Re: Access control by IP

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi,

Let me explain the situation to a better understanding of the problem.
The mailboxes are accessed only internally, but some users (directors, managers, etc.) want to access mailboxes from their homes through the Internet.
I was thinking of using any IMAP Proxy solution to solve this problem, but will now be studying the solutions submitted by Dan and omalleys.
If you have a few more suggestions now that they know a little better the problem, you might say. 

thanks

Sandro

Em 09-09-2011 15:54, Dan White escreveu:

I am not aware of a way to do IP based restrictions with Cyrus SASL.

One way to achieve restrictive access to a mailbox, within Cyrus IMAP, is
to reconfigure /etc/cyrus.conf with two imap entries, one for your trusted 
network, and another for your untrusted network. You could then create a
userdeny_db which selectively denies access for certain users when
connecting from the untrusted network.

For example, given the following entry in /etc/cyrus.conf:

imap            cmd="imapd -U 30" listen="imap" prefork=0 maxchild=100

change to:
imap cmd="imapd -U 30" listen="<trusted.ip>:imap" prefork=0 maxchild=100 untrustedimap cmd="imapd -U 30" listen="<untrusted.ip>:imap" prefork=0 maxchild=100 

sudo -u cyrus touch /var/lib/imap/user_deny.db
sudo -u cyrus cyr_dbtool /var/lib/imap/user_deny.db flat set jsmith "2<ctrl-v><tab>untrustedimap<ctrl-v><tab>Login denied from untrusted network." 

Where:
   jsmith is the user who's mailbox you want to restrict access to
<ctrl-v><tab> is entered from a shell, such as bash, which will not convert a tab to spaces when preceded with a control-v. 

See:
http://cyrusimap.org/docs/cyrus-imapd/2.4.10/internal/database-formats.php 

for details on the user_deny database structure.




Em 14-09-2011 17:13, omalleys@xxxxxxx escreveu:
The easiest thing is if it is all users, to just firewall off the untrusted network. I don't think you can use tcp wrappers in this case.
I did get sasl to restrict by using a pam module based on RHOST restrictions. But I don't know of any sasl abaility for the restriction, even though the information is there. 

--
Sandro Venezuela
_____________________________________________
              Linux2Business
         www.linux2business.com.br
_____________________________________________
[Index of Archives]     [Info Cyrus]     [Squirrel Mail]     [Linux Media]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux