blob: b24be44f9463f45812655b13035e93d46bb247ac (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
|
Restricting Access
==================
Restricting IMAP/POP3 access
----------------------------
Below examples show how you can give POP3 access to everyone, but IMAP access
only for some people. The exact solution you want depends on what passdb you
use. The solutions can also be modified for other types of IMAP/POP3/SMTP/etc.
access checks.
PAM
---
Set PAM service name to '%s', ie.:
---%<-------------------------------------------------------------------------
passdb {
driver = pam
args = %s
}
---%<-------------------------------------------------------------------------
That way PAM uses '/etc/pam.d/imap' for IMAP, and '/etc/pam.d/pop3' for POP3.
In '/etc/pam.d/imap' you could then use eg. the pam_listfile.so module:
---%<-------------------------------------------------------------------------
# allow IMAP access only for users in /etc/imapusers file
auth required pam_listfile.so item=user sense=allow
file=/etc/imapusers onerr=fail
---%<-------------------------------------------------------------------------
SQL
---
You can use the '%s' variable which expands to 'imap' or 'pop3' in
'password_query', eg:
---%<-------------------------------------------------------------------------
password_query = SELECT password FROM users WHERE userid = '%u' and not
(imap_allowed = false and '%s' = 'imap')
---%<-------------------------------------------------------------------------
LDAP
----
Just like with SQL, you can use '%s' in pass_filter, eg.:
---%<-------------------------------------------------------------------------
pass_filter = (&(objectClass=posixAccount)(uid=%u)(service=%s))
---%<-------------------------------------------------------------------------
That would require setting both service=pop3 and service=imap attributes to the
user objects.
passwd-file
-----------
You can create a deny passwd-file based on the service:
---%<-------------------------------------------------------------------------
passdb {
driver = passwd-file
args = /etc/dovecot/deny.%s
deny = yes
}
---%<-------------------------------------------------------------------------
This makes Dovecot look for '/etc/dovecot/deny.imap' and
'/etc/dovecot/deny.pop3' files. If the user exists in it, the access is denied.
The files don't need to have anything else than one username per line.
Note that this deny passdb must be before other passdbs. It also means that it
can be used with any other passdb, not just with passwd-file passdbs.
Restricting IP Access
---------------------
It's possible to allow a user to authenticate only from a specific IP or
network. This is especially useful for master users. This can be done by
returning <allow_nets> [PasswordDatabase.ExtraFields.AllowNets.txt] extra field
in passdb.
(This file was created from the wiki on 2019-06-19 12:42)
|