On 30.04.19 at 03:56, Zhang Huangbin via dovecot wrote:
> Dear all,
>
> We use `allow_nets`[1] to restrict login clients, it works fine.
> Recently we need to allow some users to log in from everywhere except some
> IP/networks, how can we accomplish this with "allow_nets"?
>
> Tried allow_nets="!a.b.c.d", but Dovecot reports error "allow_nets: Invalid
> network '!a.b.c.d'".
>
> Can we have this feature?
>
> I guess it should be done in function "auth_request_validate_networks"[2] in
> file src/auth/auth-request.c.

I had a similar problem years ago. Usually one sets defaults in a configuration and overwrites them per userdb entry. In my case the userdb was an ldap backend. I liked to limit specific users via allow_nets and deny all others. So I wrote a simple patch for src/auth/auth-request.c to set defaults in case my ldap userdb does not return any overwriting.

Patch attached...

Andreas

Description: additional defaults for allow_nets Author: A. Schulze --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ Index: dovecot-2.3.6/src/auth/auth-request.c =================================================================== --- dovecot-2.3.6.orig/src/auth/auth-request.c +++ dovecot-2.3.6/src/auth/auth-request.c @@ -1775,6 +1775,16 @@ auth_request_validate_networks(struct au unsigned int bits; bool found = FALSE; + if (strcmp(networks, "ALL") == 0) { + auth_request_log_debug(request, "auth", "allow_nets: found 'ALL'"); + request->failed = FALSE; + return; + } + if (strcmp(networks, "NONE") == 0) { + auth_request_log_debug(request, "auth", "allow_nets: found 'NONE'"); + request->failed = TRUE; + return; + } for (net = t_strsplit_spaces(networks, ", "); *net != NULL; net++) { auth_request_log_debug(request, AUTH_SUBSYS_DB, "%s: Matching for network %s", name, *net);
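
Review bot: In the "ALL" branch, request->failed = FALSE overwrites whatever state the request carried when auth_request_validate_networks() was entered, so if the request was already marked failed this value clears it; returning without touching request->failed is enough to express "allow every network". Both new auth_request_log_debug() calls also pass the literal "auth" and leave out name, while the existing call right below uses AUTH_SUBSYS_DB and the "%s: ..." prefix, so the new messages will not line up with the rest of this function's debug output. The strcmp() tests run before t_strsplit_spaces(), so "ALL" and "NONE" only take effect as the entire, exact-case field value: something like "NONE, a.b.c.d" falls through to the loop and is parsed as a network list, which deserves a comment here and a line in the allow_nets documentation.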