IP-based IMAP access restriction

davidep · December 19, 2017, 10:33am

This is now available from nethserver-testing repo /cc @quality_team

yum --enablerepo=nethserver-testing update nethserver-mail-server

github.com/NethServer/dev

IP-based IMAP access restriction

opened 11:40AM - 05 Dec 17 UTC

closed 09:08AM - 23 Jan 18 UTC

DavidePrincipi

verified

As sysadmin I want to limit some users to access the IMAP service from specific …networks. Limiting only a group of users makes impossible to act at the firewall level. As Dovecot implements an ``allow_nets=`` extra login field, we could leverage the `dovecot-postlogin` script to enforce an IP-based policy based on group membership. See also - https://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets - https://community.nethserver.org/t/permits-the-access-of-mail-groupware-services-related-protocols-only-from-trusted-network/7792

Implemented a new prop, dovecot/RestrictedAccessGroup. The value is a long group name. Members of the given group have IMAP access restricted to trusted networks.

In a next iteration an UI field can be added under Email > Mailboxes tab.

davidep · December 19, 2017, 10:36am

A post was merged into an existing topic: Permits the access of mail/groupware services related protocols only from trusted network

robb · January 9, 2018, 12:58pm

Just thinking out loud:
What if we can use a geo block instead of a single IP address? If a Mailserver is directly connected to the internet, it might be a nice featurew to block all IP addresses that do not come from your country part of the world. If you are in Europe and you could filter out access from Russia, USA, China, etc… just my gut feeling, but it might limit a lot of unwanted traffic.

davidep · January 9, 2018, 1:15pm

Sounds like a firewall feature