Access control by IP

Sandro Venezuela sandro at linux2business.com.br
Thu Sep 15 16:05:11 EDT 2011


Hi,

Let me explain the situation for a better understanding of the problem.

The mailboxes are accessed only internally, but some users (directors, 
managers, etc.) want to access mailboxes from their homes through the 
Internet.

I was thinking of using any IMAP Proxy solution to solve this problem, 
but will now be studying the solutions submitted by Dan and omalleys.

If you have a few more suggestions now that you know the problem a little 
better, please say so.

thanks

Sandro

On 09-09-2011 15:54, Dan White wrote:
> I am not aware of a way to do IP based restrictions with Cyrus SASL.
>
> One way to achieve restrictive access to a mailbox, within Cyrus IMAP, is
> to reconfigure /etc/cyrus.conf with two imap entries, one for your 
> trusted
> network, and another for your untrusted network. You could then create a
> userdeny_db which selectively denies access for certain users when
> connecting from the untrusted network.
>
> For example, given the following entry in /etc/cyrus.conf:
>
> imap            cmd="imapd -U 30" listen="imap" prefork=0 maxchild=100
>
> change to:
>
> imap            cmd="imapd -U 30" listen="<trusted.ip>:imap" prefork=0 maxchild=100
> untrustedimap   cmd="imapd -U 30" listen="<untrusted.ip>:imap" prefork=0 maxchild=100
>
> sudo -u cyrus touch /var/lib/imap/user_deny.db
> sudo -u cyrus cyr_dbtool /var/lib/imap/user_deny.db flat set jsmith "2<ctrl-v><tab>untrustedimap<ctrl-v><tab>Login denied from untrusted network."
>
> Where:
>    jsmith is the user whose mailbox you want to restrict access to
>    <ctrl-v><tab> is entered from a shell, such as bash, which will not 
>    convert a tab to spaces when preceded with a control-v.
>
> See:
>
> http://cyrusimap.org/docs/cyrus-imapd/2.4.10/internal/database-formats.php 
>
>
> for details on the user_deny database structure.
>


On 14-09-2011 17:13, omalleys at msu.edu wrote:
> The easiest thing is if it is all users, to just firewall off the 
> untrusted network. I don't think you can use tcp wrappers in this case.
>
> I did get sasl to restrict by using a pam module based on RHOST 
> restrictions.
> But I don't know of any sasl ability for the restriction, even though 
> the information is there.

-- 
Sandro Venezuela
_____________________________________________
               Linux2Business
          www.linux2business.com.br
_____________________________________________
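The user_deny.db approach Dan describes above hinges on getting the record format right (version, tab, service list, tab, message) and on the service name matching the second imapd entry in cyrus.conf. The following Python is an added example written for this page, not code from the thread or from the Cyrus project: it builds records in that format, parses them back, and emulates the login-time lookup so a deny table can be sanity-checked before it is loaded with cyr_dbtool. Assumptions are labelled in the code: the service list is treated as comma-separated wildmat patterns approximated with fnmatch, the sample entries are constructed, and the `cyr_dbtool_command` helper uses bash's `$'...'` quoting as an alternative to typing `<ctrl-v><tab>`.

```python
import fnmatch

# Record version described in the Cyrus database-formats document linked above.
DENY_RECORD_VERSION = "2"


def make_deny_record(services, message):
    """Build the value stored for one user in user_deny.db.

    Three tab-separated fields: version, comma-separated list of service
    names (wildmat patterns; assumption: "*" denies every service), and
    the message the client sees when refused.
    """
    if not services:
        raise ValueError("at least one service pattern is required")
    return "\t".join([DENY_RECORD_VERSION, ",".join(services), message])


def parse_deny_record(value):
    """Split a stored value back into its fields, rejecting malformed ones.

    A record with the wrong number of tabs or an unknown version would be
    ignored or misread by imapd, so it is better caught here.
    """
    fields = value.split("\t")
    if len(fields) != 3 or fields[0] != DENY_RECORD_VERSION:
        raise ValueError(f"malformed user_deny record: {value!r}")
    _, services, message = fields
    return {"services": [s for s in services.split(",") if s],
            "message": message}


def is_denied(deny_db, user, service):
    """Emulate the check imapd makes at login (hypothetical helper).

    Returns (denied, message). A user without a record is always allowed.
    A user with a record is denied only on services matching one of the
    listed patterns, so jsmith still logs in on the trusted 'imap'
    service while being refused on 'untrustedimap'. fnmatch is an
    approximation of wildmat (it lacks wildmat's '!' negation).
    """
    record = deny_db.get(user)
    if record is None:
        return False, None
    parsed = parse_deny_record(record)
    for pattern in parsed["services"]:
        if fnmatch.fnmatchcase(service, pattern):
            return True, parsed["message"]
    return False, None


def cyr_dbtool_command(db_path, user, value):
    """Render the cyr_dbtool invocation for a record using bash ANSI-C
    quoting ($'...'), so the tabs survive without <ctrl-v><tab>."""
    escaped = (value.replace("\\", "\\\\")
                    .replace("'", "\\'")
                    .replace("\t", "\\t"))
    return f"cyr_dbtool {db_path} flat set {user} $'{escaped}'"


# Constructed sample table keyed by user, mirroring the thread's jsmith
# example plus a user locked out of every service.
SAMPLE_DENY_DB = {
    "jsmith": make_deny_record(["untrustedimap"],
                               "Login denied from untrusted network."),
    "contractor": make_deny_record(["*"], "Account suspended."),
}


if __name__ == "__main__":
    for user, value in SAMPLE_DENY_DB.items():
        print(cyr_dbtool_command("/var/lib/imap/user_deny.db", user, value))
    for user, service in [("jsmith", "imap"), ("jsmith", "untrustedimap"),
                          ("contractor", "imap"), ("alice", "untrustedimap")]:
        denied, msg = is_denied(SAMPLE_DENY_DB, user, service)
        print(f"{user}@{service}: {'DENIED ' + msg if denied else 'allowed'}")
```

The service name in the record must be the label from the first column of cyrus.conf (here `untrustedimap`), not the port or the listen address; a mismatch silently leaves the user allowed, which is the failure mode the emulated lookup makes visible before the table reaches production.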


