On 14.02.2018 20:39, Brian Topping wrote:
> Hi all!
>
> I have been using GSSAPI authentication method for all my externally
> reachable endpoints for some time under the theory that they cannot be hit
> with a dictionary attack. Unfortunately, this means iOS devices cannot log in
> since they (oddly) cannot use GSSAPI. I say “oddly” because desktop Mac mail
> can use GSSAPI just fine and
> https://samuelyates.wordpress.com/2013/10/11/kerberos-single-sign-on-in-ios-7/
> goes through how to set it up for web pages.
>
> In any event, what I’m looking to do is use a filter
> (https://wiki.dovecot.org/ConfigFile#Filters) around the auth_mechanisms such
> that it will allow plain authentication when the client is on a local network
> or the VPN. Unfortunately, the fine print on filters says "These filters work
> for most of the settings, but most importantly auth settings currently only
> support the protocol filter”.
>
> I guess it’s kind of academic, but I thought I’d ask why this is a
> limitation? If there is not a profound security reason to not support this,
> is this a good enough use case to consider it?
>
> Thanks! Brian

Hi Brian,

you can return allow_nets in your passdb to limit which networks the passdb is valid for. See https://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets

Aki
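
An added example, not part of the original thread and not Dovecot code: a small Python model of the allow_nets extra field for auditing a passwd-file style passdb, showing which entries accept a password login from a given client address and which carry no network restriction at all. The sample entries, the function names, and the networks 192.168.0.0/24 (LAN) and 10.8.0.0/24 (VPN) are constructed for illustration.

```python
import ipaddress

# Constructed sample entries in passwd-file layout:
# user:password:uid:gid:gecos:home:shell:extra_fields
SAMPLE = """\
alice:{PLAIN}example-only::::::allow_nets=192.168.0.0/24,10.8.0.0/24
bob:{PLAIN}example-only::::::
carol:{PLAIN}example-only::::::userdb_quota_rule=*:storage=1G allow_nets=10.8.0.5
"""

def parse_allow_nets(line):
    """Return (user, networks); networks is None when allow_nets is absent."""
    # maxsplit=7 keeps colons inside extra_fields (e.g. quota rules) intact.
    fields = line.rstrip("\n").split(":", 7)
    extra = fields[7] if len(fields) > 7 else ""
    for pair in extra.split():  # extra fields are space-separated key=value
        key, _, value = pair.partition("=")
        if key == "allow_nets":
            nets = [ipaddress.ip_network(n, strict=False)
                    for n in value.split(",") if n]
            return fields[0], nets
    return fields[0], None

def login_allowed(line, client_ip):
    """Model of the check: an entry without allow_nets is not restricted."""
    _, nets = parse_allow_nets(line)
    if nets is None:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip.version == n.version and ip in n for n in nets)

def unrestricted_users(passwd_text):
    """Audit helper: users whose password login is reachable from any network."""
    return [parse_allow_nets(l)[0] for l in passwd_text.splitlines()
            if l and not l.startswith("#") and parse_allow_nets(l)[1] is None]
```

Entries reported by unrestricted_users() are the ones still exposed to password guessing from external addresses.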