1 Last edited by dsandrew (2015-11-23 14:09:21)

Topic: Restrict some users to using their mailbox only from the internal network

- iRedMail version: 0.9.2
- Database used to store user accounts: MySQL
- Linux/BSD distribution name and version: CentOS 6.7
- Log messages related to your problem:

Following the documentation, I set the allow_nets field of individual users to the internal network address, but those users cannot log in from the internal network; setting it back to NULL makes login work again. It feels as if the query is not obtaining the correct IP address.
dovecot-mysql.conf is the default configuration and has not been modified.
[root@mail /]# cat /etc/dovecot/dovecot-mysql.conf
driver = mysql
default_pass_scheme = CRYPT
connect = host=127.0.0.1 dbname=vmail user=vmail password=2b5P52KP2is8665OZhpJbCSx3WNwVi
# Required by 'doveadm mailbox ...'.
iterate_query = SELECT username AS user FROM mailbox
password_query = SELECT password, allow_nets FROM mailbox WHERE username='%u' AND enable%Ls%Lc=1 AND active=1
user_query = SELECT \
    '%u' AS master_user, \
    CONCAT(mailbox.storagebasedirectory, '/', mailbox.storagenode, '/', mailbox.maildir) AS home, \
    CONCAT('*:bytes=', mailbox.quota*1048576) AS quota_rule \
FROM mailbox,domain \
WHERE mailbox.username='%u' \
    AND mailbox.domain='%d' \
    AND mailbox.`enable%Ls%Lc`=1 \
    AND mailbox.domain=domain.domain \
    AND domain.backupmx=0 \
    AND domain.active=1 \
    AND mailbox.active=1

Dovecot log looked up after the failed login:
Nov 23 14:05:51 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<dongjianfeng@iagnosis.cn>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<3oNTBC8l1AB/AAAB>

Reply: Restrict some users to using their mailbox only from the internal network

What is in the mailbox.allow_nets field for this user?

Reply: Restrict some users to using their mailbox only from the internal network

ZhangHuangbin wrote:

What is in the mailbox.allow_nets field for this user?

I have tested both a network range and a single IP, 172.16.1.0/24 and 172.16.1.33; neither works.

Reply: Restrict some users to using their mailbox only from the internal network

Please post the debug log. Otherwise there is no way to help analyse this.

Reply: Restrict some users to using their mailbox only from the internal network

ZhangHuangbin wrote:

Please post the debug log. Otherwise there is no way to help analyse this.

Dovecot does not enable debug mode by default; after turning it on I see the following log:
Nov 25 13:09:17 master: Warning: Killed with signal 15 (by pid=41093 uid=0 code=kill)
Nov 25 13:09:19 master: Info: Dovecot v2.1.17 starting up (core dumps disabled)
Nov 25 13:11:15 auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Nov 25 13:11:15 auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
Nov 25 13:11:15 auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_pgsql.so
Nov 25 13:11:15 auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Nov 25 13:11:15 auth: Debug: passwd-file /etc/dovecot/dovecot-master-users: Read 1 users in 0 secs
Nov 25 13:11:15 auth: Debug: auth client connected (pid=41128)
Nov 25 13:11:15 auth: Debug: client in: AUTH    1       PLAIN   service=imap secured  session=eeLXfFYlAgB/AAAB        lip=127.0.0.1   rip=127.0.0.1   lport=143     rport=46850     resp=<hidden>
Nov 25 13:11:15 auth-worker(41130): Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Nov 25 13:11:15 auth-worker(41130): Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
Nov 25 13:11:15 auth-worker(41130): Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_pgsql.so
Nov 25 13:11:15 auth-worker(41130): Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Nov 25 13:11:15 auth-worker(41130): Debug: passwd-file /etc/dovecot/dovecot-master-users: Read 1 users in 0 secs
Nov 25 13:11:15 auth-worker(41130): Info: mysql(127.0.0.1): Connected to database vmail
Nov 25 13:11:15 auth-worker(41130): Debug: sql(dongjianfeng@iagnosis.cn,127.0.0.1): query: SELECT password, allow_nets FROM mailbox WHERE username='dongjianfeng@iagnosis.cn' AND enableimapsecured=1 AND active=1
Nov 25 13:11:15 auth-worker(41130): Debug: auth(dongjianfeng@iagnosis.cn,127.0.0.1): allow_nets: Matching for network 172.16.6.201
Nov 25 13:11:15 auth-worker(41130): Info: passdb(dongjianfeng@iagnosis.cn,127.0.0.1): allow_nets check failed: IP not in allowed networks
Nov 25 13:11:15 auth: Debug: auth(dongjianfeng@iagnosis.cn,127.0.0.1,<eeLXfFYlAgB/AAAB>): allow_nets: Matching for network 172.16.6.201
Nov 25 13:11:15 auth: Info: passdb(dongjianfeng@iagnosis.cn,127.0.0.1,<eeLXfFYlAgB/AAAB>): allow_nets check failed: IP not in allowed networks
Nov 25 13:11:17 auth: Debug: client passdb out: FAIL    1       user=dongjianfeng@iagnosis.cn
Nov 25 13:11:17 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<dongjianfeng@iagnosis.cn>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<eeLXfFYlAgB/AAAB>

Mr. Zhang, could you please take another look? Does allow_nets need to be set to the server's IP rather than a personal PC's IP?

Reply: Restrict some users to using their mailbox only from the internal network

dsandrew wrote:

Nov 25 13:11:15 auth-worker(41130): Debug: sql(dongjianfeng@iagnosis.cn,127.0.0.1): query: SELECT password, allow_nets FROM mailbox WHERE username='dongjianfeng@iagnosis.cn' AND enableimapsecured=1 AND active=1
Nov 25 13:11:15 auth-worker(41130): Debug: auth(dongjianfeng@iagnosis.cn,127.0.0.1): allow_nets: Matching for network 172.16.6.201
Nov 25 13:11:15 auth-worker(41130): Info: passdb(dongjianfeng@iagnosis.cn,127.0.0.1): allow_nets check failed: IP not in allowed networks
Nov 25 13:11:15 auth: Debug: auth(dongjianfeng@iagnosis.cn,127.0.0.1,<eeLXfFYlAgB/AAAB>): allow_nets: Matching for network 172.16.6.201
Nov 25 13:11:15 auth: Info: passdb(dongjianfeng@iagnosis.cn,127.0.0.1,<eeLXfFYlAgB/AAAB>): allow_nets check failed: IP not in allowed networks
Nov 25 13:11:17 auth: Debug: client passdb out: FAIL    1       user=dongjianfeng@iagnosis.cn
Nov 25 13:11:17 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<dongjianfeng@iagnosis.cn>,

It says it quite clearly here: "IP not in allowed networks", so the login was rejected with the same error as a wrong password.
There is nothing wrong with this. It was indeed rejected.

Reply: Restrict some users to using their mailbox only from the internal network

ZhangHuangbin wrote:
dsandrew wrote:

Nov 25 13:11:15 auth-worker(41130): Debug: sql(dongjianfeng@iagnosis.cn,127.0.0.1): query: SELECT password, allow_nets FROM mailbox WHERE username='dongjianfeng@iagnosis.cn' AND enableimapsecured=1 AND active=1
Nov 25 13:11:15 auth-worker(41130): Debug: auth(dongjianfeng@iagnosis.cn,127.0.0.1): allow_nets: Matching for network 172.16.6.201
Nov 25 13:11:15 auth-worker(41130): Info: passdb(dongjianfeng@iagnosis.cn,127.0.0.1): allow_nets check failed: IP not in allowed networks
Nov 25 13:11:15 auth: Debug: auth(dongjianfeng@iagnosis.cn,127.0.0.1,<eeLXfFYlAgB/AAAB>): allow_nets: Matching for network 172.16.6.201
Nov 25 13:11:15 auth: Info: passdb(dongjianfeng@iagnosis.cn,127.0.0.1,<eeLXfFYlAgB/AAAB>): allow_nets check failed: IP not in allowed networks
Nov 25 13:11:17 auth: Debug: client passdb out: FAIL    1       user=dongjianfeng@iagnosis.cn
Nov 25 13:11:17 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<dongjianfeng@iagnosis.cn>,

It says it quite clearly here: "IP not in allowed networks", so the login was rejected with the same error as a wrong password.
There is nothing wrong with this. It was indeed rejected.

Mr. Zhang, what I want to achieve is that some users can only log in to their mailbox from the internal network. According to the documentation, once the allow_nets field is filled with an internal IP or internal IP range, that user can only log in from the specified IP or range, rather than being rejected outright. Right now I have filled in the matching IP and range and the user still cannot log in.
The documentation below says the same thing:
Restarting Dovecot service is required.
Sample usage: allow user user@domain.com to login from IP 172.16.244.1 and network 192.168.1.0/24:
sql> USE vmail;
sql> UPDATE mailbox SET allow_nets='172.16.244.1,192.168.1.0/24' WHERE username='user@domain.com';
To remove this restriction, just set mailbox.allow_nets to NULL, not empty string.
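Added example, not from the thread and not iRedMail's or Dovecot's own code: a Python re-implementation of the allow_nets match that the debug log above records, run over the thread's own login line plus one constructed line. The address Dovecot tests against allow_nets is the client's remote address, logged as rip= (127.0.0.1 in the thread's log); the handling of an empty string as "nothing allowed" follows the documentation note about NULL versus empty string and is an assumption of this example.

```python
import ipaddress
import re
from typing import Optional

# user=<...> and rip=... fields of an imap-login / pop3-login line.
LOGIN_RE = re.compile(r"user=<(?P<user>[^>]+)>.*?\brip=(?P<rip>[0-9a-fA-F.:]+)")


def parse_allow_nets(value: Optional[str]) -> Optional[list]:
    """Turn a mailbox.allow_nets value into a list of networks.

    None (SQL NULL) means no restriction. A bare IP becomes a /32 (or /128);
    CIDR ranges are accepted even with non-zero host bits. An empty string
    yields an empty list, i.e. nothing allowed (assumption based on the
    documentation's advice to use NULL rather than '' to lift the rule).
    """
    if value is None:
        return None
    items = re.split(r"[,\s]+", value.strip())
    return [ipaddress.ip_network(i, strict=False) for i in items if i]


def ip_allowed(allow_nets: Optional[str], rip: str) -> bool:
    """Mirror Dovecot's check: the remote IP must fall inside one allow_nets entry."""
    nets = parse_allow_nets(allow_nets)
    if nets is None:
        return True
    addr = ipaddress.ip_address(rip)
    return any(addr in net for net in nets)


def check_login_line(line: str, allow_nets: Optional[str]) -> Optional[dict]:
    """Extract user and rip from a login log line and evaluate the allow_nets rule."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    user, rip = m.group("user"), m.group("rip")
    return {"user": user, "rip": rip, "allowed": ip_allowed(allow_nets, rip)}


# Constructed sample: the first line is the one from the thread (client reached
# Dovecot via localhost), the second is a constructed login from a LAN address.
SAMPLE_LINES = [
    "Nov 25 13:11:17 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): "
    "user=<dongjianfeng@iagnosis.cn>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<eeLXfFYlAgB/AAAB>",
    "Nov 25 13:12:40 imap-login: Info: Login: user=<dongjianfeng@iagnosis.cn>, "
    "method=PLAIN, rip=172.16.1.33, lip=172.16.1.10, TLS, session=<constructed>",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(check_login_line(line, "172.16.1.0/24"))
```

Run against the thread's values, the localhost login is rejected and the LAN login is accepted, which is the distinction the "IP not in allowed networks" message reports.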