Re: [Dovecot] Dovecot + SASL + allow_nets

2007-12-20 Thread Marc Cuypers

Andrew Garner wrote:

On Dec 13, 2007 4:36 AM, Marc Cuypers [EMAIL PROTECTED] wrote:

Andrew Garner wrote:


Timo Sirainen wrote:

On Mon, 2007-12-03 at 14:36 +0100, Marc Cuypers wrote:

When using dovecot for authentication of an SASL (postfix) request, i
cannot use the allow_nets parameter.  The IP-address of the requester is
not known in dovecot.

I would like to allow sasl for certain users, others are not allowed to
access via SASL.
Some users can have access to imap and pop3 from certain IP-addresses.

How could I combine this in the dovecot configuration?

Since Postfix doesn't send the IP to Dovecot, there isn't anything on
Dovecot's side you can do. You could try asking about this in Postfix
list.. Someone at least had a patch which allowed sending local IP to
Dovecot (http://marc.info/?t=119306971600010&r=1&w=2). Maybe it sends
remote IP as well.

I wrote that patch. It passes both endpoints (remote & local)
through to dovecot. This lets you restrict smtp-auth just like
pop3 or imap using the remote IP. In my case, I had played around
with a quick hack for doing per-ip realming (using the local IP) w/
dovecot-sql.

Hi Andrew,

Where can i find the patch?



Sorry for taking so long to respond. Here's the patch, attached.
It's been tested against the Postfix 2.3/2.4 series, but not the 2.5.x
non-production/development series. People have reported success
on Postfix 2.4.6+. I'm not sure that it'll get accepted for the
stable series, and I need to clean it up for 2.5 (which changed the
dovecot xsasl plugin somewhat). I'll try to work on getting it
integrated, since there seems to be some interest and no one else has
submitted a better/any_other patch.

Hi Andrew,

I used the patch on debian/etch, postfix 2.3.8, and it seems to work.

Thank you very much.

--
Marc


Re: [Dovecot] Dovecot + SASL + allow_nets

2007-12-17 Thread Andrew Garner
On Dec 13, 2007 4:36 AM, Marc Cuypers [EMAIL PROTECTED] wrote:
 Andrew Garner wrote:

  Timo Sirainen wrote:
  On Mon, 2007-12-03 at 14:36 +0100, Marc Cuypers wrote:
  When using dovecot for authentication of an SASL (postfix) request, i
  cannot use the allow_nets parameter.  The IP-address of the requester is
  not known in dovecot.
 
  I would like to allow sasl for certain users, others are not allowed to
  access via SASL.
  Some users can have access to imap and pop3 from certain IP-addresses.
 
  How could I combine this in the dovecot configuration?
  Since Postfix doesn't send the IP to Dovecot, there isn't anything on
  Dovecot's side you can do. You could try asking about this in Postfix
  list.. Someone at least had a patch which allowed sending local IP to
  Dovecot (http://marc.info/?t=119306971600010&r=1&w=2). Maybe it sends
  remote IP as well.
 
  I wrote that patch. It passes both endpoints (remote & local)
  through to dovecot. This lets you restrict smtp-auth just like
  pop3 or imap using the remote IP. In my case, I had played around
  with a quick hack for doing per-ip realming (using the local IP) w/
  dovecot-sql.
 Hi Andrew,

 Where can i find the patch?

 --
 Marc


Sorry for taking so long to respond. Here's the patch, attached.
It's been tested against the Postfix 2.3/2.4 series, but not the 2.5.x
non-production/development series. People have reported success
on Postfix 2.4.6+. I'm not sure that it'll get accepted for the
stable series, and I need to clean it up for 2.5 (which changed the
dovecot xsasl plugin somewhat). I'll try to work on getting it
integrated, since there seems to be some interest and no one else has
submitted a better/any_other patch.


postfix_dovecot_xsasl_liprip.patch
Description: Binary data


Re: [Dovecot] Dovecot + SASL + allow_nets

2007-12-13 Thread Marc Cuypers

Andrew Garner wrote:

Timo Sirainen wrote:

On Mon, 2007-12-03 at 14:36 +0100, Marc Cuypers wrote:

When using dovecot for authentication of an SASL (postfix) request, i
cannot use the allow_nets parameter.  The IP-address of the requester is
not known in dovecot.

I would like to allow sasl for certain users, others are not allowed to
access via SASL.
Some users can have access to imap and pop3 from certain IP-addresses.

How could I combine this in the dovecot configuration?

Since Postfix doesn't send the IP to Dovecot, there isn't anything on
Dovecot's side you can do. You could try asking about this in Postfix
list.. Someone at least had a patch which allowed sending local IP to
Dovecot (http://marc.info/?t=119306971600010&r=1&w=2). Maybe it sends
remote IP as well.


I wrote that patch. It passes both endpoints (remote & local)
through to dovecot. This lets you restrict smtp-auth just like
pop3 or imap using the remote IP. In my case, I had played around
with a quick hack for doing per-ip realming (using the local IP) w/
dovecot-sql.

Hi Andrew,

Where can i find the patch?

--
Marc


Re: [Dovecot] Dovecot + SASL + allow_nets

2007-12-13 Thread Charles Marcus

Marc Cuypers, on 12/13/2007 5:36 AM, said the following:

Since Postfix doesn't send the IP to Dovecot, there isn't
anything on Dovecot's side you can do. You could try asking about
this in Postfix list.. Someone at least had a patch which allowed
sending local IP to Dovecot
(http://marc.info/?t=119306971600010&r=1&w=2). Maybe it sends
remote IP as well.


I wrote that patch. It passes both endpoints (remote & local)
through to dovecot. This lets you restrict smtp-auth just like pop3
or imap using the remote IP. In my case, I had played around with
a quick hack for doing per-ip realming (using the local IP) w/
dovecot-sql.



Hi Andrew,

Where can i find the patch?


And more importantly, was it submitted to Wietse for possible 
integration with the source? I'd be interested in this functionality in 
the future, but I don't like manually applying patches (I'm not a 
programmer, yadda yadda)...


--

Best regards,

Charles


Re: [Dovecot] Dovecot + SASL + allow_nets

2007-12-05 Thread Timo Sirainen
On Wed, 2007-12-05 at 15:23 +0100, Marc Cuypers wrote:
 Timo Sirainen wrote:
  On Mon, 2007-12-03 at 16:49 +0100, Marc Cuypers wrote:
  What i meant was, is there a way to:
 IMAP/POP3: authenticate with dovecot and checking for allow_nets
 SASL (postfix): authenticate with dovecot without the checking for 
  allow_nets (just another pass_attrs)
  
  Hmm. There's no easy way with LDAP. You'd need to either run a separate
  Dovecot installation with a different config file, or alternatively have
  separate accounts in LDAP for SMTP and non-SMTP (where only non-SMTP has
  allow_nets).
  
 In the configuration file there is a section 'auth default { }'.  Is it 
 possible to have another section like 'auth smtp { }' where i declare 
 the client socket for postfix?

It's possible to create such section, but it doesn't do what you want.
I'm planning on fixing this for v2.0.





Re: [Dovecot] Dovecot + SASL + allow_nets

2007-12-04 Thread Marc Cuypers

Noel Jones wrote:

On Dec 3, 2007 7:36 AM, Marc Cuypers [EMAIL PROTECTED] wrote:

Hi,

When using dovecot for authentication of an SASL (postfix) request, i
cannot use the allow_nets parameter.  The IP-address of the requester is
not known in dovecot.

I would like to allow sasl for certain users, others are not allowed to
access via SASL.
Some users can have access to imap and pop3 from certain IP-addresses.

How could I combine this in the dovecot configuration?

--
Best regards,

Marc



You can do this in postfix main.cf using the
smtpd_sasl_exceptions_networks parameter. Normally this parameter
lists networks *not* allowed to use AUTH, but you can exempt certain
hosts by preceding them with a !.  Note that order matters, here;
exceptions must come before the static:all entry.

For example, to offer AUTH only to 192.0.2.0-192.0.2.255:
# main.cf
smtpd_sasl_exceptions_networks = !192.0.2.0/24 static:all

See also
http://www.postfix.org/postconf.5.html#smtpd_sasl_exceptions_networks
Or for an alternative method:
http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps


OK, thanks,

But it is not user related.  I want some user to be able to SASL, others 
don't.


--
Marc


Re: [Dovecot] Dovecot + SASL + allow_nets

2007-12-03 Thread Timo Sirainen
On Mon, 2007-12-03 at 14:36 +0100, Marc Cuypers wrote:
 When using dovecot for authentication of an SASL (postfix) request, i 
 cannot use the allow_nets parameter.  The IP-address of the requester is 
 not known in dovecot.
 
 I would like to allow sasl for certain users, others are not allowed to 
 access via SASL.
 Some users can have access to imap and pop3 from certain IP-addresses.
 
 How could I combine this in the dovecot configuration?

Since Postfix doesn't send the IP to Dovecot, there isn't anything on
Dovecot's side you can do. You could try asking about this in Postfix
list.. Someone at least had a patch which allowed sending local IP to
Dovecot (http://marc.info/?t=119306971600010&r=1&w=2). Maybe it sends
remote IP as well.





Re: [Dovecot] Dovecot + SASL + allow_nets

2007-12-03 Thread Timo Sirainen

On 3.12.2007, at 17.39, Marc Cuypers wrote:


Timo Sirainen wrote:

On Mon, 2007-12-03 at 14:36 +0100, Marc Cuypers wrote:
When using dovecot for authentication of an SASL (postfix)  
request, i cannot use the allow_nets parameter.  The IP-address  
of the requester is not known in dovecot.


I would like to allow sasl for certain users, others are not  
allowed to access via SASL.
Some users can have access to imap and pop3 from certain IP-addresses.


How could I combine this in the dovecot configuration?

Since Postfix doesn't send the IP to Dovecot, there isn't anything on
Dovecot's side you can do. You could try asking about this in Postfix
list.. Someone at least had a patch which allowed sending local IP to
Dovecot (http://marc.info/?t=119306971600010&r=1&w=2). Maybe it sends
remote IP as well.
Would it be possible to use a different authentication method for  
pop/imap and sasl?


What do you mean by different authentication method? Also all of POP,
IMAP and SMTP use SASL actually, so I guess by SASL you mean Postfix?
http://wiki.dovecot.org/Sasl and
http://wiki.dovecot.org/Authentication/Mechanisms might be useful to read.


In any case if you want to add some IP checks to SMTP authentication,  
there's no way to do that on Dovecot's side without changing Postfix.




Re: [Dovecot] Dovecot + SASL + allow_nets

2007-12-03 Thread Marc Cuypers

Timo Sirainen wrote:

On 3.12.2007, at 17.39, Marc Cuypers wrote:


Timo Sirainen wrote:

On Mon, 2007-12-03 at 14:36 +0100, Marc Cuypers wrote:
When using dovecot for authentication of an SASL (postfix) request, 
i cannot use the allow_nets parameter.  The IP-address of the 
requester is not known in dovecot.


I would like to allow sasl for certain users, others are not allowed 
to access via SASL.

Some users can have access to imap and pop3 from certain IP-addresses.

How could I combine this in the dovecot configuration?

Since Postfix doesn't send the IP to Dovecot, there isn't anything on
Dovecot's side you can do. You could try asking about this in Postfix
list.. Someone at least had a patch which allowed sending local IP to
Dovecot (http://marc.info/?t=119306971600010&r=1&w=2). Maybe it sends
remote IP as well.
Would it be possible to use a different authentication method for 
pop/imap and sasl?


What do you mean by different authentication method? Also all of POP, 
IMAP and SMTP use SASL actually, so I guess by SASL you mean Postfix? 
http://wiki.dovecot.org/Sasl and 
http://wiki.dovecot.org/Authentication/Mechanisms might be useful to read.


In any case if you want to add some IP checks to SMTP authentication, 
there's no way to do that on Dovecot's side without changing Postfix.

What i meant was, is there a way to:
IMAP/POP3: authenticate with dovecot and checking for allow_nets
	SASL (postfix): authenticate with dovecot without the checking for 
allow_nets (just another pass_attrs)


--
Marc


Re: [Dovecot] Dovecot + SASL + allow_nets

2007-12-03 Thread Marc Cuypers


Timo Sirainen wrote:

On Mon, 2007-12-03 at 14:36 +0100, Marc Cuypers wrote:
When using dovecot for authentication of an SASL (postfix) request, i 
cannot use the allow_nets parameter.  The IP-address of the requester is 
not known in dovecot.


I would like to allow sasl for certain users, others are not allowed to 
access via SASL.

Some users can have access to imap and pop3 from certain IP-addresses.

How could I combine this in the dovecot configuration?


Since Postfix doesn't send the IP to Dovecot, there isn't anything on
Dovecot's side you can do. You could try asking about this in Postfix
list.. Someone at least had a patch which allowed sending local IP to
Dovecot (http://marc.info/?t=119306971600010&r=1&w=2). Maybe it sends
remote IP as well.

Would it be possible to use a different authentication method for 
pop/imap and sasl?


--
Marc


Re: [Dovecot] Dovecot + SASL + allow_nets

2007-12-03 Thread Timo Sirainen
On Mon, 2007-12-03 at 16:49 +0100, Marc Cuypers wrote:
 What i meant was, is there a way to:
   IMAP/POP3: authenticate with dovecot and checking for allow_nets
   SASL (postfix): authenticate with dovecot without the checking for 
 allow_nets (just another pass_attrs)

Hmm. There's no easy way with LDAP. You'd need to either run a separate
Dovecot installation with a different config file, or alternatively have
separate accounts in LDAP for SMTP and non-SMTP (where only non-SMTP has
allow_nets).





Re: [Dovecot] Dovecot + SASL + allow_nets

2007-12-03 Thread Andrew Garner
 Timo Sirainen wrote:
  On Mon, 2007-12-03 at 14:36 +0100, Marc Cuypers wrote:
  When using dovecot for authentication of an SASL (postfix) request, i
  cannot use the allow_nets parameter.  The IP-address of the requester is
  not known in dovecot.
 
  I would like to allow sasl for certain users, others are not allowed to
  access via SASL.
  Some users can have access to imap and pop3 from certain IP-addresses.
 
  How could I combine this in the dovecot configuration?
 
  Since Postfix doesn't send the IP to Dovecot, there isn't anything on
  Dovecot's side you can do. You could try asking about this in Postfix
  list.. Someone at least had a patch which allowed sending local IP to
  Dovecot (http://marc.info/?t=119306971600010&r=1&w=2). Maybe it sends
  remote IP as well.

I wrote that patch. It passes both endpoints (remote & local)
through to dovecot. This lets you restrict smtp-auth just like
pop3 or imap using the remote IP. In my case, I had played around
with a quick hack for doing per-ip realming (using the local IP) w/
dovecot-sql.
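
Added example, not code from this thread, Dovecot or Postfix: a Python model of why allow_nets cannot be evaluated for Postfix logins unless the auth request carries the remote IP, and what changes once both endpoints are passed through. The rip=/lip= parameter names follow Dovecot's auth client protocol; the request lines, the users and the fail-closed handling of a missing IP are assumptions made for the illustration.

```python
import ipaddress

# Constructed passdb data: per-user allow_nets values (None = unrestricted).
USERS = {"alice": "192.0.2.0/24,198.51.100.7", "bob": None}

# Constructed AUTH request lines, tab-separated key=value parameters.
IMAP_LOGIN = "AUTH\t1\tPLAIN\tservice=imap\tlip=192.0.2.25\trip=192.0.2.44"
SMTP_UNPATCHED = "AUTH\t2\tPLAIN\tservice=smtp"
SMTP_PATCHED = "AUTH\t3\tPLAIN\tservice=smtp\tlip=192.0.2.25\trip=203.0.113.9"


def parse_auth_request(line):
    """Split an AUTH line into id, mechanism and a dict of parameters."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 3 or fields[0] != "AUTH":
        raise ValueError("not an AUTH request")
    params = dict(f.partition("=")[::2] for f in fields[3:])
    return {"id": fields[1], "mech": fields[2], "params": params}


def allow_nets_permits(allow_nets, rip):
    """Return (allowed, reason) for one user's allow_nets and a remote IP."""
    if not allow_nets:
        return True, "no allow_nets restriction"
    if rip is None:
        # Assumption: fail closed when a restriction exists but no IP was sent.
        return False, "remote IP not known"
    addr = ipaddress.ip_address(rip)
    for net in (n.strip() for n in allow_nets.split(",")):
        if addr in ipaddress.ip_network(net, strict=False):
            return True, "matched " + net
    return False, "remote IP outside allow_nets"


def check(line, user):
    """Apply the user's allow_nets to the remote IP carried by the request."""
    request = parse_auth_request(line)
    return allow_nets_permits(USERS[user], request["params"].get("rip"))


if __name__ == "__main__":
    for name, line in [("imap", IMAP_LOGIN), ("smtp unpatched", SMTP_UNPATCHED),
                       ("smtp patched", SMTP_PATCHED)]:
        for user in USERS:
            print(name, user, check(line, user))
```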


Re: [Dovecot] Dovecot + SASL + allow_nets

2007-12-03 Thread Noel Jones
On Dec 3, 2007 7:36 AM, Marc Cuypers [EMAIL PROTECTED] wrote:
 Hi,

 When using dovecot for authentication of an SASL (postfix) request, i
 cannot use the allow_nets parameter.  The IP-address of the requester is
 not known in dovecot.

 I would like to allow sasl for certain users, others are not allowed to
 access via SASL.
 Some users can have access to imap and pop3 from certain IP-addresses.

 How could I combine this in the dovecot configuration?

 --
 Best regards,

 Marc


You can do this in postfix main.cf using the
smtpd_sasl_exceptions_networks parameter. Normally this parameter
lists networks *not* allowed to use AUTH, but you can exempt certain
hosts by preceding them with a !.  Note that order matters, here;
exceptions must come before the static:all entry.

For example, to offer AUTH only to 192.0.2.0-192.0.2.255:
# main.cf
smtpd_sasl_exceptions_networks = !192.0.2.0/24 static:all

See also
http://www.postfix.org/postconf.5.html#smtpd_sasl_exceptions_networks
Or for an alternative method:
http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps

-- 
Noel Jones
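
Added example, not part of Noel Jones's message or of Postfix: a Python model of the left-to-right, first-match evaluation that makes the order of the entries in smtpd_sasl_exceptions_networks matter. Only CIDR patterns and static:all are modelled, and the function names are made up for the illustration.

```python
import ipaddress
import re


def on_exceptions_list(client_ip, setting):
    """Return True if client_ip is on the list, i.e. AUTH is NOT offered.

    Patterns are tried left to right and the first match decides; a
    leading "!" turns that match into an exclusion from the list.
    """
    addr = ipaddress.ip_address(client_ip)
    for pattern in re.split(r"[,\s]+", setting.strip()):
        if not pattern:
            continue  # empty setting: nothing to match
        negated = pattern.startswith("!")
        body = pattern[1:] if negated else pattern
        if body == "static:all":
            matched = True  # this table returns a result for every key
        else:
            matched = addr in ipaddress.ip_network(body, strict=False)
        if matched:
            return not negated
    return False  # no pattern matched: client is not on the list


def auth_offered(client_ip, setting):
    """AUTH is announced only to clients that are not on the exceptions list."""
    return not on_exceptions_list(client_ip, setting)


# The setting from the message, and the same entries in the wrong order.
CORRECT = "!192.0.2.0/24 static:all"
REVERSED = "static:all !192.0.2.0/24"

if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.5"):
        print(ip, auth_offered(ip, CORRECT), auth_offered(ip, REVERSED))
```

With the entries reversed, static:all matches first for every client, so the exemption is never reached and no one is offered AUTH.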