Zhang Huangbin
2019-Apr-30 06:20 UTC
Feature request: exclude IP/network in allow_nets extra field
> On Apr 30, 2019, at 11:21 AM, @lbutlr via dovecot <dovecot at dovecot.org> wrote:
>
> On 29 Apr 2019, at 19:56, Zhang Huangbin via dovecot <dovecot at dovecot.org> wrote:
>> Recently we need to allow some users to login from everywhere except some IP/networks,
>
> Can you use firewall rules for this?

I suppose not. We don't restrict ALL users this way, just a few of them. And the client IP addresses may change frequently, not static IPs.

>> how can we accomplish this with "allow_nets"?
>
> Allow_nets specifies allowed networks. Doesn't say anything else about any other use.
>
> "The allow_nets field is a comma separated list of IP addresses and/or networks where the user is allowed to log in from."

I understand what "allow" means. But it would be very handy to support something like "!a.b.c.d" to allow all but exclude just a few IPs/networks. Isn't it? :)
Malcolm
2019-Apr-30 06:32 UTC
Feature request: exclude IP/network in allow_nets extra field
On 4/29/2019 11:20 PM, Zhang Huangbin via dovecot wrote:
> I understand what "allow" means. But it will be very handy to
> support something like "!a.b.c.d" to allow all but just exclude few
> IPs/networks. Isn't it? :)

I'm not sure why:

    iptables -A INPUT -p tcp --match multiport --syn ! -s a.b.c.d/netmask \
        --dports 110,143,993,995 -j REJECT

doesn't do what you want. Or do you want some kind of "friendlier" message to be provided once the user(s) log in from the blocked IP#s to tell them why they can't log in?

=M=
@lbutlr
2019-Apr-30 09:39 UTC
Feature request: exclude IP/network in allow_nets extra field
On 30 Apr 2019, at 00:20, Zhang Huangbin via dovecot <dovecot at dovecot.org> wrote:
> On Apr 30, 2019, at 11:21 AM, @lbutlr via dovecot <dovecot at dovecot.org> wrote:
>>
>> On 29 Apr 2019, at 19:56, Zhang Huangbin via dovecot <dovecot at dovecot.org> wrote:
>>> Recently we need to allow some users to login from everywhere except some IP/networks,
>>
>> Can you use firewall rules for this?
>
> I suppose not. We don't restrict ALL users this way, just few of them.

This is sounding odder and odder.

> And the client IP addresses may change frequently, not static IPs.

And? How is that an issue? Either way you are going to have to change a configuration. At least with a firewall, you don't have to reload dovecot each time.

>>> how can we accomplish this with "allow_nets"?
>>
>> Allow_nets specifies allowed networks. Doesn't say anything else about any other use.
>>
>> "The allow_nets field is a comma separated list of IP addresses and/or networks where the user is allowed to log in from."
>
> I understand what "allow" means. But it will be very handy to support something like "!a.b.c.d" to allow all but just exclude few IPs/networks. Isn't it? :)

I cannot imagine a case where I would find this useful, no.

-- 
"You never really understand a person until you see things from his point of view, until you climb inside of his skin and walk around in it."
Zhang Huangbin
2019-May-01 02:21 UTC
Feature request: exclude IP/network in allow_nets extra field
> On Apr 30, 2019, at 2:32 PM, Malcolm via dovecot <dovecot at dovecot.org> wrote:
>
> On 4/29/2019 11:20 PM, Zhang Huangbin via dovecot wrote:
>> I understand what "allow" means. But it will be very handy to support something like "!a.b.c.d" to allow all but just exclude few
>> IPs/networks. Isn't it? :)
> I'm not sure why:
>
> iptables -A INPUT -p tcp --match multiport --syn ! -s a.b.c.d/netmask \
> --dports 110,143,993,995 -j REJECT

Dear Malcolm,

Thanks for your reply. As mentioned earlier, this is per-user access control, not for all users. This firewall rule blocks all users, not just a few users.
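Editor's added example, not part of the thread and not Dovecot code: the thread quotes allow_nets as "a comma separated list of IP addresses and/or networks where the user is allowed to log in from". That is enough to express "everywhere except X" per user without a new "!" syntax: enumerate the complement of the excluded networks as CIDR blocks and put that list in the user's allow_nets field. The script below builds such a value with Python's standard ipaddress module and then checks sample client addresses against it the way an allow-list would. The excluded ranges (203.0.113.0/24, 2001:db8:bad::/48) are documentation addresses chosen for the example; whether a given passdb backend has a length limit on the extra field is not something this thread establishes, so check that for your backend before relying on long lists.

```python
import ipaddress

# Added example (not Dovecot's code): emulate "allow from everywhere except
# these networks" using only an allow-list of CIDR blocks, by computing the
# complement of the excluded networks. Ranges used are documentation ranges.


def _subtract(nets, ex):
    """Remove network `ex` from every network in `nets`, splitting as needed."""
    out = []
    for n in nets:
        if n.version != ex.version:
            out.append(n)                      # other address family: untouched
        elif ex.subnet_of(n):
            out.extend(n.address_exclude(ex))  # carve ex out of n (empty if ex == n)
        elif n.subnet_of(ex):
            continue                           # n lies entirely inside ex: drop
        else:
            out.append(n)                      # disjoint: keep as is
    return out


def allow_nets_excluding(excluded, universe=("0.0.0.0/0", "::/0")):
    """Return an allow_nets value covering everything in `universe` except `excluded`.

    `excluded` is an iterable of IP/CIDR strings; host bits are tolerated
    (strict=False) so "203.0.113.7/24" means the whole /24.
    """
    remaining = [ipaddress.ip_network(u) for u in universe]
    for e in excluded:
        remaining = _subtract(remaining, ipaddress.ip_network(e, strict=False))
    # Networks of different families are not mutually comparable, so sort by
    # (version, address, prefix) to get a stable, readable list.
    ordered = sorted(
        remaining,
        key=lambda n: (n.version, int(n.network_address), n.prefixlen),
    )
    return ",".join(str(n) for n in ordered)


def is_allowed(client_ip, allow_nets):
    """Allow-list semantics: the client must fall inside at least one listed network."""
    ip = ipaddress.ip_address(client_ip)
    for item in allow_nets.split(","):
        net = ipaddress.ip_network(item.strip(), strict=False)
        if ip.version == net.version and ip in net:
            return True
    return False


if __name__ == "__main__":
    value = allow_nets_excluding(["203.0.113.0/24", "2001:db8:bad::/48"])
    print("allow_nets =", value)
    print(len(value.split(",")), "networks")
    # Constructed probe addresses: the first and third fall in excluded ranges.
    for probe in ("203.0.113.5", "198.51.100.7", "2001:db8:bad::1", "2001:db8::1"):
        print(probe, "allowed" if is_allowed(probe, value) else "denied")
```

Excluding one IPv4 /24 from 0.0.0.0/0 yields 24 blocks (one per prefix length from /1 to /24), and an IPv6 /48 yields 48, so the per-user field grows roughly linearly with the prefix length of each excluded range; nested or overlapping exclusions collapse to the same complement regardless of the order given. The complement list has to be regenerated and the user record updated whenever the excluded addresses change, which is the same operational cost the thread attaches to the firewall approach, but it stays per-user and lives in the passdb rather than in iptables.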