Permits the access of mail/groupware services related protocols only from trusted network

saitobenkei (Saito Benkei) 2017-09-13 14:05:09 UTC #1

I would like to have the possibility for some users to resrtict the access at mail services (imap/pop3/smtp/webmail/nethtop) only from trusted network (Green network and Trusted Networks).

Some ideas/implementation?

TIA

Edit:

the request is valid for all email/groupware related protocols (CalDAV/CardDAV/ActiveSync/etc…)

IP-based IMAP access restriction

pike (Michael Kicks) 2017-09-13 14:11:58 UTC #2

If users are have strong-enough passwords, there should not be any kind of problem publishing services to internet…
Anyway: if firewall package is installed, you can define rules for access to services (only if NethServer is configured as gateway with two network adapters)

saitobenkei (Saito Benkei) 2017-09-13 14:16:45 UTC #3

I explain better:

There are some companies where some users have the permission to access to their mailbox in the company network and via internet (with smartphones/webmail/etc), but other users have permission to access only when they are at work, so they can’t access to their mailbox via internet.

I need to implement this.

pike (Michael Kicks) 2017-09-13 14:23:47 UTC #4

I don’t know if there’s a way to allow the specific user login only from a zone…
@dev_team?

saitobenkei (Saito Benkei) 2017-09-13 14:32:49 UTC #5

There’s something here for pop3/imap:

https://wiki.dovecot.org/PostLoginScripting

saitobenkei (Saito Benkei) 2017-09-28 14:15:03 UTC #6

For Webtop/Nethtop someone has opened an issue 3 days ago:

https://redmine.sonicle.com/issues/296

davidep (Davide Principi) 2017-12-08 13:30:06 UTC #7

Filed an issue here too

https://github.com/NethServer/dev/issues/5395

davidep (Davide Principi) 2017-12-19 10:36:26 UTC #8

This is now available from nethserver-testing repo /cc @quality_team

yum --enablerepo=nethserver-testing update nethserver-mail-server

Implemented a new prop, dovecot/RestrictedAccessGroup. The value is a long group name. Members of the given group have IMAP access restricted to trusted networks.

In a next iteration an UI field can be added under Email > Mailboxes tab.

davidep (Davide Principi) 2018-01-18 13:34:47 UTC #9

I’ve updated the testing package. Now this new feature is available from a “subpackage”

yum --enablerepo=nethserver-testing update nethserver-mail-server
yum --enablerepo=nethserver-testing install nethserver-mail-server-ipaccess

The test case has been modified accordingly /cc @quality_team