dovecot - Apr 2019 - Feature request: exclude IP/network in allow_nets extra field

Dear all,

We use `allow_nets`[1] to restrict login clients, it works fine.
Recently we need to allow some users to login from everywhere except some
IP/networks, how can we accomplish this with "allow_nets"?

Tried allow_nets="!a.b.c.d", but Dovecot reports error
"allow_nets: Invalid network '!a.b.c.d'".

Can we have this feature?

i guess it should be done in function
"auth_request_validate_networks"[2] in file src/auth/auth-request.c.

[1] allow_nets: https://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets
[2]
https://github.com/dovecot/core/blob/fbc3ccc4a9a02b82073585a33254eacedc6a9950/src/auth/auth-request.c#L1990

On 29 Apr 2019, at 19:56, Zhang Huangbin via dovecot <dovecot at
dovecot.org> wrote:
> Recently we need to allow some users to login from everywhere except some
IP/networks,
Can you use firewall rules for this?
> how can we accomplish this with "allow_nets"?
Allow_nets specifies allowed networks. Doesn't say anything else about any
other use.

"The allow_nets field is a comma separated list of IP addresses and/or
networks where the user is allowed to log in from."

> On Apr 30, 2019, at 11:21 AM, @lbutlr via dovecot <dovecot at
dovecot.org> wrote:
> 
> On 29 Apr 2019, at 19:56, Zhang Huangbin via dovecot <dovecot at
dovecot.org> wrote:
>> Recently we need to allow some users to login from everywhere except
some IP/networks,
> 
> Can you use firewall rules for this?
I suppose not. We don't restrict ALL users this way, just few of them.
And the client IP addresses may change frequently, not static IPs.
>> how can we accomplish this with "allow_nets"?
> 
> Allow_nets specifies allowed networks. Doesn't say anything else about
any other use.
> 
> "The allow_nets field is a comma separated list of IP addresses and/or
networks where the user is allowed to log in from."
I understand what "allow" means. But it will be very handy to support
something like "!a.b.c.d" to allow all but just exclude few
IPs/networks. Isn't it? :)

> On 30 Apr 2019, at 4.56, Zhang Huangbin via dovecot <dovecot at
dovecot.org> wrote:
> 
> Dear all,
> 
> We use `allow_nets`[1] to restrict login clients, it works fine.
> Recently we need to allow some users to login from everywhere except some
IP/networks, how can we accomplish this with "allow_nets"?
> 
> Tried allow_nets="!a.b.c.d", but Dovecot reports error
"allow_nets: Invalid network '!a.b.c.d'".
> 
> Can we have this feature?

Just create another passdb for these premium users before the actual passdb and
add skip = authenticated to the actual passdb.

Sami

Hello, Zhang.

You can easily do this without a new feature in Dovecot.

- Create a post login script, for instance, in bash.
 - install grepcidr on your server.

Your post login script can use grepcidr to check for white or black list.

https://wiki.dovecot.org/PostLoginScripting

I have implemented this myself on a small open source project, I can send you
the links of you want.

Andr?.

Tue Apr 30 02:57:18 GMT+01:00 2019 Zhang Huangbin via dovecot <dovecot at
dovecot.org>:
> Dear all,
>
> We use `allow_nets`[1] to restrict login clients, it works fine.
> Recently we need to allow some users to login from everywhere except some
IP/networks, how can we accomplish this with "allow_nets"?
>
> Tried allow_nets="!a.b.c.d", but Dovecot reports error
"allow_nets: Invalid network '!a.b.c.d'".
>
> Can we have this feature?
>
> i guess it should be done in function
"auth_request_validate_networks"[2] in file src/auth/auth-request.c.
>
> [1] allow_nets:
https://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets
> [2]
https://github.com/dovecot/core/blob/fbc3ccc4a9a02b82073585a33254eacedc6a9950/src/auth/auth-request.c#L1990

Sorry for the top posting, I have not setup my new phone yet.

