> we have a very simple user-/passdb (like passwd) to authenticate virtual IMAP users.
> We also use this for Postfix authentication. Nothing special.
>
> But, we need to exclude some of the users from IMAP login.
> How could this be done?

There's a facility to add arbitrary code to the imap login process,
e.g., in "10-master.conf":

  service imap-postlogin {
    executable = script-login /local/bin/imap-wrapper
    user = $default_internal_user
    unix_listener imap-postlogin {
    }
  }

In our case, "/local/bin/imap-wrapper" is a Perl script that checks
the user's login shell, and if it is one of our "blocked" shells,
returns:

  print "* NO [ALERT] Your account has expired, and access to it has been suspended. ".$msg_helpdesk_refer;
  exit 1;

otherwise it execs the command given in its arguments.

More info is at:

  https://doc.dovecot.org/admin_manual/post_login_scripting/

Anne.
-- 
Ms. Anne Bennett, Senior Sysadmin, ENCS, Concordia University, Montreal H3G 1M8
anne at encs.concordia.ca    +1 514 848-2424 x2285
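
A post-login wrapper of the kind described in the message above, written as a POSIX shell script. This is an added example, not Anne's Perl script and not Dovecot's own code. It assumes accounts are listed in a passwd-format file named by the hypothetical `PASSWD_FILE` variable and that the hypothetical `BLOCKED_SHELLS` list marks accounts that must not use IMAP; users that cannot be looked up are refused.

```shell
#!/bin/sh
# Added example: post-login gate for "service imap-postlogin".
# Assumptions (not from the thread): PASSWD_FILE is a passwd-format file,
# BLOCKED_SHELLS is a space-separated list of shells that mean "no IMAP".
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
BLOCKED_SHELLS="${BLOCKED_SHELLS:-/sbin/nologin /bin/false}"

# Print field 7 (login shell) of the entry whose name matches exactly.
# The name is passed through the environment and compared as a string,
# so it is never interpreted as a pattern or as a number.
login_shell_of() {
    LOOKUP_USER="$1" awk -F: '
        ($1 "") == (ENVIRON["LOOKUP_USER"] "") { print $7; found = 1; exit }
        END { exit !found }' "$PASSWD_FILE"
}

# Return 0 if the user may use IMAP, 1 if blocked or unknown (fail closed).
imap_allowed() {
    shell=$(login_shell_of "$1") || return 1
    for blocked in $BLOCKED_SHELLS; do
        if [ "$shell" = "$blocked" ]; then
            return 1
        fi
    done
    return 0
}

main() {
    # script-login exports the authenticated username as USER.
    if ! imap_allowed "${USER:-}"; then
        # Same untagged-response shape as the wrapper quoted above.
        printf '%s\n' "* NO [ALERT] IMAP access is disabled for this account."
        exit 1
    fi
    exec "$@"   # hand over to the command given in the arguments
}

# script-login passes the command to run next as arguments.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```
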
> There's a facility to add arbitrary code to the imap login process,
> e.g., in "10-master.conf":
>
>   service imap-postlogin {
>     executable = script-login /local/bin/imap-wrapper
>     user = $default_internal_user
>     unix_listener imap-postlogin {
>     }
>   }
>

Just wondering: is there some sort of pre-login scripting facility for
validation, as well as this post-login mechanism? I couldn't find anything
like this in the Dovecot docs, but perhaps I missed something.

I'd like to be able to have the IP address, the protocol, the user ID, and
the password examined before even passing the request to the standard login
mechanism, and I'd like to be able to reject the request even prior to
login. And a nice-to-have would also be the ability to alter the request
before it gets passed on to the login mechanism.

Am I out of luck?

-- 
hippoman at gmail.com
Take a hippopotamus to lunch today.