0

I installed the dovecot-imapd package in Ubuntu, and my setup is as follows:

$ sudo dovecot -n
# 1.2.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-27-generic-pae i686 Ubuntu 10.04.1 LTS 
log_timestamp: %Y-%m-%d %H:%M:%S 
protocols: imaps
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/imap-login
mail_privileged_group: mail
mail_location: maildir:~/Maildir
mbox_write_locks: fcntl dotlock
auth default:
  passdb:
    driver: pam
  userdb:
    driver: passwd

For security reasons I would like to deny all users that are in the admin group the ability to do IMAP login via Dovecot. This is done in order to prevent a brute force attacker from discovering the admin passwords, and obtaining administrator privileges on the system.

How can this be achieved? Presumably, I will have to modify some settings in /etc/dovecot/dovecot.conf, but I am hesitant to change the default settings lest I create other security vulnerabilities.

EEAA
D R

1 Answer

1

It looks like you've got Dovecot configured to use PAM. This suggests that in /etc/pam.d you will probably find a file called dovecot that contains Dovecot's authentication configuration. You can put any PAM modules here, including pam_listfile, which would let you deny services if a user is a member of a specific group. The pam_listfile man page has some examples that might help out.

larsks
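
The pam_listfile approach described in the answer, as an added example that is not part of the original answer. The deny-list path /etc/dovecot/imap-denied-groups and the @include lines are assumptions; keep whatever lines your existing /etc/pam.d/dovecot already contains and add only the pam_listfile line above them.

```conf
# /etc/pam.d/dovecot  (assumed layout)
#
# Deny-list file (assumed path): /etc/dovecot/imap-denied-groups
# One group name per line, for this question just:
#     admin
# pam_listfile returns an error if the list is world-writable or not a
# regular file, so keep it root-owned with mode 0644.

# item=group   match against the groups the authenticating user belongs to
# sense=deny   a match is a failure
# onerr=fail   a missing or unreadable list denies the login instead of allowing it
# "required"   the rest of the auth stack still runs, so a listed user gets
#              the same failure whether or not the password was correct
auth    required    pam_listfile.so onerr=fail item=group sense=deny file=/etc/dovecot/imap-denied-groups

@include common-auth
@include common-account
@include common-session
```

Because the module is `required` rather than `requisite`, a denied login looks the same as a wrong password, so repeated guesses against an admin account never confirm a correct password over IMAP.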