Access control by IP

Dan White dwhite at olp.net
Fri Sep 9 14:54:58 EDT 2011


On 08/09/11 17:47 -0300, Sandro Venezuela wrote:
>Hello everyone.
>
>I have an E-Mail service with Cyrus IMAP + Cyrus SASL and I want to
>ensure that only users of a particular network can access the mailbox.
>
>Is this possible with Cyrus SASL?
>
>If yes, how can I do it?

I am not aware of a way to do IP based restrictions with Cyrus SASL.

One way to achieve restrictive access to a mailbox, within Cyrus IMAP, is
to reconfigure /etc/cyrus.conf with two imap entries, one for your trusted
network, and another for your untrusted network. You could then create a
userdeny_db which selectively denies access for certain users when
connecting from the untrusted network.

For example, given the following entry in /etc/cyrus.conf:

imap            cmd="imapd -U 30" listen="imap" prefork=0 maxchild=100

change to:

imap            cmd="imapd -U 30" listen="<trusted.ip>:imap" prefork=0 maxchild=100
untrustedimap   cmd="imapd -U 30" listen="<untrusted.ip>:imap" prefork=0 maxchild=100

sudo -u cyrus touch /var/lib/imap/user_deny.db
sudo -u cyrus cyr_dbtool /var/lib/imap/user_deny.db flat set jsmith "2<ctrl-v><tab>untrustedimap<ctrl-v><tab>Login denied from untrusted network."

Where:
    jsmith is the user whose mailbox you want to restrict access to
    <ctrl-v><tab> is entered from a shell, such as bash, which will not convert a tab to spaces when preceded by a control-v.

See:

http://cyrusimap.org/docs/cyrus-imapd/2.4.10/internal/database-formats.php

for details on the user_deny database structure.

-- 
Dan White
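As an added example (not part of Dan White's post), the same user_deny.db record built from a small POSIX shell script that uses printf so the tab separators are explicit instead of typed as <ctrl-v><tab>; the function names, the DRY_RUN mode and the DENY_DB variable are my own assumptions so the script can be exercised on a host without Cyrus installed.

```shell
#!/bin/sh
# Build and store a Cyrus user_deny.db record, following the layout used in
# the post: version "2", a tab, the service name(s) to deny, a tab, then the
# message shown to the user. Paths and names below are the post's examples;
# DRY_RUN is an assumption added so the script runs where cyr_dbtool is absent.

DENY_DB="${DENY_DB:-/var/lib/imap/user_deny.db}"

# imap_entries TRUSTED_IP UNTRUSTED_IP
# Prints the two SERVICES lines for /etc/cyrus.conf, one listener per network.
imap_entries() {
    printf 'imap            cmd="imapd -U 30" listen="%s:imap" prefork=0 maxchild=100\n' "$1"
    printf 'untrustedimap   cmd="imapd -U 30" listen="%s:imap" prefork=0 maxchild=100\n' "$2"
}

# deny_value SERVICES MESSAGE
# Prints the record value with literal tabs between the three fields.
deny_value() {
    printf '2\t%s\t%s' "$1" "$2"
}

# deny_user USER SERVICES MESSAGE
# Writes the record with cyr_dbtool, or prints the command when DRY_RUN=1.
deny_user() {
    user=$1
    services=$2
    message=$3
    value=$(deny_value "$services" "$message")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'cyr_dbtool %s flat set %s %s\n' "$DENY_DB" "$user" "$value"
    else
        sudo -u cyrus touch "$DENY_DB"
        sudo -u cyrus cyr_dbtool "$DENY_DB" flat set "$user" "$value"
    fi
}

# Sample run with the post's names (dry run, so nothing is written):
DRY_RUN=1
imap_entries 192.0.2.10 198.51.100.10
deny_user jsmith untrustedimap "Login denied from untrusted network."
```

Run without DRY_RUN=1 on the Cyrus host to actually write the record; the tabs survive because the value is passed as a single quoted argument.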

