Re: Feature request: exclude IP/network in allow_nets extra field
On 30.04.19 at 03:56, Zhang Huangbin via dovecot wrote:
> Dear all,
>
> We use `allow_nets`[1] to restrict login clients, it works fine.
> Recently we need to allow some users to login from everywhere except some
> IP/networks, how can we accomplish this with "allow_nets"?
>
> Tried allow_nets="!a.b.c.d", but Dovecot reports error "allow_nets: Invalid
> network '!a.b.c.d'".
>
> Can we have this feature?
>
> i guess it should be done in function "auth_request_validate_networks"[2] in
> file src/auth/auth-request.c.

I had a similar problem years ago. Usually one sets defaults in a configuration and overwrites them per userdb entry. In my case the userdb was an LDAP backend. I wanted to limit specific users via allow_nets and deny all others. So I wrote a simple patch for src/auth/auth-request.c to set defaults in case my LDAP userdb does not return any override.

Patch attached...

Andreas

Description: additional defaults for allow_nets
Author: A. Schulze
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
Index: dovecot-2.3.6/src/auth/auth-request.c
===
--- dovecot-2.3.6.orig/src/auth/auth-request.c
+++ dovecot-2.3.6/src/auth/auth-request.c
@@ -1775,6 +1775,16 @@ auth_request_validate_networks(struct au unsigned int bits; bool found = FALSE; + if (strcmp(networks, "ALL") == 0) { + auth_request_log_debug(request, "auth", "allow_nets: found 'ALL'"); + request->failed = FALSE; + return; + } + if (strcmp(networks, "NONE") == 0) { + auth_request_log_debug(request, "auth", "allow_nets: found 'NONE'"); + request->failed = TRUE; + return; + } for (net = t_strsplit_spaces(networks, ", "); *net != NULL; net++) { auth_request_log_debug(request, AUTH_SUBSYS_DB, "%s: Matching for network %s", name, *net);
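Review bot: the "ALL" branch assigns request->failed = FALSE before returning, which can clear a failure that an earlier check on the same request has already recorded, so a userdb returning "ALL" could silently re-allow a login that was just rejected; returning early without touching request->failed is the safer form, since the rest of the function (the "found" flag set up just above) only ever needs to mark the request failed when no network matches. Two smaller points: the function is shared, as the context line "%s: Matching for network %s", name, *net shows, so the new debug messages should use the name argument rather than the literal "allow_nets:", and they should pass AUTH_SUBSYS_DB as the subsystem like the surrounding call instead of the bare string "auth". Finally the match is an exact, case-sensitive strcmp() on the whole string, so "all" or "ALL, 10.0.0.0/8" fall through to the loop and are reported as invalid networks; either document that or normalize the value before comparing.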
Re: Feature request: exclude IP/network in allow_nets extra field
> On Apr 30, 2019, at 10:37 PM, andre via dovecot wrote:
>
> You can easily do this without a new feature in Dovecot.
>
> - Create a post login script, for instance, in bash.
> - install grepcidr on your server.
>
> Your post login script can use grepcidr to check for white or black list.
>
> https://wiki.dovecot.org/PostLoginScripting

Dear Andre,

Thank you very much for the input. A post-login script should work as you suggested, but considering that Dovecot already supports "allow_nets=a.b.c.d", we just need a mark like "!" to exclude some IP/networks. This might be the best and most elegant solution (if it can be implemented, of course), because we need only one userdb/passdb for all users, just a different "allow_nets" for access control, not one userdb/passdb for each access policy.
Re: Feature request: exclude IP/network in allow_nets extra field
> On Apr 30, 2019, at 2:35 PM, Sami Ketola via dovecot wrote:
>
> Just create another passdb for these premium users before the actual passdb
> and add skip = authenticated to the actual passdb.

Dear Sami,

Thank you for the suggestion. Adding more passdbs is not ideal at all; if we have more access policies, we don't want to add more and more userdb/passdb entries. Dovecot already supports the syntax "allow_nets=a.b.c.d", we just need something like a "!" mark to exclude some IP/networks.
Re: Feature request: exclude IP/network in allow_nets extra field
> On Apr 30, 2019, at 2:32 PM, Malcolm via dovecot wrote:
>
> On 4/29/2019 11:20 PM, Zhang Huangbin via dovecot wrote:
>> I understand what "allow" means. But it will be very handy to support
>> something like "!a.b.c.d" to allow all but just exclude few
>> IPs/networks. Isn't it? :)
> I'm not sure why:
>
> iptables -A INPUT -p tcp --match multiport --syn ! -s a.b.c.d/netmask \
> --dports 110,143,993,995 -j REJECT

Dear Malcolm,

Thanks for your reply. As mentioned earlier, this is per-user access control, not for all users. This firewall rule blocks all users, not just a few users.
Re: Re: Feature request: exclude IP/network in allow_nets extra field
Sorry for the top posting, I have not set up my new phone yet.

Here is the script sample:
https://github.com/progmaticltd/homebox/blob/dev/install/playbooks/roles/dovecot/files/access-check-whitelist.sh

André.

Tue Apr 30 15:33:51 GMT+01:00 2019 andre :
>
> Hello, Zhang.
>
> You can easily do this without a new feature in Dovecot.
>
> - Create a post login script, for instance, in bash.
> - install grepcidr on your server.
>
> Your post login script can use grepcidr to check for white or black list.
>
> https://wiki.dovecot.org/PostLoginScripting
>
> I have implemented this myself on a small open source project, I can send you
> the links if you want.
>
> André.
>
> Tue Apr 30 02:57:18 GMT+01:00 2019 Zhang Huangbin via dovecot :
>
>> Dear all,
>>
>> We use `allow_nets`[1] to restrict login clients, it works fine.
>> Recently we need to allow some users to login from everywhere except some
>> IP/networks, how can we accomplish this with "allow_nets"?
>>
>> Tried allow_nets="!a.b.c.d", but Dovecot reports error "allow_nets: Invalid
>> network '!a.b.c.d'".
>>
>> Can we have this feature?
>>
>> i guess it should be done in function "auth_request_validate_networks"[2] in
>> file src/auth/auth-request.c.
>>
>> [1] allow_nets:
>> https://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets
>> [2]
>> https://github.com/dovecot/core/blob/fbc3ccc4a9a02b82073585a33254eacedc6a9950/src/auth/auth-request.c#L1990
>
Re: Feature request: exclude IP/network in allow_nets extra field
Hello, Zhang.

You can easily do this without a new feature in Dovecot.

- Create a post login script, for instance, in bash.
- install grepcidr on your server.

Your post login script can use grepcidr to check for white or black list.

https://wiki.dovecot.org/PostLoginScripting

I have implemented this myself on a small open source project, I can send you the links if you want.

André.

Tue Apr 30 02:57:18 GMT+01:00 2019 Zhang Huangbin via dovecot :
> Dear all,
>
> We use `allow_nets`[1] to restrict login clients, it works fine.
> Recently we need to allow some users to login from everywhere except some
> IP/networks, how can we accomplish this with "allow_nets"?
>
> Tried allow_nets="!a.b.c.d", but Dovecot reports error "allow_nets: Invalid
> network '!a.b.c.d'".
>
> Can we have this feature?
>
> i guess it should be done in function "auth_request_validate_networks"[2] in
> file src/auth/auth-request.c.
>
> [1] allow_nets:
> https://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets
> [2]
> https://github.com/dovecot/core/blob/fbc3ccc4a9a02b82073585a33254eacedc6a9950/src/auth/auth-request.c#L1990
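The post-login-script approach André describes above, combined with the "!" exclusion semantics Zhang asks for earlier in the thread, as an added example that is not part of this thread, of Dovecot, or of André's homebox script. It assumes: a per-user policy file under /etc/dovecot/allow_nets.d/<user> (hypothetical path), the USER and IP variables Dovecot exports to post-login scripts, and an assumed rule for mixing entries (an entry starting with "!" always denies a matching client; if any positive entry is listed the client must match one of them; an empty policy allows everyone). The CIDR test is done in plain sh arithmetic instead of grepcidr so the script has no dependency; it handles IPv4 only and fails closed for any other client address whenever a policy is present.

```shell
#!/bin/sh
# Added example (not Dovecot's code): a post-login script that enforces an
# allow_nets-style list which may contain "!" exclusions.
# Policy format (assumed): "10.0.0.0/8, 192.0.2.10, !10.1.0.0/16"
set -u

# ip4_to_int 192.168.1.10 -> 3232235786 (IPv4 dotted quad only)
ip4_to_int() {
    local ip a b c d
    ip=$1
    a=${ip%%.*}; ip=${ip#*.}
    b=${ip%%.*}; ip=${ip#*.}
    c=${ip%%.*}; d=${ip#*.}
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_net IP NET -> 0 if IP lies inside NET; NET is "a.b.c.d/n" or a bare host
in_net() {
    local ip net bits mask
    ip=$1; net=${2%/*}; bits=${2#*/}
    [ "$net" = "$2" ] && bits=32        # no "/n" given: treat as /32
    if [ "$bits" -eq 0 ]; then mask=0
    else mask=$(( (4294967295 << (32 - bits)) & 4294967295 )); fi
    [ $(( $(ip4_to_int "$ip") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# client_allowed IP "POLICY" -> 0 allowed, 1 denied
client_allowed() {
    local ip list entry positives matched
    ip=${1#::ffff:}                      # accept the IPv4-mapped IPv6 spelling too
    positives=0; matched=0
    list=$(printf '%s' "$2" | tr ',' ' ')
    for entry in $list; do
        case $ip in
            *.*.*.*) ;;
            *) return 1 ;;               # non-IPv4 client with a policy: fail closed
        esac
        case $entry in
            "!"*) in_net "$ip" "${entry#"!"}" && return 1 ;;   # exclusion wins
            *)    positives=1
                  in_net "$ip" "$entry" && matched=1 ;;
        esac
    done
    [ "$positives" -eq 0 ] || [ "$matched" -eq 1 ]
}

# Dovecot runs the script with USER and IP in the environment and the real
# imap/pop3 process as the arguments; it must exec "$@" to let the login proceed.
main() {
    local policy_file list
    policy_file="/etc/dovecot/allow_nets.d/$USER"     # hypothetical path
    list=""
    [ -r "$policy_file" ] && list=$(cat "$policy_file")
    if client_allowed "$IP" "$list"; then
        exec "$@"
    fi
    printf 'allow_nets: user %s denied from %s\n' "$USER" "$IP" >&2
    exit 1
}

# Only act when invoked by Dovecot (IP set and a program to exec given), so the
# functions above can also be sourced and checked on their own.
if [ -n "${IP:-}" ] && [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Hook it in through the script-login mechanism the PostLoginScripting page linked above describes (the imap service's executable becomes "imap postlogin" and a postlogin service runs script-login with this script's path); a missing policy file means no restriction, so only users who need the exception get a file.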
Re: Feature request: exclude IP/network in allow_nets extra field
On 30 Apr 2019, at 00:20, Zhang Huangbin via dovecot wrote:
> On Apr 30, 2019, at 11:21 AM, @lbutlr via dovecot wrote:
>>
>> On 29 Apr 2019, at 19:56, Zhang Huangbin via dovecot wrote:
>>> Recently we need to allow some users to login from everywhere except some
>>> IP/networks,
>>
>> Can you use firewall rules for this?
>
> I suppose not. We don't restrict ALL users this way, just few of them.

This is sounding odder and odder.

> And the client IP addresses may change frequently, not static IPs.

And? How is that an issue? Either way you are going to have to change a configuration. At least with a firewall, you don't have to reload dovecot each time.

>>> how can we accomplish this with "allow_nets"?
>>
>> Allow_nets specifies allowed networks. Doesn't say anything else about any
>> other use.
>>
>> "The allow_nets field is a comma separated list of IP addresses and/or
>> networks where the user is allowed to log in from."
>
> I understand what "allow" means. But it will be very handy to support
> something like "!a.b.c.d" to allow all but just exclude few IPs/networks.
> Isn't it? :)

I cannot imagine a case where I would find this useful, no.

-- 
"You never really understand a person until you see things from his point of view, until you climb inside of his skin and walk around in it."
Re: Feature request: exclude IP/network in allow_nets extra field
> On 30 Apr 2019, at 4.56, Zhang Huangbin via dovecot wrote:
>
> Dear all,
>
> We use `allow_nets`[1] to restrict login clients, it works fine.
> Recently we need to allow some users to login from everywhere except some
> IP/networks, how can we accomplish this with "allow_nets"?
>
> Tried allow_nets="!a.b.c.d", but Dovecot reports error "allow_nets: Invalid
> network '!a.b.c.d'".
>
> Can we have this feature?

Just create another passdb for these premium users before the actual passdb and add skip = authenticated to the actual passdb.

Sami
Re: Feature request: exclude IP/network in allow_nets extra field
On 4/29/2019 11:20 PM, Zhang Huangbin via dovecot wrote:
> I understand what "allow" means. But it will be very handy to support
> something like "!a.b.c.d" to allow all but just exclude few IPs/networks.
> Isn't it? :)

I'm not sure why:

iptables -A INPUT -p tcp --match multiport --syn ! -s a.b.c.d/netmask \
  --dports 110,143,993,995 -j REJECT

doesn't do what you want. Or do you want some kind of "friendlier" message to be provided once the user(s) login from the blocked IP#s to tell them why they can't login?

=M=
Re: Feature request: exclude IP/network in allow_nets extra field
> On Apr 30, 2019, at 11:21 AM, @lbutlr via dovecot wrote:
>
> On 29 Apr 2019, at 19:56, Zhang Huangbin via dovecot wrote:
>> Recently we need to allow some users to login from everywhere except some
>> IP/networks,
>
> Can you use firewall rules for this?

I suppose not. We don't restrict ALL users this way, just a few of them. And the client IP addresses may change frequently, not static IPs.

>> how can we accomplish this with "allow_nets"?
>
> Allow_nets specifies allowed networks. Doesn't say anything else about any
> other use.
>
> "The allow_nets field is a comma separated list of IP addresses and/or
> networks where the user is allowed to log in from."

I understand what "allow" means. But it will be very handy to support something like "!a.b.c.d" to allow all but just exclude a few IPs/networks. Isn't it? :)
Re: Feature request: exclude IP/network in allow_nets extra field
On 29 Apr 2019, at 19:56, Zhang Huangbin via dovecot wrote:
> Recently we need to allow some users to login from everywhere except some
> IP/networks,

Can you use firewall rules for this?

> how can we accomplish this with "allow_nets"?

Allow_nets specifies allowed networks. Doesn't say anything else about any other use.

"The allow_nets field is a comma separated list of IP addresses and/or networks where the user is allowed to log in from."