Am 29.05.2013 10:37, schrieb Simone Marx :: Edinet Srl: > Hi, > I'm trying to config dovecot to enable IMAP protocol only for certain > IPs and users. > The logical steps I've followed are: > 1. If a user is trying to login from an IP that I've authorized ( listed > in a file) the request is authorized. > 2. If not, if the user is listed in a second file the request is > authorized. > 3. If also this check fails the request is rejected. > > I'm using PAM for passdb and a passwd-file for userdb: > > passdb { > driver = pam > args = session=yes failure_show_msg=yes max_requests=16 > cache_key=%u%r%l dovecot-%s > } > > userdb { > driver = passwd-file > args = /etc/passwd-dovecot > } > > > In /etc/pam.d/ there are two files: > dovecot-pop3 > dovecot-imap > > dovecot-pop3: > > #%PAM-1.0 > > @include common-auth > @include common-account > @include common-session > > (for this protocol everything works fine, I don't want to limit it.) > > > dovecot-imap: > > #%PAM-1.0 > > @include common-auth > > auth sufficient pam_listfile.so item=rhost sense=allow > file=/etc/dovecot/imaphosts onerr=fail > auth required pam_listfile.so item=user sense=allow > file=/etc/dovecot/imapusers onerr=fail > > @include common-account > @include common-session > > > If I'm not wrong, once the user is authenticated, PAM checks if the > remote IP address is in imaphosts; if it's true, > it returns PAM_SUCCESS and stops the execution of the auth block, else > if it's false, PAM executes the next line, verifying the presence of the > username in imapusers file; if found, then return PAM_SUCCESS, else fail. > > If this can work, I've a problem with pam_listfile.so and IP addresses: > I want to do something smarter than specifying 2^11 IP addresses instead > a /21 or IP/netmask > > Are there alternatives for doing it better? > > Thanks. > > Sincerely, > Simone Marx. >
you may have a look at http://wiki.dovecot.org/Authentication/RestrictAccess Best Regards MfG Robert Schetterer -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein