On 05/10/10 12:50 +0200, Josef Karliak wrote:
> Hi there,
>   is it possible to allow imaps only for some users (accounts are in
> the passwd) ?
>   I want to accept imaps from net for few special users. Others are
> authorized only over imap clients from local network.

You could create a unique imaps entry within your cyrus.conf config:

  imapspasswd cmd="imapd -s" listen="imaps" prefork=0

Or if you can identify which network/ip such users will be connecting
from, you could further restrict it with:

  imapspasswd cmd="imapd -s" listen="<ip-addr>:imaps" prefork=0

then within your imapd.conf, you'd configure:

  imapspasswd_sasl_pwcheck_method: saslauthd
  imapspasswd_sasl_mech_list: plain login

and then you would start, or configure, saslauthd with a '-a pam' option,
which would use pam service name 'imap' to authenticate users connecting on
that socket.

One potential problem with this approach is that some clients may attempt
to perform STARTTLS over port 143, rather than imaps over port 993. In that
case, you'd have to know that your users are connecting via unique IP
addresses, like:

  imaplocalnet cmd="imapd" listen="192.168.1.1:imap" prefork=0
  imapextip cmd="imapd" listen="1.2.3.4:imap" prefork=0

And then you'd create:

  imapextip_sasl_pwcheck_method: saslauthd
  imapextip_sasl_mech_list: plain login
  imaplocalnet_sasl_pwcheck_method: auxprop
  imaplocalnet_sasl_auxprop_plugin: sasldb

(or whatever your existing sasl_ configuration is)

-- 
Dan White

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
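
An added example, not part of the original message and not Cyrus code: a small Python check that lists, for each service entry in cyrus.conf, its listen address and the password-check backend that applies to it, using the service-name prefix shown in the reply. The config text is a constructed sample, the function names are hypothetical, and the fallback from a prefixed option to the unprefixed global one is assumed here.

```python
import re

# Constructed sample configs, modelled on the entries in the reply above.
CYRUS_CONF = """
SERVICES {
  imaplocalnet cmd="imapd" listen="192.168.1.1:imap" prefork=0
  imapextip    cmd="imapd" listen="1.2.3.4:imap" prefork=0
}
"""
IMAPD_CONF = """
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sasldb
imapextip_sasl_pwcheck_method: saslauthd
imapextip_sasl_mech_list: plain login
"""

def parse_services(text):
    """Return {service_name: {arg: value}} for entries inside SERVICES { }."""
    body = re.search(r'SERVICES\s*\{(.*?)\}', text, re.S).group(1)
    services = {}
    for line in body.splitlines():
        parts = line.split('#', 1)[0].split(None, 1)  # drop comments, split off name
        if len(parts) == 2:
            services[parts[0]] = {k: q or b for k, q, b in
                                  re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', parts[1])}
    return services

def parse_options(text):
    """Return {option: value} from 'key: value' lines in imapd.conf."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith('#') and ':' in line:
            key, value = line.split(':', 1)
            opts[key.strip()] = value.strip()
    return opts

def effective(opts, service, option):
    """Prefer '<service>_<option>'; otherwise use the global '<option>' (assumed)."""
    return opts.get(f'{service}_{option}', opts.get(option))

def audit(cyrus_conf, imapd_conf, option='sasl_pwcheck_method'):
    """Map each service to (listen address, effective value of option)."""
    opts = parse_options(imapd_conf)
    return {name: (args.get('listen'), effective(opts, name, option))
            for name, args in parse_services(cyrus_conf).items()}

if __name__ == '__main__':
    for name, (listen, method) in audit(CYRUS_CONF, IMAPD_CONF).items():
        print(f'{name:14} listen={listen:20} pwcheck={method}')
```

Running it against the real files before restarting the master process shows whether an externally reachable listener is still falling back to the global authentication settings.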