Simone Marx :: Edinet Srl
2013-May-29 08:37 UTC
[Dovecot] Enable IMAP only for certain users/IP
Hi,
I'm trying to configure dovecot to enable the IMAP protocol only for certain IPs and users.
The logical steps I've followed are:
1. If a user is trying to log in from an IP that I've authorized (listed in a file), the request is authorized.
2. If not, if the user is listed in a second file, the request is authorized.
3. If this check also fails, the request is rejected.

I'm using PAM for passdb and a passwd-file for userdb:

passdb {
  driver = pam
  args = session=yes failure_show_msg=yes max_requests=16 cache_key=%u%r%l dovecot-%s
}

userdb {
  driver = passwd-file
  args = /etc/passwd-dovecot
}

In /etc/pam.d/ there are two files:
dovecot-pop3
dovecot-imap

dovecot-pop3:

#%PAM-1.0
@include common-auth
@include common-account
@include common-session

(for this protocol everything works fine, I don't want to limit it.)

dovecot-imap:

#%PAM-1.0
@include common-auth
auth sufficient pam_listfile.so item=rhost sense=allow file=/etc/dovecot/imaphosts onerr=fail
auth required pam_listfile.so item=user sense=allow file=/etc/dovecot/imapusers onerr=fail
@include common-account
@include common-session

If I'm not wrong, once the user is authenticated, PAM checks if the remote IP address is in imaphosts; if it is, it returns PAM_SUCCESS and stops the execution of the auth block; if it isn't, PAM executes the next line, verifying the presence of the username in the imapusers file; if found, it returns PAM_SUCCESS, else it fails.

If this can work, I have a problem with pam_listfile.so and IP addresses: I want to do something smarter than specifying 2^11 IP addresses instead of a /21 or IP/netmask.

Are there alternatives for doing it better?

Thanks.

Sincerely,
Simone Marx.
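The three-step policy described in the post, written out as an added example (not code from the thread, not a PAM module and not part of Dovecot): the remote host is matched against CIDR networks instead of one address per line, a listed user is accepted from anywhere, and any malformed entry or address denies the login, mirroring pam_listfile's onerr=fail. The two list contents are constructed stand-ins for /etc/dovecot/imaphosts and /etc/dovecot/imapusers.

```python
import ipaddress

# Constructed sample allow-lists; one entry per line, '#' starts a comment.
IMAPHOSTS = """\
# one /21 instead of 2^11 individual addresses
198.51.100.0/21
192.0.2.0/24
203.0.113.7
"""
IMAPUSERS = """\
alice
bob   # allowed to use IMAP from any address
"""


def _strip(line):
    """Drop comments and surrounding whitespace from one list line."""
    return line.split("#", 1)[0].strip()


def parse_networks(text):
    """Parse host/network entries; a bare address becomes a /32 or /128.
    A malformed entry raises ValueError so the caller can fail closed."""
    return [ipaddress.ip_network(_strip(l), strict=False)
            for l in text.splitlines() if _strip(l)]


def parse_users(text):
    """Return the set of listed usernames."""
    return {_strip(l) for l in text.splitlines() if _strip(l)}


def imap_login_allowed(user, rhost, hosts_text=IMAPHOSTS, users_text=IMAPUSERS):
    """Step 1: allow if rhost lies inside an allowed network (the 'sufficient'
    line). Step 2: otherwise allow if the user is listed (the 'required' line).
    Step 3: otherwise deny. Unparsable input of any kind denies (onerr=fail)."""
    try:
        addr = ipaddress.ip_address(rhost)
        if any(addr in net for net in parse_networks(hosts_text)):
            return True
        return user in parse_users(users_text)
    except ValueError:
        return False
```

A login from 198.51.100.200 by an unlisted user is accepted because it falls inside 198.51.100.0/21, while the same user from 10.0.0.5 is refused; a corrupt network entry refuses even a listed user.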
On 29.05.2013 10:37, Simone Marx :: Edinet Srl wrote:
> Are there alternatives for doing it better?
you may have a look at http://wiki.dovecot.org/Authentication/RestrictAccess

Best Regards
Kind regards
Robert Schetterer

-- 
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein