1

It's easy to set up a special passdb query in dovecot to restrict IMAP access to certain users, e.g. see this documentation on the dovecot wiki.

But when I use a webmailer like Roundcube and want to allow every other user to use it (and not just the users I allowed to use IMAP per method above) this approach fails.

What would be a working configuration idea?

The webmailer is on the same server as dovecot. Maybe a specially crafted SQL-passdb-statement along with an allow_nets extra field to the local address for all webmailer-only users? Or a special option in Roundcube itself?

initall

2 Answers

1

You could do some sort of CASE statement in your MySQL query, based on the allow_nets field, something like SELECT password CASE WHEN allow_nets = '127.0.0.1' OR <whatever you're using> THEN allow_imap = 'true' ELSE allow_imap = 'false' END FROM users WHERE userid = '%u' and active='1'

Look into the CASE statement, I'm pretty sure mine won't actually work, but the idea should be solid.

NickW
  • Thanks for the CASE statement suggestion. While you answered I tested a CLAUSE with the %r variable (I'll answer below). Let me (maybe superfluously) add that 'allow_imap' or imap_allowed have no special meaning for dovecot. In the wiki example they are used within the SQL condition itself (as a value of a column). – initall Apr 01 '14 at 09:21
  • Yeah, like I said, it wasn't functional, and I haven't looked at the DB structure in a while.. – NickW Apr 01 '14 at 09:27
  • No problem, it's a good suggestion. But it's good to not have to add complexity by extra fields and values for my many mailboxes. My SQL statement (the part you don't see in my answer) is right now too long anyway :) – initall Apr 01 '14 at 09:34
1

I found a way to not go into an extra_fields overhead and use a simple variable, '%r', instead. It resolves to the remote ip, so I can use something like

WHERE active = '1'\
   AND ('%s' = 'pop3' OR (imap_allowed = true OR '%r' = '1.2.3.4'))

The default case pop3 is tested first (via '%s') then

  1. who is always allowed to IMAP? (imap_allowed column in the table)
  2. or who uses the webmailer (remote ip == webmailer ip)
initall
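
The WHERE clause from the answer above, exercised against an in-memory SQLite table to show which logins it lets through. This is an added example, not part of the original answers: the `users` table, its `userid`/`password` columns and the sample rows are constructed, and bound parameters stand in for Dovecot's `%u`, `%s` and `%r`.

```python
import sqlite3

WEBMAIL_IP = "1.2.3.4"  # placeholder webmailer address used in the answer

# The answer's condition. Dovecot expands and escapes '%u', '%s' and '%r'
# itself; here they are bound parameters (:user, :service, :rip).
QUERY = """
SELECT password FROM users
WHERE userid = :user AND active = '1'
  AND (:service = 'pop3' OR (imap_allowed = true OR :rip = :webmail_ip))
"""

def make_db():
    """Build a constructed users table (assumed schema, not from the page)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userid TEXT, password TEXT, "
               "active TEXT, imap_allowed BOOLEAN)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        ("alice", "{PLAIN}a", "1", True),   # IMAP allowed from anywhere
        ("bob",   "{PLAIN}b", "1", False),  # POP3 and webmail only
        ("carol", "{PLAIN}c", "0", True),   # inactive account
    ])
    return db

def lookup_succeeds(db, user, service, rip):
    """True if the passdb query returns a row, i.e. auth may proceed."""
    params = {"user": user, "service": service, "rip": rip,
              "webmail_ip": WEBMAIL_IP}
    return db.execute(QUERY, params).fetchone() is not None

def decision_table(db):
    """Evaluate every constructed user/service/source combination."""
    sources = [WEBMAIL_IP, "203.0.113.7"]  # webmailer vs. outside client
    return {(u, s, r): lookup_succeeds(db, u, s, r)
            for u in ("alice", "bob", "carol")
            for s in ("pop3", "imap", "smtp")
            for r in sources}

if __name__ == "__main__":
    for key, allowed in decision_table(make_db()).items():
        print(key, "ALLOW" if allowed else "DENY")
```

Because only `'pop3'` is exempted, every other service name passed in `%s` goes through the same imap_allowed-or-webmailer-IP test, which is worth checking if other services authenticate against the same passdb.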