lutz.niederer at gmx.net
2022-Jun-01 11:40 UTC
Restrict IMAP login, but allow Postfix SASL
Hi,

we have a very simple user-/passdb (like passwd) to authenticate virtual IMAP users. We also use this for Postfix authentication. Nothing special.

But we need to exclude some of the users from IMAP login. This means some users should be allowed to send mail via Postfix (submission), and therefore authenticate via SASL against Dovecot successfully, but they should not be allowed to log in to their IMAP mailbox.

How could this be done?

Thanks!
-lutzn
allow_nets with `local,127.0.0.1/32` defined should do the trick. This assumes you don't have any webmail running on the same host, since that would still allow authentication.

https://doc.dovecot.org/configuration_manual/authentication/allow_nets/

I use allow_nets to "suspend" user logins but allow LMTP to continue to function, for example.

On 1 Jun 2022, at 13:40, lutz.niederer at gmx.net wrote:

> Hi,
>
> we have a very simple user-/passdb (like passwd) to authenticate virtual IMAP users. We also use this for Postfix authentication. Nothing special.
>
> But we need to exclude some of the users from IMAP login. This means some users should be allowed to send mail via Postfix (submission), and therefore authenticate via SASL against Dovecot successfully, but they should not be allowed to log in to their IMAP mailbox.
>
> How could this be done?
>
> Thanks!
> -lutzn
Paul Kudla (SCOM.CA Internet Services Inc.)
2022-Jun-01 11:59 UTC
Restrict IMAP login, but allow Postfix SASL
You really need to put your passwd auth in a database; SASL supports pgsql / mysql. You can then alter the queries by selecting flags depending on the access you want to allow.

dovecot-pgsql.conf:

  password_query = SELECT username as user, password FROM email_users WHERE username = '%u' and password <> 'alias' and status = True and destination = '%u'
  user_query = SELECT home, uid, gid FROM email_users WHERE username = '%u' and password <> 'alias' and status = True and destination = '%u'
  #iterate_query = SELECT user, password FROM email_users WHERE username = '%u' and password <> 'alias' and status = True and destination = '%u'
  iterate_query = SELECT "username" as user, domain FROM email_users WHERE status = True and alias_flag = False

postfix smtpd.conf -> /usr/local/lib/sasl2/smtpd.conf:

  # Postgres
  pwcheck_method: auxprop
  mech_list: PLAIN LOGIN
  auxprop_plugin: sql
  sql_engine: pgsql
  sql_hostnames: pg.scom.ca:5433
  sql_database: scom_billing
  sql_user: xxxx
  sql_passwd: xxxx
  sql_select: SELECT password FROM email_users WHERE username = '%u@%r' and password <> 'alias' and currentcount_bad < 30 and status = True

I use status to allow disabling the user's ability to login, but you can easily expand the select statement to include another flag for IMAP user(s).

Happy Wednesday !!!

Thanks - paul

Paul Kudla
Scom.ca Internet Services <http://www.scom.ca>
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3
Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email paul at scom.ca

On 6/1/2022 7:40 AM, dovecot-bounces at dovecot.org wrote:

> Hi,
>
> we have a very simple user-/passdb (like passwd) to authenticate virtual IMAP users.
> We also use this for Postfix authentication. Nothing special.
>
> But, we need to exclude some of the users from IMAP login.
> This means, some users should be allowed to send mail via Postfix (submission) and therefore
> authenticate via SASL against dovecot successfully, but they should not be allowed to login
> to their IMAP mail box.
>
> How could this be done?
>
> Thanks!
> -lutzn
On 01. 06. 22 at 13:40, lutz.niederer at gmx.net wrote:

> Hi,
>
> we have a very simple user-/passdb (like passwd) to authenticate virtual IMAP users.
> We also use this for Postfix authentication. Nothing special.
>
> But, we need to exclude some of the users from IMAP login.
> This means, some users should be allowed to send mail via Postfix (submission) and therefore
> authenticate via SASL against dovecot successfully, but they should not be allowed to login
> to their IMAP mail box.
>
> How could this be done?
>
> Thanks!
> -lutzn

Hi,

would it be a valid option to just not create the mailbox for the "submission only" users? Technically they could log in to IMAP, but they would not have the mailbox.

--
Best regards
Vladislav Kurz
> we have a very simple user-/passdb (like passwd) to authenticate virtual IMAP users.
> We also use this for Postfix authentication. Nothing special.
>
> But, we need to exclude some of the users from IMAP login.
> How could this be done?

There's a facility to add arbitrary code to the imap login process, e.g., in "10-master.conf":

  # the imap service has to be told to go through the post-login socket,
  # otherwise the script below is never invoked
  service imap {
    executable = imap imap-postlogin
  }

  service imap-postlogin {
    executable = script-login /local/bin/imap-wrapper
    user = $default_internal_user
    unix_listener imap-postlogin {
    }
  }

In our case, "/local/bin/imap-wrapper" is a Perl script that checks the user's login shell, and if it is one of our "blocked" shells, returns:

  print "* NO [ALERT] Your account has expired, and access to it has been suspended. ".$msg_helpdesk_refer;
  exit 1;

otherwise it execs the command given in its arguments.

More info is at: https://doc.dovecot.org/admin_manual/post_login_scripting/

Anne.
--
Ms. Anne Bennett, Senior Sysadmin, ENCS, Concordia University, Montreal H3G 1M8
anne at encs.concordia.ca +1 514 848-2424 x2285
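As an added example (not Anne's Perl script and not part of Dovecot), here is what a post-login wrapper of the kind she describes looks like in POSIX sh. It is wired in exactly like the 10-master.conf snippet above, only with a hypothetical path /usr/local/bin/imap-deny-wrapper, and instead of the login shell it consults a hypothetical deny list /etc/dovecot/imap-deny-users (one "user@domain" or "@domain" per line). Because the hook is attached only to the imap service, Postfix's SASL lookups against Dovecot are untouched, which is what the original question asks for. The script-login calling convention (real imap command line in "$@", login name in $USER, exec to continue, non-zero exit to refuse, "* NO [ALERT]" text reaching the client) is taken from the post-login documentation linked above and from Anne's description.

```shell
#!/bin/sh
# Added example, not Anne's script and not Dovecot's code: an IMAP post-login
# wrapper for Dovecot's script-login that refuses IMAP to listed users while
# leaving SASL/submission alone (that path never goes through this hook).
#
# Assumed wiring in 10-master.conf (hypothetical script path):
#   service imap {
#     executable = imap imap-postlogin
#   }
#   service imap-postlogin {
#     executable = script-login /usr/local/bin/imap-deny-wrapper
#     user = $default_internal_user
#     unix_listener imap-postlogin {
#     }
#   }
#
# script-login runs this with the real imap command line in "$@" and the
# authenticated login name in $USER; "exec $@" lets the session continue,
# a non-zero exit refuses it.

# Hypothetical deny list: one entry per line, "alice@example.com" denies one
# user, "@example.com" denies a whole domain, "#" starts a comment.
DENY_FILE="${IMAP_DENY_FILE:-/etc/dovecot/imap-deny-users}"

# imap_denied USER FILE -> exit status 0 if USER must not get IMAP, 1 otherwise.
imap_denied() {
    user=$1
    file=$2
    # Patterns to look for: the exact user, plus "@domain" if the name has one.
    set -- -e "$user"
    case $user in
        *@*) set -- "$@" -e "@${user#*@}" ;;
    esac
    # Drop comments, surrounding whitespace and blank lines, then require a
    # whole-line match (-x) so "alice" does not also match "alice2".
    sed -e 's/[[:space:]]*#.*$//' \
        -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*$//' \
        -e '/^$/d' "$file" \
        | grep -qx "$@"
}

# Act as the wrapper only when script-login hands us a command to exec; when
# the file is merely sourced, $# is 0 and only the function above is defined.
if [ $# -gt 0 ]; then
    if [ ! -r "$DENY_FILE" ]; then
        # Fail closed: a missing deny list must not silently grant IMAP to everyone.
        printf '* NO [ALERT] IMAP access policy unavailable, please contact the helpdesk\r\n'
        exit 1
    fi
    if imap_denied "${USER:-}" "$DENY_FILE"; then
        printf '* NO [ALERT] IMAP access is disabled for this account; sending mail still works\r\n'
        exit 1
    fi
    exec "$@"
fi
```

The wrapper deliberately fails closed when the deny list is unreadable: for a control whose purpose is to keep a subset of accounts out of IMAP, a deployment mistake should produce a visible refusal rather than quietly opening every mailbox. Note that the check runs after authentication succeeded, so a denied user still proves knowledge of the password; the deny passdb approach further down in this thread refuses them before that point.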
> On 1. Jun 2022, at 14.40, lutz.niederer at gmx.net wrote:
>
> Hi,
>
> we have a very simple user-/passdb (like passwd) to authenticate virtual IMAP users.
> We also use this for Postfix authentication. Nothing special.
>
> But, we need to exclude some of the users from IMAP login.
> This means, some users should be allowed to send mail via Postfix (submission) and therefore
> authenticate via SASL against dovecot successfully, but they should not be allowed to login
> to their IMAP mail box.
>
> How could this be done?

I would just configure a deny passdb inside the protocol imap {} block with a list of users denied IMAP access. Something like this:

  protocol imap {
    passdb {
      driver = passwd-file
      args = /etc/dovecot/imap-deny-passdb
      deny = yes
    }
  }

Sami