovecot/dovecot.conf
        userdb {
            driver = passwd-file
            args = /etc/dovecot/passwd
        }

        passdb {
            driver = passwd-file
            args = /etc/dovecot/passwd
        }

In the passwd file, I want to have user account names for SMTP SASL AUTH and IMAP that are NOT e-mail addresses.

For example, employee one of ABC corp would have an SMTP SASL AUTH/IMAP account name in the form: abc_company_employeeid (for example: abc_company_03284). The idea behind that is that I do not want someone outside of the company to be able to know the first half of the username and password pair just because they have an employee's e-mail address.

For the e-mail address I specify something like: bob at abc.com; however, I never want someone to be able to log in via their e-mail address. Originally, I specified the password field as empty, with the understanding being that the default encryption of a password is {CRYPT}. Since crypt() cannot output a null string, this meant that there was never a valid password.

So passwd looked like this:

    /etc/dovecot/passwd
        # SMTP SASL AUTH and IMAP accounts
        abc_company_03284:::::::userdb_mail=maildir:/var/mail/vhosts/abc.com/abc_company_03284

        # IMAP
        bob at abc.com:vmail:vmail::/home/vmail/bob::userdb_mail=maildir:/var/mail/vhosts/abc.com/abc_company_03284

I tested SMTP SASL AUTH and IMAP via the openssl s_client and can confirm that I can log in and send e-mail as well as retrieve mail only via the: abc_company_03284 account, but because an empty password field isn’t mentioned on the Dovecot wiki, I was wondering if I should add “nologin” to explicitly make it impossible for: bob at abc.com. “nologin” was mentioned to me in a previous e-mail to this list.

So passwd would now look like this:

    /etc/dovecot/passwd
        # SMTP SASL AUTH and IMAP accounts
        abc_company_03284:::::::userdb_mail=maildir:/var/mail/vhosts/abc.com/abc_company_03284

        # IMAP
        bob at abc.com:vmail:vmail::/home/vmail/bob::userdb_mail=maildir:/var/mail/vhosts/abc.com/abc_company_03284 nologin

I restarted Dovecot and tested this with openssl s_client for SMTP SASL AUTH and IMAP, but just wanted to make sure that this STOPS ANY LOGINS via the e-mail address: bob at abc.com?

Thanks,

- J
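
An added example, not part of the original message and not Dovecot's own code: a small lint that splits passwd-file entries by the documented `user:password:uid:gid:(gecos):home:(shell):extra_fields` layout and reports empty password fields, `nologin` markers, and `key=value` tokens that landed in a positional column. The sample lines are constructed from the entries quoted above (with `@` restored), the last line and the `KNOWN_KEYS` allowlist are assumptions, and the lint only reports how a line splits, not whether Dovecot would accept a login.

```python
# Documented Dovecot passwd-file layout:
#   user:password:uid:gid:(gecos):home:(shell):extra_fields
FIELDS = ("user", "password", "uid", "gid", "gecos", "home", "shell", "extra")

# Assumption: a site-specific allowlist of extra-field keys; extend as needed.
KNOWN_KEYS = {"nologin", "userdb_mail", "userdb_home", "userdb_uid", "userdb_gid"}

# Constructed sample. Line 4 copies the colon layout of the second listing in
# the message; line 5 is a hypothetical variant with all seven colons present.
SAMPLE = """\
# SMTP SASL AUTH and IMAP accounts
abc_company_03284:::::::userdb_mail=maildir:/var/mail/vhosts/abc.com/abc_company_03284
# IMAP
bob@abc.com:vmail:vmail::/home/vmail/bob::userdb_mail=maildir:/var/mail/vhosts/abc.com/abc_company_03284 nologin
bob@abc.com::vmail:vmail::/home/vmail/bob::userdb_mail=maildir:/var/mail/vhosts/abc.com/abc_company_03284 nologin
"""

def parse_line(line):
    """Split one entry into named fields; extra fields may contain ':'."""
    parts = line.rstrip("\n").split(":", 7)
    parts += [""] * (len(FIELDS) - len(parts))
    return dict(zip(FIELDS, parts))

def lint(text):
    """Return {line_number: [findings]} for every non-comment entry."""
    report = {}
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        entry = parse_line(line)
        findings = []
        if entry["password"] == "":
            findings.append("empty-password")
        # A key=value token in a positional column means the colon count is off.
        for column in FIELDS[2:7]:
            if "=" in entry[column]:
                findings.append("misaligned:" + column)
        keys = [token.split("=", 1)[0] for token in entry["extra"].split()]
        if "nologin" in keys:
            findings.append("nologin")
        findings += ["unknown-key:" + k for k in keys if k not in KNOWN_KEYS]
        report[number] = findings
    return report

if __name__ == "__main__":
    for number, findings in lint(SAMPLE).items():
        print(number, ", ".join(findings) or "ok")
```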


