On 16/3/23 06:31, Aymeric Agon-Rambosson wrote:
> I have a solution to my problem.
>
> For reference, I am putting it here :
>
> A simple way to restrict login based on uids is to modify the file as
> such :
>
> #%PAM-1.0
>
> auth    required        pam_succeed_if.so uid > 500 quiet
> @include common-auth
> @include common-account
> @include common-session
>

It is possible for the dovecot sasl component to use different authorisation
back-ends, such as LDAP, GSSAPI, MySQL etc. These do not necessarily
have the ability to reject uid < 500.

However, generally, these backends can be used by pam as well. In
default debian installations:

cat dovecot
#%PAM-1.0

#auth required pam_faillock.so preauth silent audit
#auth [default=die] pam_faillock.so authfail audit

@include common-auth
@include common-account
@include common-session

cat common-auth

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.

A good practice would be to use postfix --> dovecot/sasl --> pam -->
backend server and do the uid vetting in the dovecot pam configuration

--
Jeremy
> On 16/03/2023 03:58 EET jeremy ardley <jeremy at ardley.org> wrote:
>
> On 16/3/23 06:31, Aymeric Agon-Rambosson wrote:
> > I have a solution to my problem.
> >
> > For reference, I am putting it here :
> >
> > A simple way to restrict login based on uids is to modify the file as
> > such :
> >
> > #%PAM-1.0
> >
> > auth    required        pam_succeed_if.so uid > 500 quiet
> > @include common-auth
> > @include common-account
> > @include common-session
> >
>
> It is possible for the dovecot sasl component to use different authorisation
> back-ends, such as LDAP, GSSAPI, MySQL etc. These do not necessarily
> have the ability to reject uid < 500.
>
> However, generally, these backends can be used by pam as well. In
> default debian installations:
>
> cat dovecot
> #%PAM-1.0
>
> #auth required pam_faillock.so preauth silent audit
> #auth [default=die] pam_faillock.so authfail audit
>
> @include common-auth
> @include common-account
> @include common-session
>
> cat common-auth
>
> #
> # /etc/pam.d/common-auth - authentication settings common to all services
> #
> # This file is included from other service-specific PAM config files,
> # and should contain a list of the authentication modules that define
> # the central authentication scheme for use on the system
> # (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
> # traditional Unix authentication mechanisms.
>
> A good practice would be to use postfix --> dovecot/sasl --> pam -->
> backend server and do the uid vetting in the dovecot pam configuration

Dovecot itself can reject uid < 500. Just set first_valid_uid = 500 and
first_valid_gid = 500.

Aki

> --
>
> Jeremy
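As an added illustration (not code from anyone in the thread), a small Python check over a constructed passwd sample that contrasts the two cut-offs mentioned above: pam_succeed_if's `uid > 500` is a strict comparison, while Dovecot's `first_valid_uid = 500` is an inclusive lower bound, so an account with uid exactly 500 is treated differently by the two. The sample accounts and the two policy functions are assumptions made for the demonstration.

```python
"""Compare the two uid cut-offs from the thread on a constructed passwd
sample: pam_succeed_if 'uid > 500' versus Dovecot 'first_valid_uid = 500'."""
from typing import Dict, List, NamedTuple, Set


class PasswdEntry(NamedTuple):
    name: str
    uid: int
    gid: int
    shell: str


# Constructed /etc/passwd sample for the demonstration; not from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
dovecot:x:110:117::/usr/lib/dovecot:/usr/sbin/nologin
boundary:x:500:500:uid exactly 500:/home/boundary:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd(5) records; blank, commented and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        entries.append(PasswdEntry(fields[0], int(fields[2]), int(fields[3]), fields[6]))
    return entries


def pam_succeed_if_uid_gt(entries: List[PasswdEntry], threshold: int = 500) -> Set[str]:
    """Models 'pam_succeed_if.so uid > N': strictly greater, so uid N itself is rejected."""
    return {e.name for e in entries if e.uid > threshold}


def dovecot_first_valid(entries: List[PasswdEntry], first_valid_uid: int = 500,
                        first_valid_gid: int = 500) -> Set[str]:
    """Models Dovecot first_valid_uid/first_valid_gid: inclusive lower bounds."""
    return {e.name for e in entries if e.uid >= first_valid_uid and e.gid >= first_valid_gid}


def policy_difference(entries: List[PasswdEntry]) -> Dict[str, Set[str]]:
    """Accounts admitted by one cut-off but not the other (the boundary account)."""
    pam, dov = pam_succeed_if_uid_gt(entries), dovecot_first_valid(entries)
    return {"only_dovecot": dov - pam, "only_pam": pam - dov}


if __name__ == "__main__":
    print(policy_difference(parse_passwd(SAMPLE_PASSWD)))  # {'only_dovecot': {'boundary'}, 'only_pam': set()}
```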