Access control by IP
dwhite at olp.net
Fri Sep 9 14:54:58 EDT 2011
On 08/09/11 17:47 -0300, Sandro Venezuela wrote:
>I have an E-Mail service with Cyrus IMAP + Cyrus SASL and I want to
>controlthat only users of a particular network to access the mailbox.
>This is possible with the Cyrus SASL?
>If yes, how can I do?
I am not aware of a way to do IP based restrictions with Cyrus SASL.
One way to achieve restrictive access to a mailbox, within Cyrus IMAP, is
to reconfigure /etc/cyrus.conf with two imap entries, one for your trusted
network, and another for your untrusted network. You could then create a
userdeny_db which selectively denies access for certain users when
connecting from the untrusted network.
For example, given the following entry in /etc/cyrus.conf:
imap cmd="imapd -U 30" listen="imap" prefork=0 maxchild=100
imap cmd="imapd -U 30" listen="<trusted.ip>:imap" prefork=0 maxchild=100
untrustedimap cmd="imapd -U 30" listen="<untrusted.ip>:imap" prefork=0 maxchild=100
sudo -u cyrus touch /var/lib/imap/user_deny.db
sudo -u cyrus cyr_dbtool /var/lib/imap/user_deny.db flat set jsmith "2<ctrl-v><tab>untrustedimap<ctrl-v><tab>Login denied from untrusted network."
jsmith is the user who's mailbox you want to restrict access to
<ctrl-v><tab> is entered from a shell, such as bash, which will not convert a tab to spaces when preceded with a control-v.
for details on the user_deny database structure.
More information about the Cyrus-sasl