pam_access.so user&hostname based access problems.

Sysadmin sysadmin at e-positive.ee
Wed Apr 12 15:09:09 UTC 2006


Hello.

I have a firewall-protected network in which a mail server
(dovecot/postfix) also runs, and every local user with an account can
access it. Now I have some privileged users who need access also from
outside, through the firewall, so I am trying to make this happen with PAM,
but can't figure out how to do it with two pairs of rules, something like:

let the group1 members access mailserver from 0.0.0.0/0
let the group2 members access mailserver from 172.0.0.0/24

group1 members are also members of group2, and logically group1 members
should access the mail server from every network, including
172.0.0.0/24, and group2 members should access the mail server only from
the 172.0.0.0/24 network.

/etc/pam.d/dovecot.pam includes:

auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
account    required     pam_access.so


/etc/security/access.conf includes:

+:ALL group1:0.0.
+:ALL group2:172.0.
-:ALL:ALL

Tried also:

-:ALL EXCEPT group1:0.0.
+:ALL group2:172.0.

And:

+:group1:0.0.
+:group2:172.0.
-:ALL:ALL

Somehow I just can't get these two rule pairs to work this way. Can someone
please tell me whether this is even possible? Or maybe someone has made a
special module for this?


-- 
Sysadmin
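The following is an added example, not part of the mailing list post above. It is a small Python model of how pam_access evaluates /etc/security/access.conf (first matching line wins; a trailing "." in the origin field is a string prefix, "ALL" matches anything, "EXCEPT" excludes, and a file with no matching line grants access). It runs the poster's first ruleset and a ruleset that expresses the stated intent against a constructed group table, so the reason the posted rules fail can be seen line by line. The group memberships, user names and addresses are constructed for the example; the model also assumes the service hands pam_access an IPv4 address as PAM_RHOST and does not cover hostnames, netgroups, tty origins or LOCAL.

```python
"""Simplified model of pam_access access.conf matching (added example).

Assumptions (not stated in the post): PAM_RHOST is an IPv4 address string,
group membership comes from the constructed GROUPS table below, and only the
access.conf features the post uses are modelled: '+'/'-' permission, a
space-separated user/group list with ALL and EXCEPT, and an origin list with
ALL, an exact address, or a prefix ending in '.' (pam_access treats "a.b." as a
string prefix, so "0.0." matches only addresses beginning with "0.0.", not
"any address").
"""

# Constructed sample accounts: alice is the privileged user from the post.
GROUPS = {
    "alice": {"group1", "group2"},   # may read mail from anywhere
    "bob": {"group2"},               # internal network only
    "mallory": set(),                # no mail access at all
}


def _user_token_matches(tok, user, groups):
    """A token matches if it is ALL, the login name, or a group the user is in."""
    return tok == "ALL" or tok == user or tok in groups.get(user, set())


def _user_list_matches(field, user, groups):
    """Evaluate 'a b EXCEPT c d': any of a/b matches and none of c/d does."""
    toks = field.split()
    if "EXCEPT" in toks:
        i = toks.index("EXCEPT")
        base, exc = toks[:i], toks[i + 1:]
        return (any(_user_token_matches(t, user, groups) for t in base)
                and not any(_user_token_matches(t, user, groups) for t in exc))
    return any(_user_token_matches(t, user, groups) for t in toks)


def _origin_token_matches(tok, rhost):
    if tok == "ALL":
        return True
    if tok.endswith("."):          # network prefix, e.g. "172.0.0." == 172.0.0.0/24
        return rhost.startswith(tok)
    return tok == rhost            # exact address


def _origin_list_matches(field, rhost):
    return any(_origin_token_matches(t, rhost) for t in field.split())


def check_access(conf, user, rhost, groups=GROUPS):
    """Return True if access is granted. The first line whose user list and
    origin list both match decides; with no matching line pam_access grants
    access, which is why a final '-:ALL:ALL' line matters."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if _user_list_matches(users, user, groups) and _origin_list_matches(origins, rhost):
            return perm == "+"
    return True


# The poster's first attempt, exactly as given in the mail.
POSTED = """
+:ALL group1:0.0.
+:ALL group2:172.0.
-:ALL:ALL
"""

# A ruleset for the stated intent: "ALL" in the origin field means any host,
# and "172.0.0." is the /24 prefix ("172.0." would be the whole /16). Listing
# only the group, not "ALL group", keeps the line from matching everyone.
INTENDED = """
+:group1:ALL
+:group2:172.0.0.
-:ALL:ALL
"""


def decisions(conf):
    """Run a fixed set of (user, remote address) logins through a ruleset."""
    cases = [("alice", "8.8.8.8"), ("alice", "172.0.0.5"),
             ("bob", "8.8.8.8"), ("bob", "172.0.0.5"), ("bob", "172.0.1.5"),
             ("mallory", "172.0.0.5")]
    return {(u, h): check_access(conf, u, h) for u, h in cases}


if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("intended", INTENDED)):
        print(name)
        for (u, h), ok in decisions(conf).items():
            print(f"  {u:8s} from {h:12s} -> {'permit' if ok else 'deny'}")
```

With the posted rules, alice from outside is denied because "0.0." never matches a real address, and the "ALL" in "+:ALL group2:172.0." lets every account, mallory included, in from the whole 172.0.0.0/16. The intended ruleset gives the two-tier behaviour the post asks for. Current Linux-PAM releases additionally accept a network/netmask form such as 172.0.0.0/24 in the origin field, and the access.conf(5) man page documents the exact syntax accepted by the version you have installed.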
