"j.emerlik" <j.emerlik at gmail.com> writes:> I would like to prepare postlogin a script that allow imap connection to > roundcube for all but restrict imap access for selected users."from" roundcube?> Is possible in condition IF use IP addresses as range or with mask (because > I've more than one web servers) ?Of course -- many ways to skin this cat. If you have only a handful of IPs case "$IP" in 12.34.56.78) exec "$@";; 23.45.67.89) exec "$@";; ... esac If you have CIDR that align neatly on octet boundaries case "$IP" in 12.34.56.*) exec "$@";; 23.45.67.*) exec "$@";; ... esac The toughest situation (using script techniques) is for CIDR ranges just shy of a full octet boundary e.g. /25. You can use "cut -d .", "IFS=." or "expr" to break the IP into octets, then test the components. e.g. 12.34.56.0/25 # Example 1 PART1=`echo $IP | cut -d. -f1,2,3` PART2=`echo $IP | cut -d. -f4` [ "$PART1" = "12.34.56" -a "$PART2" -ge 0 -a "$PART2" -le 127 ] && exec "$@" # Example 2 PART2=`expr "$IP" : '.*\.\([0-9]*\)' expr "$IP" : "12.34.56." && [ "$PART2" -ge 0 -a "$PART2" -le 127 ] && exec "$@" # Example 3 (dodgy, I haven't fully thought this through) `echo "$IP" | { IFS=. read a b c PART2; [ "$a.$b.$c" = "12.34.56" -a "$PART2" -ge 0 -a "$PART2" -le 127 ] && echo "exec $@"; }` If you have a busy IMAP server, you'll probably want to use Aki's passdb solution instead, rather than incurring the execution overhead for each and every authentication. Joseph Tam <jtam.home at gmail.com>

On 11/10/2017 11:03 PM, Joseph Tam wrote:
>
> The toughest situation (using script techniques) is for
> CIDR ranges just shy of a full octet boundary e.g. /25.

Actually there is a great tool for that, grepcidr

$ echo 10.11.12.127 | grepcidr 10.11.12.0/25 && echo OK
10.11.12.127
OK
$ echo 10.11.12.128 | grepcidr 10.11.12.0/25 && echo OK
$

But in your case you really probably should use postgres for the userdb
and just return everything from there in user fields / extra fields, and if
the logic doesn't fit in a simple query you can put it in a stored
procedure. That will likely be more efficient.

Awesome, thanks!

Sent from my mobile device please excuse.

11.11.2017 2:48 PM "Gedalya" <gedalya at gedalya.net> wrote:

> On 11/10/2017 11:03 PM, Joseph Tam wrote:
> >
> > The toughest situation (using script techniques) is for
> > CIDR ranges just shy of a full octet boundary e.g. /25.
>
> Actually there is a great tool for that, grepcidr
>
> $ echo 10.11.12.127 | grepcidr 10.11.12.0/25 && echo OK
> 10.11.12.127
> OK
> $ echo 10.11.12.128 | grepcidr 10.11.12.0/25 && echo OK
> $
>
> But in your case you really probably should use postgres for the userdb
> and just return everything from there in user fields / extra fields, and if
> the logic doesn't fit in a simple query you can put it in a stored
> procedure. That will likely be more efficient.

I finally used it like this:
case $IP in
    10.120.12[0-7].*) exec "$@" ;;
    111.111.11.4[0-9]) exec "$@" ;;
esac
Thanks a lot
Regards,
Jacek
case $IP in
    10.120.12[0-7].*) exec "$@" ;;
    195.150.13.4[0-9]) exec "$@" ;;
esac
2017-11-10 23:03 GMT+01:00 Joseph Tam <jtam.home at gmail.com>:
> "j.emerlik" <j.emerlik at gmail.com> writes:
>
>> I would like to prepare postlogin a script that allow imap connection to
>> roundcube for all but restrict imap access for selected users.
>>
>
> "from" roundcube?
>
>> Is possible in condition IF use IP addresses as range or with mask (because
>> I've more than one web servers) ?
>>
>
> Of course -- many ways to skin this cat.
>
> If you have only a handful of IPs
>
>         case "$IP" in
>                 12.34.56.78) exec "$@";;
>                 23.45.67.89) exec "$@";;
>                 ...
>         esac
>
> If you have CIDR that align neatly on octet boundaries
>
>         case "$IP" in
>                 12.34.56.*) exec "$@";;
>                 23.45.67.*) exec "$@";;
>                 ...
>         esac
>
> The toughest situation (using script techniques) is for
> CIDR ranges just shy of a full octet boundary e.g. /25.  You can use
> "cut -d .", "IFS=." or "expr" to break the IP into octets,
> then test the components.  e.g. 12.34.56.0/25
>
>         # Example 1
>         PART1=`echo $IP | cut -d. -f1,2,3`
>         PART2=`echo $IP | cut -d. -f4`
>         [ "$PART1" = "12.34.56" -a "$PART2" -ge 0 -a "$PART2" -le 127 ] && exec "$@"
>
>         # Example 2
>         PART2=`expr "$IP" : '.*\.\([0-9]*\)'`
>         expr "$IP" : "12.34.56." >/dev/null && [ "$PART2" -ge 0 -a "$PART2" -le 127 ] && exec "$@"
>
>         # Example 3 (dodgy, I haven't fully thought this through)
>         `echo "$IP" | { IFS=. read a b c PART2; [ "$a.$b.$c" = "12.34.56" -a "$PART2" -ge 0 -a "$PART2" -le 127 ] && echo "exec $@"; }`
>
> If you have a busy IMAP server, you'll probably want to use Aki's passdb
> solution instead, rather than incurring the execution overhead for each
> and every authentication.
>
> Joseph Tam <jtam.home at gmail.com>
>
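
Added example, not code from any poster in this thread: a CIDR test in plain POSIX sh that handles prefixes off an octet boundary (the /25 case discussed above) without an external tool, and treats an empty or malformed $IP as "no match" so the gate fails closed. The function names and the WEBMAIL_NETS variable are assumptions for illustration; the two ranges are the sample ones used in the thread, and 64-bit shell arithmetic is assumed.

```sh
# Added example: pure-sh CIDR matching for a post-login script.
# Assumes 64-bit shell arithmetic (bash, dash, busybox ash on current systems).

# ip_to_int A.B.C.D -> prints the address as an integer; returns 1 if malformed.
ip_to_int() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                       # safe: only digits and dots remain
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;
            *) return 1 ;;          # leading zeros would be read as octal
        esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr IP NET/BITS -> 0 inside, 1 outside, 2 malformed input.
ip_in_cidr() {
    case "$2" in */*) ;; *) return 2 ;; esac
    net=${2%/*}; bits=${2#*/}
    case "$bits" in ""|*[!0-9]*|0?*|???*) return 2 ;; esac
    [ "$bits" -le 32 ] || return 2
    ip_n=$(ip_to_int "$1") || return 2
    net_n=$(ip_to_int "$net") || return 2
    mask=0                          # /0 matches every address
    [ "$bits" -eq 0 ] || mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip_n & mask )) -eq $(( net_n & mask )) ]
}

# Constructed allow-list: the two sample /25 ranges used in the thread.
WEBMAIL_NETS="12.34.56.0/25 10.11.12.0/25"

# client_allowed IP -> 0 only if IP is in a listed range; an empty or
# malformed IP is never allowed. In the post-login script this would be
# used as: client_allowed "$IP" && exec "$@"
client_allowed() {
    for cidr in $WEBMAIL_NETS; do
        ip_in_cidr "$1" "$cidr" && return 0
    done
    return 1
}
```

As with the case-based versions above, this still runs once per login, so the per-authentication overhead mentioned in the thread applies here too.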