Here the script sample:
https://github.com/progmaticltd/homebox/blob/dev/install/playbooks/roles/dovecot/files/access-check-whitelist.sh

Andr?.

Tue Apr 30 15:33:51 GMT+01:00 2019 andre <andre at rodier.me>:
>
> Hello, Zhang.
>
> You can easily do this without a new feature in Dovecot.
>
> - Create a post login script, for instance, in bash.
>  - install grepcidr on your server.
>
> Your post login script can use grepcidr to check for white or black list.
>
> https://wiki.dovecot.org/PostLoginScripting
>
> I have implemented this myself on a small open source project, I can send
you the links of you want.
>
> Andr?.
>
> Tue Apr 30 02:57:18 GMT+01:00 2019 Zhang Huangbin via dovecot <dovecot
at dovecot.org>:
>
>> Dear all,
>>
>> We use `allow_nets`[1] to restrict login clients, it works fine.
>> Recently we need to allow some users to login from everywhere except
some IP/networks, how can we accomplish this with "allow_nets"?
>>
>> Tried allow_nets="!a.b.c.d", but Dovecot reports error
"allow_nets: Invalid network '!a.b.c.d'".
>>
>> Can we have this feature?
>>
>> i guess it should be done in function
"auth_request_validate_networks"[2] in file src/auth/auth-request.c.
>>
>> [1] allow_nets:
https://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets
>> [2]
https://github.com/dovecot/core/blob/fbc3ccc4a9a02b82073585a33254eacedc6a9950/src/auth/auth-request.c#L1990
>

> On Apr 30, 2019, at 2:35 PM, Sami Ketola via dovecot <dovecot at
dovecot.org> wrote:
> 
> Just create another passdb for these premium users before the actual passdb
and add skip = authenticated to the actual passdb.
Dear Sami,

Thank you for the suggestion.

Adding more passdb is not ideal at all, if we have more access policies, we
don't want to add more and more userdb/passdb.
Dovecot already supports syntax "allow_nets=a.b.c.d", we just need
something like "!" mark to exclude some IP/networks.

> On Apr 30, 2019, at 10:37 PM, andre via dovecot <dovecot at
dovecot.org> wrote:
> 
> You can easily do this without a new feature in Dovecot.
> 
> - Create a post login script, for instance, in bash.
> - install grepcidr on your server.
> 
> Your post login script can use grepcidr to check for white or black list.
> 
> https://wiki.dovecot.org/PostLoginScripting
Dear Andre,

Thank you very much for the input.

Post login script should work as you suggested, but consider Dovecot already
supports "allow_nets=a.b.c.d", we just need a mark like "!"
to exclude some IP/networks, this might be the best and most elegant solution
(if it can be implemented, of course), because we need only one userdb/passdb
for all users, just different "allow_nets" for access control. Not one
userdb/passdb for one each access policy.

Am 30.04.19 um 03:56 schrieb Zhang Huangbin via dovecot:
> Dear all,
> 
> We use `allow_nets`[1] to restrict login clients, it works fine.
> Recently we need to allow some users to login from everywhere except some
IP/networks, how can we accomplish this with "allow_nets"?
> 
> Tried allow_nets="!a.b.c.d", but Dovecot reports error
"allow_nets: Invalid network '!a.b.c.d'".
> 
> Can we have this feature?
> 
> i guess it should be done in function
"auth_request_validate_networks"[2] in file src/auth/auth-request.c.
I had a similar problem years ago. Usually on set defaults in a configuration
and overwrite per userdb entry
In my case the userdb was a ldap backend. I liked to limit specific users via
allow_nets and deny all other.
So I wrote a simple patch for src/auth/auth-request.c to set defaults in case my
ldap userdb do not return any overwriting.
Patch attached...

Andreas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: allow_nets_defaults.patch
Type: text/x-patch
Size: 923 bytes
Desc: not available
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20190501/10e1c07d/attachment.bin>