Mart Pirita
2007-Jun-16 08:28 UTC
[Dovecot] Per user based protocol access and pause after failed login?
Hello. Tried search, no luck, sorry if this is already answered, but I'm still looking for a solution using pam_auth to define in dovecot which user can access which protocol. For example, the default is:

    protocols = pop3 pop3s imap imaps

I'd like to use something like this:

    exclude_using_pop = user1, user2, @group
    exclude_using_pops = user1, user2, @group
    exclude_using_imap = user1, user2, @group
    exclude_using_imaps = user1, user2, @group

The idea is security and also preventing an imap user from accidentally logging in using pop3 and downloading (clearing the inbox for imap) the whole inbox. And also some throttling, for example an adjustable time to pause access after a failed login etc., would be great.

-- Mart
Timo Sirainen
2007-Jun-16 08:51 UTC
[Dovecot] Per user based protocol access and pause after failed login?
On Sat, 2007-06-16 at 11:28 +0300, Mart Pirita wrote:
> I'd like to use something like this:
>
> exclude_using_pop = user1, user2, @group
> exclude_using_pops = user1, user2, @group
> exclude_using_imap = user1, user2, @group
> exclude_using_imaps = user1, user2, @group

http://wiki.dovecot.org/Authentication/RestrictAccess
Mart Pirita
2007-Jun-16 11:18 UTC
[Dovecot] Per user based protocol access and pause after failed login?
Tere.

> http://wiki.dovecot.org/Authentication/RestrictAccess

This one:

    auth required pam_listfile.so item=user sense=allow file=/etc/imapusers onerr=fail

Ok, that is close, but how to allow some users to use only imaps and not imap? Same question about pops/pop also. Or is it possible to force a nonsecure to a secure connection?

-- Mart
Mart Pirita
2007-Jun-16 22:16 UTC
[Dovecot] Per user based protocol access and pause after failed login?
Tere.

> %c expands to "secured" or empty. So you could use eg.
> passdb pam {
>   args = %s%c
> }
>
> and create imap, imapsecured, pop3, pop3secured
>

Better, so for example user1 can access only imaps. Using your suggestion, I have to list all users except user1 in imap, pop3, pop3secured. But it should work also the other way, that by default all users are allowed to use all protocols and then I exclude user1 from imap, pop3, pop3secured. So I tried:

    passdb pam {
      args = %s%c
    }

/etc/pam.d/ includes imap, imapsecured, pop3, pop3secured files which include:

    auth required pam_nologin.so
    auth required pam_stack.so service=system-auth
    account required pam_stack.so service=system-auth
    session required pam_stack.so service=system-auth

and only imapsecured has this line:

    auth required pam_listfile.so item=user sense=deny file=/etc/imapsusers onerr=succeed

and /etc/imapsusers includes user1

But now even a pop user can't log in :(.

-- Mart
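The scheme this thread converges on (PAM service name built from %s%c, one pam_listfile deny list per service), modelled as an added stand-alone example; this is not the poster's files nor Dovecot code. Only the pam_listfile allow/deny decision is simulated (pam_stack/system-auth is left out), and the file paths, users and the policy (user1 may use only imapsecured) are constructed for the example.

```python
"""Model of the per-service PAM layout discussed in the thread: Dovecot
hands PAM the service name %s%c ("imap", "imapsecured", "pop3",
"pop3secured") and each /etc/pam.d/<service> stack may carry a
pam_listfile line.  Only pam_listfile is modelled; all paths, users and
the policy below are constructed for this example."""
import os
import tempfile

SERVICES = ("imap", "imapsecured", "pop3", "pop3secured")

def pam_service_name(protocol, secured):
    # Dovecot's %s%c: protocol plus "secured" when the client is on TLS.
    return protocol + ("secured" if secured else "")

def listfile_check(user, sense, path, onerr):
    # pam_listfile item=user: sense=allow succeeds iff user is listed,
    # sense=deny succeeds iff user is NOT listed; unreadable file -> onerr
    # (the thread's onerr=succeed would let everyone through in that case).
    try:
        with open(path) as fh:
            listed = user in {ln.strip() for ln in fh if ln.strip()}
    except OSError:
        return onerr == "succeed"
    return listed if sense == "allow" else not listed

def write_deny_files(policy, directory):
    # policy: user -> set of services the user may use (others are denied).
    # One sense=deny file per service, listing every user excluded from it.
    stacks = {}
    for svc in SERVICES:
        path = os.path.join(directory, svc + ".deny")  # constructed path
        with open(path, "w") as fh:
            fh.writelines(u + "\n" for u, ok in policy.items() if svc not in ok)
        stacks[svc] = [("deny", path, "fail")]  # auth required pam_listfile.so ...
    return stacks

def pam_auth(stacks, service, user):
    # Every 'required' line must succeed; a service with no stack is refused.
    if service not in stacks:
        return False
    return all(listfile_check(user, s, p, o) for s, p, o in stacks[service])

def evaluate(policy, users):
    # Returns {(user, protocol, secured): allowed}; users absent from the
    # policy are on no deny list and pass every service.
    with tempfile.TemporaryDirectory() as d:
        stacks = write_deny_files(policy, d)
        return {(u, p, s): pam_auth(stacks, pam_service_name(p, s), u)
                for u in users for p in ("imap", "pop3") for s in (False, True)}

if __name__ == "__main__":
    for k, v in sorted(evaluate({"user1": {"imapsecured"}}, ("user1", "user2")).items()):
        print(k, "allowed" if v else "denied")
```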