Dovecot multiple passdb and fail2ban
Joaquin F
joaquinf6400 at gmail.com
Sun May 26 11:08:10 EEST 2019
Objective: different password for remote and local imap login
Version: 2.2.36 (1f10bfa63) on CentOS 7
Users are from Active Directory, mapped to local users via sssd
After much experimentation, I have configured this way:
doveconf -n passdb userdb
passdb {
args = username_format=%Ln /etc/dovecot/remote
driver = passwd-file
skip = authenticated
username_filter = user01 user02
}
passdb {
driver = pam
override_fields = allow_nets=127.0.0.0/8,192.168.1.0/24
skip = authenticated
}
userdb {
driver = passwd
}
If I put the passdbs in the reverse order, I would get failure
messages (when logging in remotely) in /var/log/secure, such as:
auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0
euid=0 tty=dovecot ruser=user02 rhost=xx.xx.xx.xx user=user02
which caused fail2ban to ban that IP.
/etc/fail2ban/jail.local
[dovecot]
enabled = true
port = imap,imaps
If I set "auth_verbose = yes", then I can see messages (when
logging in locally) in /var/log/maillog
dovecot: auth: passwd-file(user02,192.168.1.20,<Na/7f8WJC8HAqAEU>):
Password mismatch
which is probably not a big deal... but seems inefficient?
Question: is there a more elegant way to use different passdb depending on ip?
Thanks in advance.
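To make the order dependence described in the post concrete, the following is an added Python model of the passdb chain from the doveconf output above; it is not Dovecot's code and not the poster's, and it simplifies Dovecot's real behaviour to the points the post relies on: passdbs are tried in order, username_filter keeps user01/user02 on the passwd-file entry, the first success ends the chain, a PAM mismatch is what pam_sss writes to /var/log/secure (and what the fail2ban dovecot jail matches), and override_fields allow_nets only lets a PAM success count from the listed networks. All usernames, passwords, IPs and log strings are constructed sample data.

```python
import ipaddress

# Constructed sample credentials. The passwd-file holds the separate "remote"
# password for the users allowed in from outside; PAM (AD via sssd) holds the
# regular account password of every user.
REMOTE_PASSWD_FILE = {"user01": "remote-pw-1", "user02": "remote-pw-2"}
PAM_PASSWORDS = {"user01": "ad-pw-1", "user02": "ad-pw-2", "user03": "ad-pw-3"}

# override_fields = allow_nets=127.0.0.0/8,192.168.1.0/24 from the post
ALLOW_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]


def passwd_file_passdb(user, password, ip, log):
    """Model of: driver = passwd-file, username_filter = user01 user02."""
    if user not in REMOTE_PASSWD_FILE:
        return None  # filtered out by username_filter: skipped, not a failure
    if REMOTE_PASSWD_FILE[user] == password:
        return True
    # Only visible with auth_verbose = yes; goes to the dovecot log (maillog).
    log.append(f"maillog: auth: passwd-file({user},{ip}): Password mismatch")
    return False


def pam_passdb(user, password, ip, log):
    """Model of: driver = pam, override_fields = allow_nets=..."""
    if PAM_PASSWORDS.get(user) != password:
        # pam_sss logs this to /var/log/secure, which the fail2ban dovecot jail reads.
        log.append(
            f"secure: auth: pam_sss(dovecot:auth): authentication failure; "
            f"ruser={user} rhost={ip} user={user}"
        )
        return False
    # The password was right, but allow_nets restricts where that success counts.
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in ALLOW_NETS):
        log.append(f"maillog: auth: pam({user},{ip}): allow_nets check failed")
        return False
    return True


def authenticate(chain, user, password, ip):
    """Walk the passdb chain in order; the first success ends it (skip = authenticated)."""
    log = []
    for passdb in chain:
        if passdb(user, password, ip, log) is True:
            return True, log
        # None (filtered out) or False (mismatch): fall through to the next passdb
    return False, log


def fail2ban_would_ban(log):
    """Constructed stand-in for the jail: any pam_sss failure in /var/log/secure counts."""
    return any(line.startswith("secure:") and "authentication failure" in line for line in log)


ORDER_CONFIGURED = [passwd_file_passdb, pam_passdb]  # passwd-file first, as in the post
ORDER_REVERSED = [pam_passdb, passwd_file_passdb]    # the order that triggered the bans

if __name__ == "__main__":
    cases = [
        ("remote login, remote password", "user02", "remote-pw-2", "203.0.113.5"),
        ("local login, AD password", "user02", "ad-pw-2", "192.168.1.20"),
        ("remote login, AD password", "user02", "ad-pw-2", "203.0.113.5"),
    ]
    for name, chain in (("configured", ORDER_CONFIGURED), ("reversed", ORDER_REVERSED)):
        print(f"== passdb order: {name}")
        for label, user, pw, ip in cases:
            ok, log = authenticate(chain, user, pw, ip)
            print(f"  {label}: ok={ok} fail2ban_hit={fail2ban_would_ban(log)} log={log}")
```

Running it shows the asymmetry in the post: with PAM first, a remote user presenting the remote password always produces one pam_sss failure in /var/log/secure before the passwd-file accepts the login, so every successful remote login feeds the jail; with passwd-file first, the only noise is the "Password mismatch" line that local users generate in maillog, which fail2ban's dovecot jail does not read from /var/log/secure.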