Restrict IMAP login, but allow Postfix SASL
Anne Bennett
anne at encs.concordia.ca
Wed Jun 1 15:35:59 UTC 2022
> we have a very simple user-/passdb (like passwd) to authenticate virtual IMAP users.
> We also use this for Postfix authentication. Nothing special.
>
> But, we need to exclude some of the users from IMAP login.
> How could this be done?
There's a facility to add arbitrary code to the imap login process,
e.g., in "10-master.conf":
    service imap-postlogin {
      executable = script-login /local/bin/imap-wrapper
      user = $default_internal_user
      unix_listener imap-postlogin {
      }
    }
In our case, "/local/bin/imap-wrapper" is a Perl script that
checks the user's login shell, and if it is one of our "blocked"
shells, returns:
    print "* NO [ALERT] Your account has expired, and access to it has been suspended. ".$msg_helpdesk_refer;
    exit 1;
otherwise it execs the command given in its arguments.
More info is at:
https://doc.dovecot.org/admin_manual/post_login_scripting/
Anne.
--
Ms. Anne Bennett, Senior Sysadmin, ENCS, Concordia University, Montreal H3G 1M8
anne at encs.concordia.ca +1 514 848-2424 x2285
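
Added example (not part of the original message, and not the Perl script it describes): a shell sketch of such a post-login wrapper. It assumes script-login exports the login name in $USER and that accounts live in a passwd-format file; the blocked shell paths and the PASSWD_FILE variable are hypothetical.

```shell
#!/bin/sh
# Post-login wrapper sketch for Dovecot's script-login (added example).
# Assumptions: script-login exports the login name in $USER, the account
# data is a passwd-format file, and the "blocked" shell paths are made up.

PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
BLOCKED_SHELLS="/local/bin/expired-shell /local/bin/suspended-shell"  # hypothetical

# Print the 7th passwd field for an exact match on the login name.
# Returns non-zero when the user has no entry.
login_shell_of() {
    LOOKUP="$1" awk -F: '$1 == ENVIRON["LOOKUP"] { print $7; found = 1; exit }
                         END { exit !found }' "$2"
}

# Decide for one user: prints "allow" or "deny". Unknown users are denied,
# so a failed lookup never results in access being granted.
imap_decision() {
    shell=$(login_shell_of "$1" "$2") || { echo deny; return 0; }
    for blocked in $BLOCKED_SHELLS; do
        if [ "$shell" = "$blocked" ]; then echo deny; return 0; fi
    done
    echo allow
}

main() {
    if [ "$(imap_decision "${USER:-}" "$PASSWD_FILE")" = deny ]; then
        printf '* NO [ALERT] Your account has expired, and access to it has been suspended.\r\n'
        exit 1
    fi
    exec "$@"   # hand over to the command script-login passed in (the imap binary)
}

# script-login always passes the next command as arguments; with none
# (for example when the file is sourced by a test) nothing is executed.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Per the Dovecot page linked above, the imap service must also name the listener (executable = imap imap-postlogin) for the wrapper to run. Postfix SASL goes through Dovecot's auth service and never reaches this script.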