Postlogin script


Postlogin script

j.emerlik
Hi,
I would like to prepare a post-login script that allows IMAP connections to
roundcube for all users but restricts IMAP access for selected users.

My question is this:

Is it possible, in the IF condition, to use IP addresses as a range or with a mask
(because I have more than one web server)?

My script:

#!/bin/sh
# Dovecot post-login script: $IP and $USER come from Dovecot's environment,
# "$@" is the real imap process. Returning without exec'ing it closes the
# connection; stdout of this script goes straight to the IMAP client.
if [ "$IP" = "172.11.0.28" ] ; then
  printf "* [ALERT] Access allowed from that IP\r\n"
  exec "$@"
fi

# -A -t: unaligned, tuples only, so the result is exactly "t", "f" or empty.
# The login name is handed to psql as a variable and expanded with :'user',
# which quotes it as an SQL literal; interpolating "$USER" into the query
# text would let a crafted login name change the query. (Keeping the
# password in ~/.pgpass of the user running this script is preferable to
# PGPASSWORD=.)
CHECK_USER=$(PGPASSWORD="somepass" /usr/local/pg950/bin/psql -q -A -t \
  -U someuser -d maildb -v user="$USER" <<'EOF'
select imap_allowed from __users where name = :'user' LIMIT 1
EOF
)

# "f": close the connection; "t": hand over to imap; anything else (no row)
# falls off the end without exec, which also closes the connection.
if [ "$CHECK_USER" = "f" ] ; then
  exit 0
fi

if [ "$CHECK_USER" = "t" ] ; then
  exec "$@"
fi

Regards,
Jack

Re: Postlogin script

Gedalya-2
A bit clunky but perhaps you could find another command.

https://packages.debian.org/stretch/netmask

$ IP=172.11.0.28
$ if [ "$(netmask -n $IP/24)" == "     172.11.0.0/24" ]; then echo OK; fi
OK
$ IP=172.12.0.11
$ if [ "$(netmask -n $IP/24)" == "     172.11.0.0/24" ]; then echo OK; fi
$

Range:

https://packages.debian.org/stretch/prips

$ IP=172.11.0.28
$ # -x -F: match the whole line literally, so 172.11.0.2 does not match 172.11.0.28
$ if prips 172.11.0.11 172.11.0.55 | grep -xF "$IP"; then echo OK; fi
172.11.0.28
OK
$ IP=172.11.0.66
$ if prips 172.11.0.11 172.11.0.55 | grep -xF "$IP"; then echo OK; fi


On 11/09/2017 11:12 AM, j.emerlik wrote:


Re: Postlogin script

j.emerlik
Thanks, prips works as I expected, great tool, not available in the Gentoo repository,
but after compiling it Dovecot does what I wanted.
Regards,
Jack

2017-11-09 21:19 GMT+01:00 Gedalya <[hidden email]>:


Re: Postlogin script

Aki Tuomi-2
You could also have used the allow_nets passdb field.
https://wiki2.dovecot.org/PasswordDatabase/ExtraFields

Aki


On 10.11.2017 12:45, j.emerlik wrote:


Re: Postlogin script

Joseph Tam-2
In reply to this post by j.emerlik
"j.emerlik" <[hidden email]> writes:

> I would like to prepare postlogin a script that allow imap connection to
> roundcube for all but restrict imap access for selected users.

"from" roundcube?

> Is possible in condition IF use IP addresses as range or with mask (because
> I've more than one web servers) ?

Of course -- many ways to skin this cat.

If you have only a handful of IPs

  case "$IP" in
  12.34.56.78) exec "$@";;
  23.45.67.89) exec "$@";;
  ...
  esac

If you have CIDRs that align neatly on octet boundaries

  case "$IP" in
  12.34.56.*) exec "$@";;
  23.45.67.*) exec "$@";;
  ...
  esac

The toughest situation (using script techniques) is for
CIDR ranges just shy of a full octet boundary e.g. /25.  You can use
"cut -d .", "IFS=." or "expr" to break the IP into octets,
then test the components.  e.g. 12.34.56.0/25

  # Example 1
  PART1=`echo "$IP" | cut -d. -f1,2,3`
  PART2=`echo "$IP" | cut -d. -f4`
  [ "$PART1" = "12.34.56" -a "$PART2" -ge 0 -a "$PART2" -le 127 ] && exec "$@"

  # Example 2 (expr prints its result on stdout, which in a post-login script
  # is the client connection, so discard it)
  PART2=`expr "$IP" : '.*\.\([0-9]*\)'`
  expr "$IP" : "12\.34\.56\." >/dev/null && [ "$PART2" -ge 0 -a "$PART2" -le 127 ] && exec "$@"

  # Example 3 (dodgy, I haven't fully thought this through)
  # read from a here-document so the variables are set in the current shell
  # (a pipe into read would run in a subshell and the exec would be lost)
  IFS=. read a b c PART2 <<EOF
$IP
EOF
  [ "$a.$b.$c" = "12.34.56" -a "$PART2" -ge 0 -a "$PART2" -le 127 ] && exec "$@"

If you have a busy IMAP server, you'll probably want to use Aki's passdb
solution instead, rather than incurring the execution overhead for each
and every authentication.

Joseph Tam <[hidden email]>
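Gedalya's netmask/prips commands and the octet-splitting examples above both reach for something that can answer "is $IP inside this prefix" when the mask does not fall on an octet boundary. The block below is an added example (mine, not code from the thread or from Dovecot) that answers it in plain POSIX sh with no external tool, so each login costs only shell arithmetic. It assumes $IP is the IPv4 client address Dovecot exports to the post-login script, that "$@" is the real imap process, and that the shell has 64-bit integer arithmetic (bash, dash and ksh do); WEBMAIL_NETS and every address in it are made-up values. It goes beyond the thread's single /25: any prefix length, bare addresses, a comma-separated list, and malformed input, which is rejected rather than allowed.

```sh
#!/bin/sh
# Added example: IPv4 CIDR matching in plain POSIX sh for a Dovecot
# post-login script. Assumes $IP (client address) and "$@" (the real imap
# process) as Dovecot provides them, and a shell with 64-bit arithmetic.
# WEBMAIL_NETS and every address below are made-up values.

# ip4_to_int A.B.C.D  -> prints the address as a decimal integer.
# Returns 1 for anything that is not exactly four decimal octets 0-255
# (leading zeros are rejected so "012" cannot be read as octal elsewhere).
ip4_to_int() {
    _rest=$1
    _n=0
    _i=0
    while [ "$_i" -lt 4 ]; do
        _i=$(( _i + 1 ))
        if [ "$_i" -lt 4 ]; then
            case $_rest in *.*) ;; *) return 1 ;; esac   # octets 1-3 need a dot after them
            _o=${_rest%%.*}
            _rest=${_rest#*.}
        else
            case $_rest in *.*) return 1 ;; esac         # nothing may follow octet 4
            _o=$_rest
        fi
        case $_o in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;
            *) return 1 ;;
        esac
        [ "$_o" -le 255 ] || return 1
        _n=$(( _n * 256 + _o ))
    done
    echo "$_n"
}

# in_cidr ADDR NET[/PREFIX]  -> exit 0 if ADDR is inside the prefix,
# 1 if not, 2 if either argument is malformed (callers treat 2 as "no").
in_cidr() {
    _addr=$(ip4_to_int "$1") || return 2
    _net=${2%/*}
    _prefix=${2#*/}
    [ "$_net" = "$2" ] && _prefix=32             # bare address means /32
    case $_prefix in ''|*[!0-9]*) return 2 ;; esac
    [ "$_prefix" -le 32 ] || return 2
    _netint=$(ip4_to_int "$_net") || return 2
    _host=$(( 32 - _prefix ))                   # number of host bits
    [ "$_host" -eq 32 ] && return 0             # /0 matches everything
    # Compare only the network bits: shifting the host bits out avoids
    # building a 32-bit mask constant.
    [ $(( _addr >> _host )) -eq $(( _netint >> _host )) ]
}

# allowed_from ADDR LIST  -> exit 0 if ADDR matches any entry of the
# comma-separated LIST (spaces after commas are tolerated; the list is
# admin-controlled, so no glob protection is applied to its words).
allowed_from() {
    _a=$1
    _list=$2
    _oldifs=$IFS
    IFS=', '
    set -- $_list
    IFS=$_oldifs
    for _entry in "$@"; do
        in_cidr "$_a" "$_entry" && return 0
    done
    return 1
}

# Networks the webmail (Roundcube) hosts connect from: made-up values.
WEBMAIL_NETS='172.11.0.0/24,10.120.120.0/21,111.111.11.40'

# Gate for the post-login script: hand over to imap for webmail hosts,
# otherwise close the connection. The real script ends with:
#   postlogin_gate "$@"
postlogin_gate() {
    if [ -n "$IP" ] && allowed_from "$IP" "$WEBMAIL_NETS"; then
        exec "$@"
    fi
    exit 0
}
```

Call `postlogin_gate "$@"` as the last line of the script. An IPv6 client address fails ip4_to_int and is therefore denied, which is the safe default; the parser would need extending before IMAP over IPv6 is enabled for the webmail hosts.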

Re: Postlogin script

Gedalya-2
On 11/10/2017 11:03 PM, Joseph Tam wrote:
>
> The toughest situation (using script techniques) is for
> CIDR ranges just shy of a full octet boundary e.g. /25. 

Actually there is a great tool for that, grepcidr

$ echo 10.11.12.127 | grepcidr 10.11.12.0/25 && echo OK
10.11.12.127
OK
$ echo 10.11.12.128 | grepcidr 10.11.12.0/25 && echo OK
$

But in your case you really probably should use postgres for the userdb and just return everything from there in user fields / extra fields, and if the logic doesn't fit in a simple query you can put it in a stored procedure. That will likely be more efficient.
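Aki's allow_nets suggestion and Gedalya's suggestion to let Postgres return the decision as passdb extra fields fit together: the SQL passdb can emit allow_nets only for users whose imap_allowed is false, so the restriction is enforced by the auth process before login completes and no post-login script runs at all. This is an added example, not configuration from the thread or from the Dovecot project. It assumes Dovecot 2.x, that the OP's __users table also has a password column (scheme assumed SHA512-CRYPT), and that the webmail hosts are in 172.11.0.0/24 and 10.120.120.0/21.

```conf
# /etc/dovecot/conf.d/auth-sql.conf.ext  (added example, not from the thread)
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

# /etc/dovecot/dovecot-sql.conf.ext  (keep it root:root 0600; only the auth
# process reads it)
driver = pgsql
# Assumption: a role with SELECT on __users only.
connect = host=127.0.0.1 dbname=maildb user=someuser password=somepass
# Assumption: whatever scheme __users.password is stored in.
default_pass_scheme = SHA512-CRYPT

# %u (username) and %s (service) are escaped by Dovecot before substitution.
# allow_nets is returned only when the user is restricted AND the service is
# imap; a NULL column is ignored by the SQL passdb, so unrestricted users and
# other services (pop3, managesieve, submission) get no allow_nets and are not
# affected. A restricted user logging in to imap from outside the list fails
# authentication, which the auth log reports as an allow_nets mismatch.
password_query = \
  SELECT password, \
         CASE WHEN imap_allowed OR '%s' <> 'imap' THEN NULL \
              ELSE '172.11.0.0/24,10.120.120.0/21' END AS allow_nets \
  FROM __users WHERE name = '%u'
```

It can be checked without a mail client: `doveadm auth test -x service=imap -x rip=172.11.0.28 someuser` should succeed for a restricted user, and the same command with a `rip=` outside the list should fail; `auth_verbose = yes` makes the reason visible in the log.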

Re: Postlogin script

j.emerlik
Awesome, thanks!

Sent from my mobile device please excuse.

11.11.2017 2:48 PM "Gedalya" <[hidden email]> wrote:


Re: Postlogin script

Aki Tuomi-2
I would still recommend using allow_nets instead. It will perform better, and can deal with multiple networks etc.

Aki

On November 11, 2017 at 4:27 PM "j.emerlik" <[hidden email]> wrote:

Re: Postlogin script

j.emerlik
Great, thanks!

Sent from my mobile device please excuse.

11.11.2017 6:00 PM "Aki Tuomi" <[hidden email]> wrote:


Re: Postlogin script

j.emerlik
In reply to this post by Joseph Tam-2
I finally used it like this:

case $IP in
    10.120.12[0-7].*) exec "$@" ;;
    111.111.11.4[0-9]) exec "$@" ;;
esac

Thanks a lot

Regards,
Jacek




2017-11-10 23:03 GMT+01:00 Joseph Tam <[hidden email]>:
