dovecot - Apr 2022 - Auth by ip address

?Hi
 ?is possible authentication by ip address in dovecot?
 ? What i need.
 ?Now auth is by PAM (Active directory), i want application password 
(its plugin to Roundcube, passwords in mysql) for example android email 
client.
 ?I know that Multiple Authentication Databases work but i want when 
user auth from public network use sql and when from internal network use 
both sql and then pam.

thanks for help

Bukowski
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20220408/b0a2f880/attachment.htm>

>  Hi
>  is possible authentication by ip address in dovecot?
>   What i need.
>  Now auth is by PAM (Active directory), i want application password (its
plugin
> to Roundcube, passwords in mysql) for  example android email client.
>  I know that Multiple Authentication Databases work but i want when user
auth
> from public network use sql and when from internal network use both sql and
> then pam.
> 
I recently I asked something similar (allow authentication without password for
a specific user name), and am looking to resolve this via pam modules. I think
the solution to your issue is going to be quite similar.
However, I am not sure what you are trying to do, and if what you are looking
for is even good. If you want to use roundecube. Why not just enable user imap
authentication?
I would say you really need to know what you are doing, when you start looking
at no authentication.

On 2022-04-08 12:29, Vlastimil Wagner wrote:
> Hi
>  is possible authentication by ip address in dovecot?
>   What i need.
>  Now auth is by PAM (Active directory), i want application password
> (its plugin to Roundcube, passwords in mysql) for  example android
> email client.
>  I know that Multiple Authentication Databases work but i want when
> user auth from public network use sql and when from internal network
> use both sql and then pam.
> 
> thanks for help
> 
> Bukowski
Hi there,

Check Dovecot post login scripting, refer to 
https://doc.dovecot.org/admin_manual/post_login_scripting/.

In post login script you can have access to $USER string, containing 
email address as well as Fields " returned by userdb lookup with their 
keys uppercased (e.g. if userdb returned home, it?s stored in HOME). "

E.g. use the following snippets in bash script, to perform additional 
authentication, and check first if $IP is present in a whitelist file 
i.e. internal then perform it.

You can retrieve PAM credentials for a "username" using:-
cat /etc/shadow | grep username

Retrieve user password from DB and make use
in following to generate its hash or instead of openssl use doveadm 
command if its more suitable:-
openssl passwd -1 -salt TrOIigLp PASSWORD

Retrieve password hash, algorithm and salt from PAM credentials string:-

Find way to compare the password hash with the generated one, I think 
its doable using python yet I have not tested by myself.

In bash script use following e.g. to pass the post login script 
authentication:-

if [[ $authenticated = true ] && [$IP_PRESENT = true]] ; then

    exec "$@"

elif [[ $IP_PRESENT = false ]]

    exec "$@"

else

    exit 0

fi

Any question please don't hesitate.

Zakaria.