Hi,

When using dovecot for authentication of an SASL (postfix) request, I
cannot use the allow_nets parameter. The IP-address of the requester is
not known in dovecot.

I would like to allow sasl for certain users, others are not allowed to
access via SASL.
Some users can have access to imap and pop3 from certain IP-addresses.

How could I combine this in the dovecot configuration?

--
Best regards,

Marc

On Mon, 2007-12-03 at 14:36 +0100, Marc Cuypers wrote:
> When using dovecot for authentication of an SASL (postfix) request, I
> cannot use the allow_nets parameter. The IP-address of the requester is
> not known in dovecot.
>
> I would like to allow sasl for certain users, others are not allowed to
> access via SASL.
> Some users can have access to imap and pop3 from certain IP-addresses.
>
> How could I combine this in the dovecot configuration?

Since Postfix doesn't send the IP to Dovecot, there isn't anything on
Dovecot's side you can do. You could try asking about this in Postfix
list. Someone at least had a patch which allowed sending local IP to
Dovecot (http://marc.info/?t=119306971600010&r=1&w=2). Maybe it sends
remote IP as well.

Timo Sirainen wrote:
> On Mon, 2007-12-03 at 14:36 +0100, Marc Cuypers wrote:
>> When using dovecot for authentication of an SASL (postfix) request, I
>> cannot use the allow_nets parameter. The IP-address of the requester is
>> not known in dovecot.
>>
>> I would like to allow sasl for certain users, others are not allowed to
>> access via SASL.
>> Some users can have access to imap and pop3 from certain IP-addresses.
>>
>> How could I combine this in the dovecot configuration?
>
> Since Postfix doesn't send the IP to Dovecot, there isn't anything on
> Dovecot's side you can do. You could try asking about this in Postfix
> list. Someone at least had a patch which allowed sending local IP to
> Dovecot (http://marc.info/?t=119306971600010&r=1&w=2). Maybe it sends
> remote IP as well.
>

Would it be possible to use a different authentication method for
pop/imap and sasl?

--
Marc

> Timo Sirainen wrote:
> > On Mon, 2007-12-03 at 14:36 +0100, Marc Cuypers wrote:
> >> When using dovecot for authentication of an SASL (postfix) request, I
> >> cannot use the allow_nets parameter. The IP-address of the requester is
> >> not known in dovecot.
> >>
> >> I would like to allow sasl for certain users, others are not allowed to
> >> access via SASL.
> >> Some users can have access to imap and pop3 from certain IP-addresses.
> >>
> >> How could I combine this in the dovecot configuration?
> >
> > Since Postfix doesn't send the IP to Dovecot, there isn't anything on
> > Dovecot's side you can do. You could try asking about this in Postfix
> > list. Someone at least had a patch which allowed sending local IP to
> > Dovecot (http://marc.info/?t=119306971600010&r=1&w=2). Maybe it sends
> > remote IP as well.

I wrote that patch. It passes both endpoints (remote & local) through to
dovecot. This lets you restrict smtp-auth just like pop3 or imap using
the remote IP.

In my case, I had played around with a quick hack for doing per-ip
realming (using the local IP) w/ dovecot-sql.

On Dec 3, 2007 7:36 AM, Marc Cuypers <m.cuypers at mgvd.be> wrote:
> Hi,
>
> When using dovecot for authentication of an SASL (postfix) request, I
> cannot use the allow_nets parameter. The IP-address of the requester is
> not known in dovecot.
>
> I would like to allow sasl for certain users, others are not allowed to
> access via SASL.
> Some users can have access to imap and pop3 from certain IP-addresses.
>
> How could I combine this in the dovecot configuration?
>
> --
> Best regards,
>
> Marc
>

You can do this in postfix main.cf using the
smtpd_sasl_exceptions_networks parameter. Normally this parameter lists
networks *not* allowed to use AUTH, but you can exempt certain hosts by
preceding them with a "!". Note that order matters, here; exceptions
must come before the static:all entry.

For example, to offer AUTH only to 192.0.2.0-192.0.2.255:

    # main.cf
    smtpd_sasl_exceptions_networks = !192.0.2.0/24 static:all

See also
http://www.postfix.org/postconf.5.html#smtpd_sasl_exceptions_networks

Or for an alternative method:
http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps

--
Noel Jones
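
Added example (not part of the thread and not Postfix's own code): a simplified Python model of how the smtpd_sasl_exceptions_networks value in the message above is evaluated, showing why the "!" exception has to come before static:all. It assumes left-to-right, first-match-wins list matching and handles only IP/CIDR patterns and static:all; the function name auth_offered and the sample client addresses are constructed for illustration.

```python
import ipaddress


def auth_offered(exceptions: str, client_ip: str) -> bool:
    """Return True if AUTH would be offered to client_ip.

    Simplified model: the list names clients that do NOT get AUTH.
    Patterns are tried left to right and the first match decides.
    A match on "!pattern" takes the client out of the list (AUTH offered);
    a match on a plain pattern puts it in the list (AUTH withheld).
    """
    addr = ipaddress.ip_address(client_ip)
    for pattern in exceptions.replace(",", " ").split():
        negated = pattern.startswith("!")
        body = pattern[1:] if negated else pattern
        if body == "static:all":
            matched = True  # a static: table returns a result for every key
        else:
            # strict=False accepts host bits, e.g. 192.0.2.1/24
            matched = addr in ipaddress.ip_network(body, strict=False)
        if matched:
            return negated
    # Nothing matched: the client is not an exception, so AUTH is offered.
    return True


if __name__ == "__main__":
    as_posted = "!192.0.2.0/24 static:all"
    reversed_order = "static:all !192.0.2.0/24"
    # Constructed sample clients: one inside the allowed /24, one outside.
    for ip in ("192.0.2.25", "198.51.100.7"):
        print(ip, "as posted:", auth_offered(as_posted, ip),
              "| reversed:", auth_offered(reversed_order, ip))
```

With the order reversed, static:all matches first and no client is offered AUTH, including the 192.0.2.0/24 hosts the exception was meant to allow.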