Restrict IMAP login, but allow Postfix SASL

Paul Kudla (SCOM.CA Internet Services Inc.) paul at scom.ca
Wed Jun 1 11:59:56 UTC 2022


You really need to database your passwd auth.

SASL supports pgsql / mysql.

You can then alter the queries by selecting flags depending on the access you want to allow.

dovecot-pgsql.conf

password_query = SELECT username as user, password FROM email_users WHERE username = '%u' and password <> 'alias' and status = True and destination = '%u'

user_query = SELECT home, uid, gid FROM email_users WHERE username = '%u' and password <> 'alias' and status = True and destination = '%u'

#iterate_query = SELECT user, password FROM email_users WHERE username = '%u' and password <> 'alias' and status = True and destination = '%u'

iterate_query = SELECT "username" as user, domain FROM email_users WHERE status = True and alias_flag = False


postfix

smtpd.conf -> /usr/local/lib/sasl2/smtpd.conf

#Postgres
pwcheck_method: auxprop
mech_list: PLAIN LOGIN
auxprop_plugin: sql
sql_engine: pgsql
sql_hostnames: pg.scom.ca:5433
sql_database: scom_billing
sql_user: xxxx
sql_passwd: xxxx
sql_select: SELECT password FROM email_users WHERE username = '%u@%r' and password <> 'alias' and currentcount_bad < 30 and status = True

I use status to allow disabling the user's ability to log in, but you can easily expand the select statement to include another flag for IMAP user(s).

Happy Wednesday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services <http://www.scom.ca>
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email paul at scom.ca

On 6/1/2022 7:40 AM, dovecot-bounces at dovecot.org wrote:
> 
> Hi,
> 
> we have a very simple user-/passdb (like passwd) to authenticate virtual IMAP users.
> We also use this for Postfix authentication.  Nothing special.
> 
> But, we need to exclude some of the users from IMAP login.
> This means, some users should be allowed to send mail via Postfix (submission) and therefore
> authenticate via SASL against dovecot successfully, but they should not be allowed to login
> to their IMAP mail box.
> 
> How could this be done?
> 
> Thanks!
> -lutzn
> 
> 
> 
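
Added example, not part of the original post or of the poster's configuration: the two lookups from the reply run against a constructed table, with an extra per-user flag checked only on the Dovecot (IMAP) side. The column name imap_allowed, the sample users and the use of SQLite in place of PostgreSQL (so 1/0 instead of True/False, and bound parameters instead of '%u') are assumptions.

```python
import sqlite3

# Constructed stand-in for the email_users table; imap_allowed is a
# hypothetical flag column added for this example.
SCHEMA = """CREATE TABLE email_users (
    username TEXT PRIMARY KEY, password TEXT, destination TEXT,
    status INTEGER, currentcount_bad INTEGER, imap_allowed INTEGER)"""

ROWS = [  # constructed sample users
    # username, password, destination, status, currentcount_bad, imap_allowed
    ("full@example.org", "pw1", "full@example.org", 1, 0, 1),
    ("sendonly@example.org", "pw2", "sendonly@example.org", 1, 0, 0),
    ("disabled@example.org", "pw3", "disabled@example.org", 0, 0, 1),
    ("locked@example.org", "pw4", "locked@example.org", 1, 30, 1),
    ("alias@example.org", "alias", "full@example.org", 1, 0, 1),
]

# Dovecot side: the post's password_query with the extra flag appended.
DOVECOT_QUERY = """SELECT username AS user, password FROM email_users
    WHERE username = ? AND password <> 'alias' AND status = 1
    AND destination = ? AND imap_allowed = 1"""

# Cyrus SASL side (Postfix submission): the post's sql_select, unchanged,
# so the flag does not affect SMTP AUTH. '%u@%r' is passed as one string.
SASL_QUERY = """SELECT password FROM email_users
    WHERE username = ? AND password <> 'alias'
    AND currentcount_bad < 30 AND status = 1"""

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO email_users VALUES (?,?,?,?,?,?)", ROWS)
    return db

def can_imap(db, user):
    # A row returned means Dovecot has a passdb entry to verify against.
    return db.execute(DOVECOT_QUERY, (user, user)).fetchone() is not None

def can_submit(db, user):
    return db.execute(SASL_QUERY, (user,)).fetchone() is not None

def access_matrix(db):
    return {r[0]: (can_imap(db, r[0]), can_submit(db, r[0])) for r in ROWS}

if __name__ == "__main__":
    for user, (imap, smtp) in access_matrix(make_db()).items():
        print(f"{user:24} imap={imap!s:5} submission={smtp}")
```

The locked@example.org row shows a side effect of keeping two separate queries: the failed-login counter is enforced only where the query checks it, so each restriction has to be repeated in every lookup it should apply to.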

