How-to: Disable imap/pop3 for a particular user

smtalk

Edit /etc/dovecot.conf, find:
Code:
mechanisms = plain
after it, add:
Code:
passdb passwd-file {
    args = /etc/dovecot-deny.%Ls
    deny = yes
  }
Now use the following script to disable IMAP (or POP3 (replace IMAP with POP3 in the script)) access (usage: ./script allow/deny username pop3/imap):
Code:
#!/bin/sh
#
# Script used to deny IMAP/POP3 access for a particular user

show_help()
{
  echo "IMAP allow/deny script."
  echo ""
  echo "Usage: $0 allow/deny username pop3/imap"
  echo ""
}

if [ $# -eq 3 ]; then
  echo "Using $2."
else
  show_help
  exit 1
fi

# Anything other than "allow" is treated as "deny"
if [ "$1" = "allow" ]; then
  OPTION=allow
else
  OPTION=deny
fi

USER=$2
ACCESS=$3

if [ "${ACCESS}" != "imap" ] && [ "${ACCESS}" != "pop3" ]; then
  echo "Wrong access type specified: ${ACCESS}"
  exit 1
else
  # One deny file per service, matching args = /etc/dovecot-deny.%Ls
  DENYFILE=/etc/dovecot-deny.${ACCESS}
  if [ ! -e "${DENYFILE}" ]; then
    touch "${DENYFILE}"
  fi
fi

if [ ! -d "/home/${USER}" ]; then
  echo "User ${USER} does not exist."
  exit 1
fi

if [ "${OPTION}" = "allow" ]; then
  # -x -F: compare whole lines literally, so "bob" does not match "bobby"
  if ! grep -qxF -- "${USER}" "${DENYFILE}"; then
    echo "User ${USER} is already allowed."
    exit 1
  fi
  # Drop only the exact line; rewrite in place to keep owner and mode
  grep -vxF -- "${USER}" "${DENYFILE}" > "${DENYFILE}.tmp"
  cat "${DENYFILE}.tmp" > "${DENYFILE}"
  rm -f "${DENYFILE}.tmp"
fi

if [ "${OPTION}" = "deny" ]; then
  if grep -qxF -- "${USER}" "${DENYFILE}"; then
    echo "User ${USER} is already denied."
    exit 1
  fi
  echo "${USER}" >> "${DENYFILE}"
fi

exit 0
 
Code:
./script allow username pop3/imap
 
Sorry if this is a rather obvious question, but just wanted to make sure I understood usage of this properly before "playing" on a live server.... :)

Step 1
Edit /etc/dovecot.conf, find:............

Ok, I get that bit.


Step 2
after it, add:
Code:
passdb passwd-file {
    args = /etc/dovecot-deny.%Ls
    deny = yes
  }
So, assuming my goal is to block imap for specified users, I would create a file called "/etc/dovecot-deny.imap"?
And just to be 100%, the users within that file are those that will be blocked/denied? My concern was that I end up blocking all the wrong people when implementing this... :(



Step 3
Now use the following script to........
Again, bit of an idiot guide here, but I save that code as a script somewhere.
If I want to DENY/BLOCK a user, then I would type:

Code:
./script allow/deny username pop3/imap



Just to clarify, the "username" - Is that the email user name or the DA/cent account/user username?

If DA/cent account/user name, can you limit specific users? If it's the email username, does it need the full [email protected]? (Assuming it does, but while I'm asking basic questions, will get it out of the way.)

And by implementing Step 1 and Step 2 it won't actually do anything until I use the script or manually edit the dovecot-deny.imap file? (Will use the script as it would be quicker than I could do it, but just curious really.) Or does the file need to have a list of usernames to allow AND deny?

At worst, deleting or removing the dovecot-deny.pop3/imap will in effect automatically allow everyone by default? Would a mail server restart be required in order to apply changes to the conf file?


Apologies very basic, but learnt the hard way before by not understanding so decided to play safe this time. :)
 
Well, being impatient as I am I decided to have a crack.

Modified the dovecot.conf file, but had to modify the code to the following for it to work:

Code:
passdb {
    args = /etc/dovecot-deny.%Ls
    driver = passwd-file
    deny = yes
  }


I then created 2 files in /etc/ - 1) dovecot-deny.imap 2) dovecot-deny.pop3

(I know I didn't really need to create the pop3 one as it's empty anyway)


Tried different usernames/account and then realised it had to be the actual email account. So added my work email (i.e. [email protected]) into line 1 of my dovecot-deny.imap file and bam, no IMAP connection.

I haven't used the script as yet, but may play with that later. For the moment, it has allowed me to achieve what I wanted to, which was to stop 4 accounts from accessing IMAP.

The 4 email accounts are added into the file, one per line, which seems to be working perfic.


Couple of questions though,

1) What is the easiest way to block a DA user account/all emails for one domain from IMAP?

2) Is there a way to reverse it, so I can deny everyone from IMAP and just have a user list through the dovecot.conf file, or would I have to do that with PAM?


(Just for explanation, I run a modest VPS and as I'm conscious of the fact that many people will use email as a means of storage rather than communication and let their mailbox sizes grow to the GB size, I generally either tell customers it's pop3 and that's it, or just set up a forward to their gmail/yahoo/msn account. As the majority of my work is website design for tradesmen and small businesses I can get away with it. Less data storage, less cost and less data to backup = easier, and less time to do it and less work for my server keeping it quick! :D )
 
Is this method still valid in 2021 to disable imap/pop3 for a particular user?

Would like that DA could have this function built in to the GUI.
 
For interest/experiment -

It works in Dovecot 2.3.20 (DA 1.648) CL7 environment.

vi /etc/dovecot/conf/custom_passdb.conf , and add -

Code:
passdb {
  driver = passwd-file
  args = /etc/dovecot/deny.%Ls
  deny = yes
}

service dovecot restart
and put your selected email address into /etc/dovecot/deny.imap
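
Added example, not part of the thread or of any poster's code: helper functions for maintaining the per-service deny files when the entries are full e-mail addresses, as the replies above found they need to be. The directory default, the `DENY_DIR` variable and the function names are assumptions; entries are compared as whole literal lines so one address can never match or remove another.

```shell
#!/bin/sh
# Added example, not from the thread. DENY_DIR and the function names are
# assumptions; the file name deny.<service> follows args = /etc/dovecot/deny.%Ls.
DENY_DIR="${DENY_DIR:-/etc/dovecot}"

# Print the deny file path for a service; reject anything but imap/pop3.
deny_file() {
  case "$1" in
    imap|pop3) printf '%s/deny.%s\n' "$DENY_DIR" "$1" ;;
    *) echo "unknown service: $1" >&2; return 2 ;;
  esac
}

# Succeed only if the address is present as a whole line (literal, no regex),
# so bob@example.com never matches bobby@example.com or a substring of it.
deny_is_listed() {
  f=$(deny_file "$1") || return 2
  [ -f "$f" ] && grep -qxF -- "$2" "$f"
}

# Add an address; already-listed addresses are left alone (no duplicates).
deny_add() {
  f=$(deny_file "$1") || return 2
  case "$2" in
    ""|*:*|*" "*) echo "invalid address: $2" >&2; return 2 ;;  # ':' separates passwd-file fields
    *@*) ;;
    *) echo "expected full e-mail address: $2" >&2; return 2 ;;
  esac
  deny_is_listed "$1" "$2" && return 0
  printf '%s\n' "$2" >> "$f"
}

# Remove an address; every other line is kept byte for byte.
deny_remove() {
  f=$(deny_file "$1") || return 2
  [ -f "$f" ] || return 0
  tmp=$(mktemp "$f.XXXXXX") || return 1
  # grep exits 1 when nothing is left to print (file becomes empty); that is fine.
  grep -vxF -- "$2" "$f" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
  # Rewrite in place so the file keeps its owner and mode.
  cat "$tmp" > "$f" && rm -f "$tmp"
}
```

Source the file and call, for example, `deny_add imap user@domain` and `deny_is_listed imap user@domain`; set `DENY_DIR` to a scratch directory to try it without touching the live configuration.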
 