Hi,
I'm trying to configure dovecot to enable the IMAP protocol only for certain IPs and users.
The logical steps I've followed are:
1. If a user is trying to login from an IP that I've authorized (listed in a file) the request is authorized.
2. If not, if the user is listed in a second file the request is authorized.
3. If also this check fails the request is rejected.

I'm using PAM for passdb and a passwd-file for userdb:

passdb {
  driver = pam
  args = session=yes failure_show_msg=yes max_requests=16 cache_key=%u%r%l dovecot-%s
}

userdb {
  driver = passwd-file
  args  = /etc/passwd-dovecot
}


In /etc/pam.d/ there are two files:
dovecot-pop3
dovecot-imap

dovecot-pop3:

#%PAM-1.0

@include common-auth
@include common-account
@include common-session

(for this protocol everything works fine, I don't want to limit it.)


dovecot-imap:

#%PAM-1.0

@include common-auth

auth sufficient pam_listfile.so item=rhost sense=allow file=/etc/dovecot/imaphosts onerr=fail
auth required   pam_listfile.so item=user  sense=allow file=/etc/dovecot/imapusers onerr=fail

@include common-account
@include common-session


If I'm not wrong, once the user is authenticated, PAM checks if the remote IP address is in imaphosts; if it's true, it returns PAM_SUCCESS and stops the execution of the auth block, else if it's false, PAM executes the next line, verifying the presence of the username in imapusers file; if found, then return PAM_SUCCESS, else fail.

If this can work, I have a problem with pam_listfile.so and IP addresses: I want to do something smarter than specifying 2^11 IP addresses instead of a /21 or IP/netmask.

Are there alternatives for doing it better?

Thanks.

Sincerely,
Simone Marx.
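The policy the post describes (allow if the remote host is in an allowed network, otherwise allow only if the user is in the allow-list, otherwise deny) is easy to state precisely in code, and doing so shows what pam_listfile's plain address list cannot express: network matches by CIDR or address/netmask. The following is an added example written for this page, not code from the post or from Dovecot or PAM. It assumes the two list files have the same one-entry-per-line, `#`-comment format pam_listfile uses, and embeds constructed sample contents instead of reading `/etc/dovecot/imaphosts` and `/etc/dovecot/imapusers`; the `onerr=fail` behaviour is mirrored by denying on anything unparsable.

```python
import ipaddress

# Constructed sample contents of the two allow-lists described in the post.
# A real deployment would read them from /etc/dovecot/imaphosts and
# /etc/dovecot/imapusers; the entries below are documentation-range addresses.
IMAPHOSTS = """\
# networks/hosts allowed to use IMAP: CIDR, address/netmask, or a single address
192.0.2.0/24
198.51.96.0/255.255.248.0
2001:db8::/32
203.0.113.7
"""

IMAPUSERS = """\
# users allowed to use IMAP from any address
alice
bob
"""


def _entries(text):
    """Yield non-empty, non-comment entries from a pam_listfile-style list."""
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            yield entry


def parse_networks(text):
    """Parse each entry as an IPv4/IPv6 network.

    A bare address becomes a /32 or /128; strict=False accepts a network
    written with host bits set (e.g. 198.51.100.0/21 is normalised to /21).
    An unparsable entry raises ValueError, which the caller treats as a
    configuration error and denies (the analogue of onerr=fail).
    """
    return [ipaddress.ip_network(e, strict=False) for e in _entries(text)]


def parse_users(text):
    return set(_entries(text))


def host_allowed(rhost, networks):
    """True if rhost parses as an address contained in any allowed network."""
    try:
        addr = ipaddress.ip_address(rhost)
    except ValueError:
        return False  # missing or non-IP rhost never matches
    return any(addr in net for net in networks)


def imap_login_allowed(user, rhost, hosts_text=IMAPHOSTS, users_text=IMAPUSERS):
    """Evaluate the post's two-step policy after primary authentication.

    Step 1 (PAM 'sufficient'): remote host inside an allowed network -> allow.
    Step 2 (PAM 'required'):   user named in the user allow-list     -> allow.
    Otherwise, or if either list cannot be parsed, -> deny.
    """
    try:
        networks = parse_networks(hosts_text)
        users = parse_users(users_text)
    except ValueError:
        return False  # onerr=fail: a broken list denies rather than opens access
    if host_allowed(rhost, networks):
        return True
    return user in users


if __name__ == "__main__":
    for user, rhost in [("carol", "192.0.2.10"), ("carol", "198.51.100.5"),
                        ("carol", "198.51.104.1"), ("alice", "10.0.0.1"),
                        ("carol", "not-an-ip")]:
        print(f"{user}@{rhost}: {'allow' if imap_login_allowed(user, rhost) else 'deny'}")
```

The `sufficient`/`required` ordering in the post maps onto the early `return True` after the host check followed by the user check; the order matters only for which list is consulted first, since both outcomes are a plain allow. Note that the host check depends on the PAM module actually receiving the client address as `PAM_RHOST`; that value is set by the calling service, so whether this works under Dovecot is an assumption to verify in the PAM log before relying on it.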
