Access control by IP
Sandro Venezuela
sandro at linux2business.com.br
Thu Sep 15 16:05:11 EDT 2011
Hi,
Let me explain the situation to a better understanding of the problem.
The mailboxes are accessed only internally, but some users (directors,
managers, etc.) want to access mailboxes from their homes through the
Internet.
I was thinking of using any IMAP Proxy solution to solve this problem,
but will now be studying the solutions submitted by Dan and omalleys.
If you have a few more suggestions now that they know a little better
the problem, you might say.
thanks
Sandro
Em 09-09-2011 15:54, Dan White escreveu:
> I am not aware of a way to do IP based restrictions with Cyrus SASL.
>
> One way to achieve restrictive access to a mailbox, within Cyrus IMAP, is
> to reconfigure /etc/cyrus.conf with two imap entries, one for your
> trusted
> network, and another for your untrusted network. You could then create a
> userdeny_db which selectively denies access for certain users when
> connecting from the untrusted network.
>
> For example, given the following entry in /etc/cyrus.conf:
>
> imap cmd="imapd -U 30" listen="imap" prefork=0 maxchild=100
>
> change to:
>
> imap cmd="imapd -U 30" listen="<trusted.ip>:imap" prefork=0
> maxchild=100
> untrustedimap cmd="imapd -U 30" listen="<untrusted.ip>:imap"
> prefork=0 maxchild=100
>
> sudo -u cyrus touch /var/lib/imap/user_deny.db
> sudo -u cyrus cyr_dbtool /var/lib/imap/user_deny.db flat set jsmith
> "2<ctrl-v><tab>untrustedimap<ctrl-v><tab>Login denied from untrusted
> network."
>
> Where:
> jsmith is the user who's mailbox you want to restrict access to
> <ctrl-v><tab> is entered from a shell, such as bash, which will not
> convert a tab to spaces when preceded with a control-v.
>
> See:
>
> http://cyrusimap.org/docs/cyrus-imapd/2.4.10/internal/database-formats.php
>
>
> for details on the user_deny database structure.
>
Em 14-09-2011 17:13, omalleys at msu.edu escreveu:
> The easiest thing is if it is all users, to just firewall off the
> untrusted network. I don't think you can use tcp wrappers in this case.
>
> I did get sasl to restrict by using a pam module based on RHOST
> restrictions.
> But I don't know of any sasl abaility for the restriction, even though
> the information is there.
--
Sandro Venezuela
_____________________________________________
Linux2Business
www.linux2business.com.br
_____________________________________________
More information about the Cyrus-sasl
mailing list