Hi,
I have been reading the acl documentation and it seems that a "connect acl" is not available.

I need to limit the users that can login in an IP number, is that possible with dovecot 1.0? (i.e. only these users can login from the Internet)
Or a new plugin should be written? It is complicated to do that?

Thanks
Oliver

-- 
Oliver Schulze L. | http://tinymailto.com/oliver
Asuncion - Paraguay | http://www.solojuegos.mobi

On 6/2/07, Oliver Schulze L. <oliver at samera.com.py> wrote:
>
> I need to limit the users that can login in an IP number, is that
> possible with dovecot 1.0? (i.e. only these users can login from the Internet)
> Or a new plugin should be written? It is complicated to do that?
>

Might look at using perdition to front end your imap sessions or wrapping the imap shell script/batch file to a degree (exporting RIP to the environment would be great).

What sort of response would the imap server give? Obviously you allow all sessions to connect else you would handle this with iptables, and when the user/pass/cert is validated and you have the user:rip what response would you give the client? Any security issues are moot since the user/pass is over the wire in order to determine if they have access.

-- 
Gabriel Millerd

On Sat, 2007-06-02 at 10:47 -0400, Oliver Schulze L. wrote:
> Hi,
> I have been reading the acl documentation and it seems that a "connect acl"
> is not available.
>
> I need to limit the users that can login in an IP number, is that
> possible with dovecot 1.0? (i.e. only these users can login from the Internet)

Do you mean something like http://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets (and http://wiki.dovecot.org/PasswordDatabase/ExtraFields)?

> Or a new plugin should be written? It is complicated to do that?

dovecot-auth doesn't really support such plugins. You could let the user log in normally and then check the IP and disconnect if it's wrong (http://wiki.dovecot.org/PostLoginScripting) but that of course tells the user that the user/pass was correct and the IP was just wrong.

Hi Gabriel,
thanks for the suggestion. Will be researching about "perdition", google should help.

My idea is to open only IMAPS port to the internet, and then limit only a few users to check their email from home.

Thanks
Oliver

Gabriel Millerd wrote:
> What sort of response would the imap server give? Obviously you
> allow all sessions to connect else you would handle this with
> iptables, and when the user/pass/cert is validated and you have the
> user:rip what response would you give the client? Any security issues
> are moot since the user/pass is over the wire in order to determine if
> they have access.
>

-- 
Oliver Schulze L. | http://tinymailto.com/oliver
Asuncion - Paraguay | http://www.solojuegos.mobi

Oliver Schulze L. wrote:
> Hi Gabriel,
> thanks for the suggestion. Will be researching about "perdition",
> google should help.
>
> My idea is to open only IMAPS port to the internet, and then limit only
> a few users to check their email from home.

you can run dovecot twice (one instance for the LAN and one for the internet), each with its list of users/passwords...

I got the response from Timo, in the shell script I can use the variable $IP which holds the remote IP (rip from syslog) so, doing a grep with the $IP and the subnet will do the trick.

Will update the wiki when it's done.

Thanks
Oliver

mouss wrote:
> Oliver Schulze L. wrote:
>> Hi Gabriel,
>> thanks for the suggestion. Will be researching about "perdition",
>> google should help.
>>
>> My idea is to open only IMAPS port to the internet, and then limit only
>> a few users to check their email from home.
>
>
> you can run dovecot twice (one instance for the LAN and one for the
> internet), each with its list of users/passwords...

-- 
Oliver Schulze L. | http://tinymailto.com/oliver
Asuncion - Paraguay | http://www.solojuegos.mobi

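The post-login check discussed in this thread, as an added example that is not code from any of the posters or from the Dovecot project: it compares $IP against the subnet numerically rather than with grep, because a text match on a prefix such as 192.168.1 also matches 192.168.10.5. The networks, user names and imap binary path are constructed or assumed values, $USER is assumed to hold the login name, and only IPv4 addresses are handled.

```shell
#!/bin/sh
# Added example: post-login wrapper limiting which users may log in from outside the LAN.
LAN_NETS="192.168.0.0/24"            # constructed: networks every user may log in from
REMOTE_USERS="oliver alice"          # constructed: users also allowed from anywhere else
IMAP_BIN=/usr/libexec/dovecot/imap   # assumed install path of the real imap binary

# Print a dotted-quad IPv4 address as an integer; fail on anything malformed.
ip_to_int() (
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case "$o" in 0?*|????*) exit 1 ;; esac   # no leading zeros (octal), max 3 digits
        [ "$o" -le 255 ] || exit 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr ADDRESS NETWORK/BITS: succeed only if ADDRESS is inside the network.
in_cidr() (
    net=${2%/*}; bits=${2#*/}
    case "$bits" in ''|*[!0-9]*|0?*|???*) exit 1 ;; esac
    [ "$bits" -le 32 ] || exit 1
    ip=$(ip_to_int "$1") || exit 1
    net=$(ip_to_int "$net") || exit 1
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
)

# login_allowed USER ADDRESS: LAN addresses pass for everyone, others only for REMOTE_USERS.
login_allowed() (
    ip_to_int "$2" >/dev/null || exit 1      # unparsable address: refuse
    for n in $LAN_NETS; do in_cidr "$2" "$n" && exit 0; done
    for u in $REMOTE_USERS; do [ "$u" = "$1" ] && exit 0; done
    exit 1
)

# Acts only when Dovecot has set IP (named in the thread) and USER (assumed).
if [ -n "${IP:-}" ] && [ -n "${USER:-}" ]; then
    login_allowed "$USER" "$IP" && exec "$IMAP_BIN"
    echo "imap-wrapper: refused $USER from $IP" >&2
    exit 1
fi
```

As Timo's reply points out, a refusal at this stage comes after the password has been accepted, so the client can tell the credentials were valid.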