This documentation is for Dovecot v2.x, see wiki1 for v1.x documentation.
Differences between revisions 2 and 3
Revision 2 as of 2006-10-15 19:52:42
Size: 1721
Editor: TimoSirainen
Comment:
Revision 3 as of 2006-11-05 15:36:55
Size: 1765
Editor: TimoSirainen
Comment:
Line 54: Line 54:
It's possible to allow user to authenticate only from a specific IP or network. This is especially useful for master users. This can be done by returning `allow_nets` extra field in passdb. It's possible to allow user to authenticate only from a specific IP or network. This is especially useful for master users. This can be done by returning [wiki:PasswordDatabase/ExtraFields/AllowNets allow_nets] extra field in passdb.

Restricting Access

Restricting IMAP access

If you want to give POP3 access to everyone, but IMAP access only to some people, you have to use a passdb that allows selecting by service.

PAM

Set the PAM service name to *, i.e.:

passdb pam {
  args = *
} 

That way PAM uses /etc/pam.d/imap for IMAP, and /etc/pam.d/pop3 for POP3.

In /etc/pam.d/imap you could then use e.g. the pam_listfile.so module:

# allow IMAP access only if the user is listed in the /etc/imapusers file
auth    required        pam_listfile.so item=user sense=allow file=/etc/imapusers onerr=fail 

SQL

You can use the %s variable, which expands to imap or pop3, in password_query, e.g.:

password_query = SELECT password FROM users WHERE userid = '%u' and (imap_allowed = true or '%s' = 'pop3') 

LDAP

Just like with SQL, you can use %s in pass_filter, e.g.:

pass_filter = (&(objectClass=posixAccount)(uid=%u)(service=%s)) 

That would require having both service=pop3 and service=imap objects though. Maybe there are other ways, I'm not very good at LDAP.

passwd-file

You can create a deny passwd-file based on the service:

  passdb passwd-file {
    args = /etc/dovecot/deny.%Ls   
    deny = yes 
  } 

This makes Dovecot look for the /etc/dovecot/deny.imap and /etc/dovecot/deny.pop3 files. If the user is listed in the file for the service being used, access is denied. The files don't need to contain anything other than one username per line.

Restricting IP Access

It's possible to allow a user to authenticate only from a specific IP or network. This is especially useful for master users. This can be done by returning the allow_nets extra field (see PasswordDatabase/ExtraFields/AllowNets) in the passdb.
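
The following is an added example, not part of the original page or of Dovecot itself: a small audit script that models the allow_nets restriction described above, so that entries can be checked before they are deployed. It assumes a passwd-file passdb with allow_nets in the extra fields column and a comma-separated list of IPs or CIDR networks; the sample lines and function names are constructed for illustration, and treating a malformed entry as never matching is this model's choice.

```python
import ipaddress

# Constructed sample lines: user:password:uid:gid:gecos:home:shell:extra_fields
SAMPLE_PASSWD_FILE = """\
admin:{PLAIN}example::::::allow_nets=192.0.2.0/24,2001:db8::/32
backup:{PLAIN}example::::::allow_nets=198.51.100.7
typo:{PLAIN}example::::::allow_nets=10.0.0.0/33
alice:{PLAIN}example::::::
"""

def parse_allow_nets(line):
    """Return (user, allow_nets value or None) for one passwd-file line."""
    # maxsplit=7 keeps IPv6 colons inside the extra fields column intact
    fields = line.split(":", 7)
    extra = fields[7] if len(fields) > 7 else ""
    for item in extra.split():
        key, _, value = item.partition("=")
        if key == "allow_nets":
            return fields[0], value
    return fields[0], None

def ip_allowed(allow_nets, remote_ip):
    """Model of the check: (allowed, malformed_entries) for one remote IP.
    No allow_nets field means no IP restriction for that user."""
    if allow_nets is None:
        return True, []
    ip = ipaddress.ip_address(remote_ip)
    allowed, malformed = False, []
    for entry in allow_nets.split(","):
        try:
            net = ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            malformed.append(entry)  # reported, and never matches
            continue
        if ip.version == net.version and ip in net:
            allowed = True
    return allowed, malformed

def audit(passwd_text, remote_ip):
    """Map each user to (allowed, malformed_entries) for remote_ip."""
    result = {}
    for line in passwd_text.splitlines():
        if line and not line.startswith("#"):
            user, nets = parse_allow_nets(line)
            result[user] = ip_allowed(nets, remote_ip)
    return result

if __name__ == "__main__":
    for user, (ok, bad) in audit(SAMPLE_PASSWD_FILE, "192.0.2.15").items():
        print(user, "allowed" if ok else "refused", "malformed:", bad)
```

Users without an allow_nets field, such as alice in the sample, show up as allowed from any address, which is the thing to look for when auditing master users.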

None: Authentication/RestrictAccess (last edited 2015-06-30 10:12:47 by d51525666)