On 2022-04-08 12:29, Vlastimil Wagner wrote:
> Hi
> Is authentication by IP address possible in Dovecot?
> What I need:
> Now auth is by PAM (Active Directory); I want application passwords
> (it's a plugin for Roundcube, passwords in MySQL) for, for example, an Android
> email client.
> I know that Multiple Authentication Databases work, but I want, when a
> user authenticates from the public network, to use SQL, and when from the
> internal network, to use both SQL and then PAM.
>
> Thanks for help
>
> Bukowski
Hi there,
Check Dovecot post login scripting, refer to
https://doc.dovecot.org/admin_manual/post_login_scripting/.
In the post-login script you have access to the $USER string, containing
the email address, as well as fields "returned by userdb lookup with their
keys uppercased (e.g. if userdb returned home, it's stored in HOME)."
E.g. use the following snippets in a bash script to perform additional
authentication, and check first whether $IP is present in a whitelist file,
i.e. internal, and then perform it.
You can retrieve PAM credentials for a "username" using:-

    cat /etc/shadow | grep username

Retrieve the user's password from the DB and use it in the following to
generate its hash, or use the doveadm command instead of openssl if it's
more suitable:-

    openssl passwd -1 -salt TrOIigLp PASSWORD

Retrieve password hash, algorithm and salt from PAM credentials string:-
Find a way to compare the password hash with the generated one; I think
it's doable using Python, yet I have not tested it myself.
In the bash script use e.g. the following to pass the post-login script
authentication:-
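
    # Internal client that also passed the extra check: continue the login.
    if [[ "$authenticated" = true && "$IP_PRESENT" = true ]]; then
        exec "$@"
    # Client outside the whitelist: no extra check, continue the login.
    elif [[ "$IP_PRESENT" = false ]]; then
        exec "$@"
    # Internal client that failed the extra check: end without exec.
    else
        exit 0
    fi
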
Any questions, please don't hesitate.
Zakaria.
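
The helpers such a post-login script would need, as an added example that is not part of the original message: an exact-match lookup of $IP in the whitelist file, a splitter for the `$id$salt$hash` field of a shadow-style line, and the allow/deny gate from the reply. The function names, the `demo` argument and all sample values are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. Function names and sample
# values are hypothetical/constructed; $IP is the variable the message uses.

# Return 0 only if $1 is an exact whole-line entry in allowlist file $2.
# -F keeps dots literal; -x stops 10.0.0.1 from matching 10.0.0.10.
ip_is_internal() {
    [ -n "$1" ] && [ -r "$2" ] || return 1
    grep -Fxq -e "$1" "$2"
}

# Split a shadow-style line "user:$id$salt$hash:..." into "id salt hash".
# Only the plain three-part layout is accepted; locked entries and variants
# with extra parameters (e.g. rounds=...) are rejected, not mis-parsed.
split_crypt_field() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case $field in
        '$'*'$'*'$'*) ;;
        *) return 1 ;;
    esac
    rest=${field#'$'}
    id=${rest%%'$'*};   rest=${rest#*'$'}
    salt=${rest%%'$'*}; hash=${rest#*'$'}
    case $hash in ''|*'$'*) return 1 ;; esac
    [ -n "$id" ] && [ -n "$salt" ] || return 1
    printf '%s %s %s\n' "$id" "$salt" "$hash"
}

# Same gate as in the message: internal clients must also have passed the
# extra check ($3 = true); clients outside the allowlist proceed without it.
post_login_decision() {
    if ip_is_internal "$1" "$2"; then
        if [ "$3" = true ]; then echo allow; else echo deny; fi
    else
        echo allow
    fi
}

# Constructed demo data; run as: sh script.sh demo
if [ "${1:-}" = demo ]; then
    list=$(mktemp) && printf '10.0.0.1\n192.168.1.20\n' > "$list"
    post_login_decision 10.0.0.10 "$list" false
    post_login_decision 10.0.0.1 "$list" false
    split_crypt_field 'alice:$1$TrOIigLp$ConstructedHashValue000:19000:0:99999:7:::'
    rm -f "$list"
fi
```

The whole-line fixed-string match matters here: a plain `grep "$IP"` treats dots as wildcards and matches substrings, so an address outside the list could be classified as internal or the reverse.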