Zhang Huangbin
2019-Apr-30 01:56 UTC
Feature request: exclude IP/network in allow_nets extra field
Dear all,

We use `allow_nets`[1] to restrict login clients, it works fine.
Recently we need to allow some users to login from everywhere except some IP/networks, how can we accomplish this with "allow_nets"?

Tried allow_nets="!a.b.c.d", but Dovecot reports error "allow_nets: Invalid network '!a.b.c.d'".

Can we have this feature?

I guess it should be done in function "auth_request_validate_networks"[2] in file src/auth/auth-request.c.

[1] allow_nets: https://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets
[2] https://github.com/dovecot/core/blob/fbc3ccc4a9a02b82073585a33254eacedc6a9950/src/auth/auth-request.c#L1990
@lbutlr
2019-Apr-30 03:21 UTC
Feature request: exclude IP/network in allow_nets extra field
On 29 Apr 2019, at 19:56, Zhang Huangbin via dovecot <dovecot at dovecot.org> wrote:
> Recently we need to allow some users to login from everywhere except some IP/networks,

Can you use firewall rules for this?

> how can we accomplish this with "allow_nets"?

Allow_nets specifies allowed networks. Doesn't say anything else about any other use.

"The allow_nets field is a comma separated list of IP addresses and/or networks where the user is allowed to log in from."
Zhang Huangbin
2019-Apr-30 06:20 UTC
Feature request: exclude IP/network in allow_nets extra field
> On Apr 30, 2019, at 11:21 AM, @lbutlr via dovecot <dovecot at dovecot.org> wrote:
>
> > On 29 Apr 2019, at 19:56, Zhang Huangbin via dovecot <dovecot at dovecot.org> wrote:
> >> Recently we need to allow some users to login from everywhere except some IP/networks,
> >
> > Can you use firewall rules for this?

I suppose not. We don't restrict ALL users this way, just a few of them. And the client IP addresses may change frequently, not static IPs.

> >> how can we accomplish this with "allow_nets"?
> >
> > Allow_nets specifies allowed networks. Doesn't say anything else about any other use.
> >
> > "The allow_nets field is a comma separated list of IP addresses and/or networks where the user is allowed to log in from."

I understand what "allow" means. But it will be very handy to support something like "!a.b.c.d" to allow all but just exclude a few IPs/networks. Isn't it? :)
Sami Ketola
2019-Apr-30 06:35 UTC
Feature request: exclude IP/network in allow_nets extra field
> On 30 Apr 2019, at 4.56, Zhang Huangbin via dovecot <dovecot at dovecot.org> wrote:
>
> Dear all,
>
> We use `allow_nets`[1] to restrict login clients, it works fine.
> Recently we need to allow some users to login from everywhere except some IP/networks, how can we accomplish this with "allow_nets"?
>
> Tried allow_nets="!a.b.c.d", but Dovecot reports error "allow_nets: Invalid network '!a.b.c.d'".
>
> Can we have this feature?

Just create another passdb for these premium users before the actual passdb and add skip = authenticated to the actual passdb.

Sami
Hello, Zhang.

You can easily do this without a new feature in Dovecot.

- Create a post login script, for instance, in bash.
- Install grepcidr on your server.

Your post login script can use grepcidr to check for white or black list.

https://wiki.dovecot.org/PostLoginScripting

I have implemented this myself on a small open source project, I can send you the links if you want.

André.

Tue Apr 30 02:57:18 GMT+01:00 2019 Zhang Huangbin via dovecot <dovecot at dovecot.org>:
> Dear all,
>
> We use `allow_nets`[1] to restrict login clients, it works fine.
> Recently we need to allow some users to login from everywhere except some IP/networks, how can we accomplish this with "allow_nets"?
>
> Tried allow_nets="!a.b.c.d", but Dovecot reports error "allow_nets: Invalid network '!a.b.c.d'".
>
> Can we have this feature?
>
> I guess it should be done in function "auth_request_validate_networks"[2] in file src/auth/auth-request.c.
>
> [1] allow_nets: https://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets
> [2] https://github.com/dovecot/core/blob/fbc3ccc4a9a02b82073585a33254eacedc6a9950/src/auth/auth-request.c#L1990
Sorry for the top posting, I have not set up my new phone yet.

Here is the script sample:

https://github.com/progmaticltd/homebox/blob/dev/install/playbooks/roles/dovecot/files/access-check-whitelist.sh

André.

Tue Apr 30 15:33:51 GMT+01:00 2019 andre <andre at rodier.me>:
>
> Hello, Zhang.
>
> You can easily do this without a new feature in Dovecot.
>
> - Create a post login script, for instance, in bash.
> - Install grepcidr on your server.
>
> Your post login script can use grepcidr to check for white or black list.
>
> https://wiki.dovecot.org/PostLoginScripting
>
> I have implemented this myself on a small open source project, I can send you the links if you want.
>
> André.
>
> Tue Apr 30 02:57:18 GMT+01:00 2019 Zhang Huangbin via dovecot <dovecot at dovecot.org>:
>
>> Dear all,
>>
>> We use `allow_nets`[1] to restrict login clients, it works fine.
>> Recently we need to allow some users to login from everywhere except some IP/networks, how can we accomplish this with "allow_nets"?
>>
>> Tried allow_nets="!a.b.c.d", but Dovecot reports error "allow_nets: Invalid network '!a.b.c.d'".
>>
>> Can we have this feature?
>>
>> I guess it should be done in function "auth_request_validate_networks"[2] in file src/auth/auth-request.c.
>>
>> [1] allow_nets: https://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets
>> [2] https://github.com/dovecot/core/blob/fbc3ccc4a9a02b82073585a33254eacedc6a9950/src/auth/auth-request.c#L1990
Zhang Huangbin
2019-May-01 02:24 UTC
Feature request: exclude IP/network in allow_nets extra field
> On Apr 30, 2019, at 2:35 PM, Sami Ketola via dovecot <dovecot at dovecot.org> wrote:
>
> Just create another passdb for these premium users before the actual passdb and add skip = authenticated to the actual passdb.

Dear Sami,

Thank you for the suggestion. Adding more passdb is not ideal at all; if we have more access policies, we don't want to add more and more userdb/passdb.

Dovecot already supports syntax "allow_nets=a.b.c.d", we just need something like a "!" mark to exclude some IP/networks.
Zhang Huangbin
2019-May-01 02:28 UTC
Feature request: exclude IP/network in allow_nets extra field
> On Apr 30, 2019, at 10:37 PM, andre via dovecot <dovecot at dovecot.org> wrote:
>
> You can easily do this without a new feature in Dovecot.
>
> - Create a post login script, for instance, in bash.
> - Install grepcidr on your server.
>
> Your post login script can use grepcidr to check for white or black list.
>
> https://wiki.dovecot.org/PostLoginScripting

Dear Andre,

Thank you very much for the input. Post login script should work as you suggested, but considering Dovecot already supports "allow_nets=a.b.c.d", we just need a mark like "!" to exclude some IP/networks. This might be the best and most elegant solution (if it can be implemented, of course), because we need only one userdb/passdb for all users, just different "allow_nets" for access control. Not one userdb/passdb for each access policy.
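The "allow everywhere except these networks" semantics requested in this thread, written out as a small reference model (an added example for this archive page, not Dovecot code; Dovecot's real auth_request_validate_networks() rejects "!" entries, as the error quoted above shows, so the exclusion rule implemented here is an assumption about how such a feature might behave):

```python
"""Model of an allow_nets check extended with a proposed "!" exclusion syntax.

Assumed semantics (not Dovecot's): an entry prefixed with "!" excludes a
network; exclusions always win; if only exclusions are listed, every other
address is allowed; if positive networks are also listed, the client must
match one of them.  Any entry that is not a valid address or CIDR network is
rejected, mirroring the "allow_nets: Invalid network" error in the thread.
"""
import ipaddress


class InvalidNetwork(ValueError):
    """Raised for entries Dovecot would report as 'Invalid network'."""


def parse_allow_nets(value):
    """Split a comma-separated allow_nets value into (allowed, excluded).

    A bare address becomes a /32 or /128 host network; IPv4 and IPv6 entries
    may be mixed because ipaddress containment checks are version-aware.
    """
    allowed, excluded = [], []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        negate = entry.startswith("!")
        text = entry[1:] if negate else entry
        try:
            net = ipaddress.ip_network(text, strict=False)
        except ValueError:
            raise InvalidNetwork(f"allow_nets: Invalid network '{entry}'") from None
        (excluded if negate else allowed).append(net)
    return allowed, excluded


def allow_nets_is_valid(value):
    """True if every entry parses; the thread's "!a.b.c.d" fails here too."""
    try:
        parse_allow_nets(value)
    except InvalidNetwork:
        return False
    return True


def client_allowed(value, client_ip):
    """Decide whether client_ip may log in under the given allow_nets value."""
    allowed, excluded = parse_allow_nets(value)
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in excluded):
        return False          # an exclusion matched: deny regardless
    if not allowed:
        return True           # only exclusions listed: everywhere else is fine
    return any(ip in net for net in allowed)
```

The sample addresses used in the checks are documentation ranges (192.0.2.0/24, 198.51.100.0/24, 2001:db8::/32), constructed for illustration.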
A. Schulze
2019-May-01 07:36 UTC
Feature request: exclude IP/network in allow_nets extra field
Am 30.04.19 um 03:56 schrieb Zhang Huangbin via dovecot:
> Dear all,
>
> We use `allow_nets`[1] to restrict login clients, it works fine.
> Recently we need to allow some users to login from everywhere except some IP/networks, how can we accomplish this with "allow_nets"?
>
> Tried allow_nets="!a.b.c.d", but Dovecot reports error "allow_nets: Invalid network '!a.b.c.d'".
>
> Can we have this feature?
>
> I guess it should be done in function "auth_request_validate_networks"[2] in file src/auth/auth-request.c.

I had a similar problem years ago. Usually one sets defaults in a configuration and overwrites them per userdb entry. In my case the userdb was an LDAP backend. I liked to limit specific users via allow_nets and deny all others. So I wrote a simple patch for src/auth/auth-request.c to set defaults in case my LDAP userdb does not return any overwriting value.

Patch attached...

Andreas

-------------- next part --------------
A non-text attachment was scrubbed...
Name: allow_nets_defaults.patch
Type: text/x-patch
Size: 923 bytes
Desc: not available
URL: <https://dovecot.org/pipermail/dovecot/attachments/20190501/10e1c07d/attachment.bin>