Access control by IP

Joost Roeleveld joost at antarean.org
Fri Sep 16 07:39:11 EDT 2011


On Thursday, September 15, 2011 05:05:11 PM Sandro Venezuela wrote:
> Hi,
> 
> Let me explain the situation to a better understanding of the problem.
> 
> The mailboxes are accessed only internally, but some users (directors,
> managers, etc.) want to access mailboxes from their homes through the
> Internet.
>
> I was thinking of using any IMAP Proxy solution to solve this problem,
> but will now be studying the solutions submitted by Dan and omalleys.
> 
> If you have a few more suggestions now that they know a little better
> the problem, you might say.

If they want to access from their home-PC/laptop, why not set up a VPN-access 
for them?
Added bonus, they can then also access the files on other servers and all 
through a secure and encrypted connection (provided the VPN-software used uses 
encryption)

--
Joost

> 
> thanks
> 
> Sandro
> 
> Em 09-09-2011 15:54, Dan White escreveu:
> > I am not aware of a way to do IP based restrictions with Cyrus SASL.
> > 
> > One way to achieve restrictive access to a mailbox, within Cyrus IMAP,
> > is
> > to reconfigure /etc/cyrus.conf with two imap entries, one for your
> > trusted
> > network, and another for your untrusted network. You could then create a
> > userdeny_db which selectively denies access for certain users when
> > connecting from the untrusted network.
> > 
> > For example, given the following entry in /etc/cyrus.conf:
> > 
> > imap            cmd="imapd -U 30" listen="imap" prefork=0 maxchild=100
> > 
> > change to:
> > 
> > imap            cmd="imapd -U 30" listen="<trusted.ip>:imap" prefork=0
> > maxchild=100
> > untrustedimap   cmd="imapd -U 30" listen="<untrusted.ip>:imap"
> > prefork=0 maxchild=100
> > 
> > sudo -u cyrus touch /var/lib/imap/user_deny.db
> > sudo -u cyrus cyr_dbtool /var/lib/imap/user_deny.db flat set jsmith
> > "2<ctrl-v><tab>untrustedimap<ctrl-v><tab>Login denied from untrusted
> > network."
> > 
> > Where:
> >    jsmith is the user who's mailbox you want to restrict access to
> > 
> > <ctrl-v><tab> is entered from a shell, such as bash, which will not
> > convert a tab to spaces when preceded with a control-v.
> > 
> > See:
> > 
> > http://cyrusimap.org/docs/cyrus-imapd/2.4.10/internal/database-formats.p
> > hp
> > 
> > 
> > for details on the user_deny database structure.
> 
> Em 14-09-2011 17:13, omalleys at msu.edu escreveu:
> > The easiest thing is if it is all users, to just firewall off the
> > untrusted network. I don't think you can use tcp wrappers in this case.
> > 
> > I did get sasl to restrict by using a pam module based on RHOST
> > restrictions.
> > But I don't know of any sasl abaility for the restriction, even though
> > the information is there.


More information about the Cyrus-sasl mailing list