Hi,

Let me ask a more specific question.

What I would like to configure, is:

• for our internal users to use their regular AD usernam/passwords, just as everybody can currently do.

but, new:

• for external users, to ONLY be allowed to use an application specific password. (or username and password, fine as well)

Step one: making ldap password authentication valid only from our internal network. I though: using allow_nets=192.168.1.0/24 for that passdb

But I can't get that to work. :-( Unsure where exactly to define the allow_nets, tried many variations on the theme already.

Perhaps someone can help with the step one, and also tell me if the approach outlined above is smart, valid and do-able in dovecot.

Here are our sanitised configs:

root@mails:/etc/dovecot# doveconf -n

2.2.26.0 (23d1de6): /etc/dovecot/dovecot.conf

Pigeonhole version 0.4.16 (fed8554)

OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.7 xfs

auth_debug = yes auth_failure_delay = 2 secs auth_master_user_separator = * auth_mechanisms = plain login auth_username_format = %Ln auth_verbose = yes auth_verbose_passwords = plain debug_log_path = /var/log/dovecot/dovecot.debug deliver_log_format = %f | %s | msgid=%m: %$ disable_plaintext_auth = no info_log_path = /var/log/dovecot/dovecot.info lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes log_path = /var/log/dovecot/dovecot.err login_greeting = Dovecot ready. mail_gid = vmail mail_location = maildir:/var/vmail/%Ln/Maildir:LAYOUT=fs:DIRNAME=mAildir mail_plugins = acl lazy_expunge zlib quota mail_log notify mail_uid = vmail managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave namespace { list = children location = maildir:/var/vmail/%%u/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%u/shared/%%u prefix = shared/%%n/ separator = / subscriptions = no type = shared } namespace inbox { inbox = yes location = mailbox "Deleted items" { special_use = \Trash } mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent items" { special_use = \Sent } mailbox Trash { special_use = \Trash } mailbox inbox { auto = subscribe } prefix = separator = / type = private } passdb { args = /etc/dovecot/master-users driver = passwd-file master = yes } passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap skip = authenticated } plugin { acl = vfile acl_shared_dict = file:/var/lib/dovecot/db/shared-mailboxes.db mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename append mail_log_fields = uid box msgid from subject quota = maildir quota_rule = ?:storage=5G quota_rule2 = Trash:storage=+100M quota_warning = storage=97%% quota-warning 97 %u quota_warning2 = storage=95%% quota-warning 95 %u quota_warning3 = storage=90%% quota-warning 90 %u quota_warning4 = storage=85%% quota-warning 85 %u quota_warning5 = storage=80%% quota-warning 80 %u quota_warning6 = -storage=100%% quota-warning below %u sieve = ~/.dovecot.sieve sieve_default = /var/lib/dovecot/default.sieve sieve_dir = ~/sieve } protocols = imap lmtp sieve service auth { unix_listener /var/spool/postfix/private/auth { mode = 0666 } unix_listener auth-userdb { group = vmail mode = 0666 user = vmail } } service imap-login { process_limit = 500 process_min_avail = 2 } service quota-warning { executable = script /usr/local/bin/quota-warning.sh unix_listener quota-warning { user = vmail } user = dovecot } ssl_ca = </etc/ssl/comodo/chain.crt ssl_cert = </etc/ssl/comodo/server.crt ssl_key = # hidden, use -P to show it ssl_protocols = !SSLv2 !SSLv3 userdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } verbose_proctitle = yes protocol lda { mail_plugins = acl lazy_expunge zlib quota mail_log notify sieve quota } protocol imap { imap_max_line_length = 2 M mail_max_userip_connections = 30 mail_plugins = acl lazy_expunge zlib quota mail_log notify imap_quota imap_acl }

and our dovecot-ldap.conf.ext:

hosts = ldap1 ldap2 ldap3 dn = cn=search,cn=.... dnpass = secretashell tls = no debug_level = 0 auth_bind = yes base = CN=Users, DC=..... scope = subtree user_attrs = =home=/var/vmail/%n/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%n/shared/%n,=mail=maildir:/var/vmail/%n/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%n/shared/%n,allow_nets=192.168.1.0/24 user_filter = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514))) pass_filter = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514))) iterate_attrs = sAMAccountName=user iterate_filter = (objectClass=person)

MJ

• mj [2017-07-20 21:46]:

Hi Kirill,

Thanks for your reply. Such a simple flat file approach would be perfect, and I don't mind at all to require app specific usernames *and* passwords.

In my case it's flat file, but this is easily doable with SQL as well, using a separate table for login/password and a key to a table with appropriate user data.

However, I am unsure how to combine your recipe below with our regular AD userdb/passdb.

Unfortunately, I'm not familiar with AD....

Perhaps someone can give me some pointers in that direction?

MJ

On 07/20/2017 06:50 PM, Kirill Miazine wrote:

...

I'm not familiar with samba AD and with it's features and limitation. For my simple system I'm using plain files for passdb and userdb (aka. passwd-file). Application (or rather device) specific passwords are implementing by using having an additional "username" with a specific password for a particular application or device. E.g. some entries for myself:

 bbmutt:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M
 kmozilla:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M
 sailpad:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M
 workphone:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M

The files are generated automatically from a Single Source of Truth.

In my case I'm selecting the username myself, but there's nothing preventing you from generating a username/password combination for your users.

Note that in my setup users will have application specific username and password, not only application specific password. It was easier to implement it quickly this way.

Greetz Kirill

-- -- Kirill Miazine <km@krot.org>