IMAPS only for some users.

Dan White dwhite at
Tue Oct 5 09:45:22 EDT 2010

On 05/10/10 12:50 +0200, Josef Karliak wrote:
>  Hi there,
>  is it possible to allow imaps only for some users (accounts are in 
>the passwd) ?
>  I want to accept imaps from net for few special users. Others are 
>authorized only over imap clients from local network.

You could create a unique imaps entry within your cyrus.conf config:

imapspasswd       cmd="imapd -s" listen="imaps" prefork=0

Or if you can identify which network/ip such users will be connecting from,
you could further restrict it with:

imapspasswd       cmd="imapd -s" listen="<ip-addr>:imaps" prefork=0

then within your imapd.conf, you'd configure:

imapspasswd_sasl_pwcheck_method: saslauthd
imapspasswd_sasl_mech_list: plain login

and then you would start, or configure, saslauthd with a '-a pam' option,
which would use pam service name 'imap' to authenticate users connecting on
that socket.

One potential problem with this approach is that some clients may attempt
to perform STARTTLS over port 143, rather than imaps over port 993. In that
case, you'd have to know that your users are connecting via a unique IP
addresses, like:

imaplocalnet    cmd="imapd" listen="" prefork=0
imapextip       cmd="imapd" listen="" prefork=0

And then you'd create:

imapextip_sasl_pwcheck_method: saslauthd
imapextip_sasl_mech_list: plain login

imaplocalnet_sasl_pwcheck_method: auxprop
imaplocalnet_sasl_auxprop_plugin: sasldb
(or whatever your existing sasl_ configuration is)

Dan White

More information about the Info-cyrus mailing list