BTW: the password query may be one solution to restrict clients; consult the dovecot documentation on how to get the client IP into the game, and a smart join yielding 'Y' AS proxy or 'N' AS proxy may do what you need; a web interface for such settings should be trivial

password_query = SELECT passwd as password, '127.0.0.1' as host, userid as destuser, passwd AS pass, 'Y' AS nologin, 'Y' AS nodelay, 'Y' AS proxy FROM dbmail_users WHERE userid='%u'
On 01.02.2014 16:22, Reindl Harald wrote:
> by definition DBMail can only see the proxy IP because the client itself
> never touches it directly, so restrictions on the origin IP belong to
> dovecot; below is a working dovecot/dbmail-proxy config
>
> this one needs plaintext passwords in the database because of "auth_mechanisms" CRAM-MD5
> the small snippet before shows another benefit of such a setup with dovecot
> auth-caching, and finally it makes clear there is no direct client/dbmail connection;
> in doubt that enforces security because you need a successful authentication
> to get any imap/pop3 command through to the dbmail services
>
> passwords encrypted or not is a different discussion; in my case there are
> hundreds of clients with configurations from 10 years ago where we did not
> have TLS/SSL at all, and in that case offering CRAM-MD5 is more important,
> and forcing them all to TLS is impossible - frankly, if someone is that deep
> on the server to access the user-table I have other problems, as for sure
> random generated one-service passwords
>
> auth_cache_ttl = 600
> auth_cache_negative_ttl = 600
> auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@%
> auth_username_translation = %@AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz
> __________________________________________________________________________________
>
> [root@testserver:~]$ cat /etc/dovecot/sql.conf
> driver = mysql
> connect = host=/var/lib/mysql/mysqld_dbmail.sock dbname=dbmail
> user=dbmail password=***************
> password_query = SELECT passwd as password, '127.0.0.1' as host, userid as destuser, passwd AS pass, 'Y' AS nologin, 'Y' AS nodelay, 'Y' AS proxy FROM dbmail_users WHERE userid='%u'
> default_pass_scheme = plain
> __________________________________________________________________________________
>
> [root@testserver:~]$ cat /etc/dovecot/dovecot.conf
> # provided services
> protocols = imap pop3
>
> # configure ssl
> ssl = yes
> ssl_cert = </etc/postfix/certs/localhost.pem
> ssl_key = </etc/postfix/certs/localhost.pem
> ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!SSLv2
> ssl_prefer_server_ciphers = yes
> ssl_parameters_regenerate = 0
>
> # configure imap-proxy
> service imap-login {
> inet_listener imap {
> address = <PUBLIC-IP>
> port = 143
> }
> inet_listener imaps {
> address = <PUBLIC-IP>
> port = 993
> }
> vsz_limit = 128M
> service_count = 0
> process_min_avail = 1
> process_limit = 1
> client_limit = 200
> }
>
> # configure pop3-proxy
> service pop3-login {
> inet_listener pop3 {
> address = <PUBLIC-IP>
> port = 110
> }
> inet_listener pop3s {
> address = <PUBLIC-IP>
> port = 995
> }
> vsz_limit = 128M
> service_count = 0
> process_min_avail = 1
> process_limit = 1
> client_limit = 200
> }
>
> # default settings
> imap_capability = IMAP4 IMAP4rev1 ACL RIGHTS=texk NAMESPACE CHILDREN SORT QUOTA THREAD=ORDEREDSUBJECT UNSELECT IDLE
> login_greeting =
> login_log_format_elements = %u %r %m %k
> login_log_format = %{login_status}: %s
> mail_max_userip_connections = 100
> auth_mechanisms = CRAM-MD5 DIGEST-MD5 SCRAM-SHA-1 APOP LOGIN PLAIN
> disable_plaintext_auth = no
> shutdown_clients = no
> version_ignore = yes
>
> # Logging
> syslog_facility = mail
>
> # authentication process
> auth_worker_max_count = 50
> auth_cache_size = 1024
> auth_cache_ttl = 600
> auth_cache_negative_ttl = 600
> auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@%
> auth_username_translation = %@AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz
>
> # debug options
> auth_debug = no
> auth_debug_passwords = no
> auth_verbose = no
> mail_debug = no
> verbose_ssl = no
>
> # configure proxy-database
> passdb {
> driver = sql
> args = /etc/dovecot/sql.conf
> }
>
> # we are not using local users
> userdb {
> driver = static
> args = static uid=10000 gid=10000 home=/dev/null
> }
>
> # configure backend for postfix sasl-auth
> service auth {
> unix_listener /var/spool/postfix/private/auth {
> mode = 0660
> user = postfix
> group = postfix
> }
> }
> __________________________________________________________________________________
>
On 01.02.2014 16:07, KT Walrus wrote:
>> Thanks. If my dbmail IMAP server is behind a dovecot IMAP proxy, will the
>> usermap deny/allow IP addresses work?
>> Or, will dbmail see the IP address of the dovecot proxy and not be able to
>> see the clientip?
>>
>> If this is a problem, should I enforce the IP restrictions in dovecot proxy
>> and not use dbmail usermaps?
>>
>> On Jan 31, 2014, at 4:48 PM, Paul J Stevens <[email protected]> wrote:
>>
>>> On 31-01-14 16:45, KT Walrus wrote:
>>>> I only have one domain for my mail addresses, e.g. [email protected].
>>>>
>>>> When I create a new account, should the userid be set to username and
>>>> a single alias created for [email protected] for this userid? Is
>>>> this the best way to set up new accounts?
>>>
>>> The userid is the login handle. Choose whatever you prefer. Users will
>>> generally expect to be able to login with their address. If the address
>>> equals the login, you don't need to add the alias. That would be redundant.
>>>>
>>>> I see the aliases table has a column called client_idnr. What is
>>>> this column used for?
>>>
>>> That field is in the users table. It's an archaeological anachronism
>>> that was never used, except by third-party users.
>>>
>>>>
>>>> I also want to set up IMAP/POP3 access to allow only IMAP/POP3 for a
>>>> certain group of users, and deny IMAP/POP3 access to all others
>>>> except from a Roundcube Mail installation on my website. I assume I
>>>> can do this using Usermaps feature, but I’m having a little
>>>> difficulty understanding the best way to set this up.
>>>>
>>>> What rows should I have in my usermaps table to implement this? Do I
>>>> need 4 rows per user to allow IMAP/POP3 access from the web or
>>>> Roundcube Mail servers or can I set things up such that there is a
>>>> group for the users and only add a couple of rows to grant access to
>>>> all users in the group?
>>>
>>> First set your default policy:
>>>
>>> login=ANY, sock_allow='inet:10.0.0.1:143'
>>>
>>> to allow any connection on a non-routed address - i.e. from roundcube.
>>>
>>> Block anyone else:
>>>
>>> login=ANY, sock_deny='inet:1.2.3.4:0'
>>>
>>> on the external public address
>>>
>>> Next set specific access for designated users:
>>>
>>> login='[email protected]', sock_allow='inet:1.2.3.4:0'
>>> login='[email protected]', sock_allow='inet:1.2.3.4:0'
>>>
>>> The match on ANY takes a lower precedence than the full login match.
>>> More specific CIDR blocks also take precedence over less specific ones.
>>>
>>>
>>>> Lastly, I want to have an admin IMAP user that can login (only from
>>>> localhost) and access/update/create/delete mailboxes for any existing
>>>> user using IMAP. What is the best way to set this up? I’ve been
>>>> assuming I need to set up an ACL for each user mailbox to allow the
>>>> admin user access, but I don’t think this will allow the admin user
>>>> to create/delete mailboxes (and autosubscribe the user to them). Is
>>>> there a way to set up a wildcard ACL (mailbox id 0?) to allow access
>>>> to the admin user to all mailboxes?
>>>
>>> Don't do that! Bad Idea! Don't use IMAP to casually grant access to
>>> other people's mailboxes. Integrity alert. Bad karma. Bad business. Just
>>> plain creepy, imo. And *very* bad security from someone who is worried
>>> about compute cycles in password cracks.
>>>
>>> You must have us confused with exchange
_______________________________________________ DBmail mailing list [email protected] http://mailman.fastxs.nl/cgi-bin/mailman/listinfo/dbmail
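As an added illustration of the usermaps precedence Paul describes (a full-login row beats an ANY row, a more specific CIDR beats a less specific one), here is a small Python model; it is not DBMail's own usermaps code. The rows, logins and addresses are constructed, and the tie-breaking (a deny row wins an exact tie; with no matching row the login is left alone) and IPv4-only parsing are assumptions of this model.

```python
import ipaddress
import re

# Constructed sample rows modelled on the usermaps examples in the thread:
# (login, action, server socket the client connected to). 'inet:ADDR[/LEN]:PORT',
# with port 0 meaning any port. Logins and addresses are made up.
USERMAPS = [
    ("ANY", "allow", "inet:10.0.0.1:143"),            # roundcube on the non-routed address
    ("ANY", "deny", "inet:1.2.3.4:0"),                # everyone else on the public address
    ("alice@example.com", "allow", "inet:1.2.3.4:0"),  # designated users get the public address
    ("bob@example.com", "allow", "inet:1.2.3.4:0"),
]

# Assumption: IPv4 only, optionally with a /LEN prefix.
SOCK_RE = re.compile(r"^inet:(?P<addr>[0-9./]+):(?P<port>\d+)$")


def parse_sock(spec):
    """Parse 'inet:ADDR[/LEN]:PORT' into (ip_network, port)."""
    m = SOCK_RE.match(spec)
    if not m:
        raise ValueError("unsupported socket spec: %r" % spec)
    return ipaddress.ip_network(m.group("addr"), strict=False), int(m.group("port"))


def decide(login, local_ip, local_port, rows=USERMAPS):
    """Return 'allow' or 'deny' for login on the listener local_ip:local_port.

    Ranking as the thread describes it: full-login row over ANY row, then
    longer CIDR prefix over shorter. Model assumptions: a deny row wins an
    exact tie, and with no matching row at all the login is left alone.
    """
    best = None
    for row_login, action, spec in rows:
        if row_login != "ANY" and row_login != login:
            continue
        net, port = parse_sock(spec)
        if ipaddress.ip_address(local_ip) not in net or port not in (0, local_port):
            continue
        rank = (row_login != "ANY", net.prefixlen, action == "deny")
        if best is None or rank > best:
            best = rank
    if best is None:
        return "allow"
    return "deny" if best[2] else "allow"
```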
