IMAPS only for some users.
Dan White
dwhite at olp.net
Tue Oct 5 09:45:22 EDT 2010
On 05/10/10 12:50 +0200, Josef Karliak wrote:
> Hi there,
> is it possible to allow imaps only for some users (accounts are in
>the passwd) ?
> I want to accept imaps from net for few special users. Others are
>authorized only over imap clients from local network.

You could create a unique imaps entry within your cyrus.conf config:

    imapspasswd cmd="imapd -s" listen="imaps" prefork=0

Or if you can identify which network/ip such users will be connecting from,
you could further restrict it with:

    imapspasswd cmd="imapd -s" listen="<ip-addr>:imaps" prefork=0

then within your imapd.conf, you'd configure:

    imapspasswd_sasl_pwcheck_method: saslauthd
    imapspasswd_sasl_mech_list: plain login

and then you would start, or configure, saslauthd with a '-a pam' option,
which would use pam service name 'imap' to authenticate users connecting on
that socket.

One potential problem with this approach is that some clients may attempt
to perform STARTTLS over port 143, rather than imaps over port 993. In that
case, you'd have to know that your users are connecting via unique IP
addresses, like:

    imaplocalnet cmd="imapd" listen="192.168.1.1:imap" prefork=0
    imapextip cmd="imapd" listen="1.2.3.4:imap" prefork=0

And then you'd create:

    imapextip_sasl_pwcheck_method: saslauthd
    imapextip_sasl_mech_list: plain login
    imaplocalnet_sasl_pwcheck_method: auxprop
    imaplocalnet_sasl_auxprop_plugin: sasldb

(or whatever your existing sasl_ configuration is)

--
Dan White
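
The setup in the reply above depends on each imapd.conf prefix matching its cyrus.conf service name exactly; a mistyped prefix leaves that listener on the global sasl_ settings. The following consistency check is an added example, not part of the original post or of Cyrus. The function names `services` and `audit` are hypothetical, and the sample configs are constructed from the service names in the post, with one prefix deliberately misspelled.

```python
import re

# Constructed sample: the three service entries suggested in the post.
CYRUS_CONF = """
SERVICES {
  imaplocalnet cmd="imapd" listen="192.168.1.1:imap" prefork=0
  imapextip    cmd="imapd" listen="1.2.3.4:imap" prefork=0
  imapspasswd  cmd="imapd -s" listen="imaps" prefork=0
}
"""
# Constructed sample: note the misspelled prefix "imapspaswd" on the last line.
IMAPD_CONF = """
sasl_pwcheck_method: auxprop
imapextip_sasl_pwcheck_method: saslauthd
imapextip_sasl_mech_list: plain login
imaplocalnet_sasl_pwcheck_method: auxprop
imaplocalnet_sasl_auxprop_plugin: sasldb
imapspaswd_sasl_pwcheck_method: saslauthd
"""

SERVICE_RE = re.compile(r'^\s*(\w+)\s+cmd="([^"]*)"\s+listen="([^"]*)"', re.M)
OPTION_RE = re.compile(r'^[ \t]*(\w+)[ \t]*:[ \t]*(.*?)[ \t]*$', re.M)

def services(cyrus_conf):
    """Map service name -> listen spec for every entry that runs imapd."""
    return {name: listen for name, cmd, listen in SERVICE_RE.findall(cyrus_conf)
            if cmd.split()[:1] == ["imapd"]}

def audit(cyrus_conf, imapd_conf, required=("sasl_pwcheck_method",)):
    """Return (missing, orphaned).
    missing:  {service: [options]} with no service-prefixed override, so the
              listener would use the global value instead.
    orphaned: prefixed sasl options whose prefix names no imapd service."""
    svc = services(cyrus_conf)
    opts = dict(OPTION_RE.findall(imapd_conf))
    missing = {}
    for name in svc:
        lacking = [o for o in required if f"{name}_{o}" not in opts]
        if lacking:
            missing[name] = lacking
    orphaned = sorted(k for k in opts
                      if "_sasl_" in k and k.split("_sasl_")[0] not in svc)
    return missing, orphaned

if __name__ == "__main__":
    print(audit(CYRUS_CONF, IMAPD_CONF))
```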