[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
  Web www.spinics.net

Re: Access control by IP


Let me explain the situation to a better understanding of the problem.

The mailboxes are accessed only internally, but some users (directors, managers, etc.) want to access mailboxes from their homes through the Internet.

I was thinking of using any IMAP Proxy solution to solve this problem, but will now be studying the solutions submitted by Dan and omalleys.

If you have a few more suggestions now that they know a little better the problem, you might say.



Em 09-09-2011 15:54, Dan White escreveu:
I am not aware of a way to do IP based restrictions with Cyrus SASL.

One way to achieve restrictive access to a mailbox, within Cyrus IMAP, is
to reconfigure /etc/cyrus.conf with two imap entries, one for your trusted
network, and another for your untrusted network. You could then create a
userdeny_db which selectively denies access for certain users when
connecting from the untrusted network.

For example, given the following entry in /etc/cyrus.conf:

imap            cmd="imapd -U 30" listen="imap" prefork=0 maxchild=100

change to:

imap cmd="imapd -U 30" listen="<trusted.ip>:imap" prefork=0 maxchild=100 untrustedimap cmd="imapd -U 30" listen="<untrusted.ip>:imap" prefork=0 maxchild=100

sudo -u cyrus touch /var/lib/imap/user_deny.db
sudo -u cyrus cyr_dbtool /var/lib/imap/user_deny.db flat set jsmith "2<ctrl-v><tab>untrustedimap<ctrl-v><tab>Login denied from untrusted network."

   jsmith is the user who's mailbox you want to restrict access to
<ctrl-v><tab> is entered from a shell, such as bash, which will not convert a tab to spaces when preceded with a control-v.



for details on the user_deny database structure.

Em 14-09-2011 17:13, omalleys@xxxxxxx escreveu:
The easiest thing is if it is all users, to just firewall off the untrusted network. I don't think you can use tcp wrappers in this case.

I did get sasl to restrict by using a pam module based on RHOST restrictions. But I don't know of any sasl abaility for the restriction, even though the information is there.

Sandro Venezuela

[Video For Linux]     [Photos]     [Yosemite News]    [Yosemite Photos]     [gtk]     [KDE]     [Info Cyrus]     [Gimp on Windows]     [Steve's Art]     [Script Fu]

Powered by Linux