Restricted access to webmail

email-module

(Gabriel GHEORGHIU) #1

In certain circumstances, is necessary that some users to not have access to email through webmail (any webmail client/app: SOGO, WebTop, …) but only through desktop apps (Outlook, Thunderbird, …).
For example:

  • John DOE, john.doe@mycompany.tld, may have access to email only through TB installed on his workstation, only when he is inside company (he can send and receive emails, inside or outside company).
  • Jane DOE, jane.doe@mycompany.tld, may have access to email through TB installed on her workstation when she is inside company (she can send and receive emails, inside or outside company) and when she is outside company, she may use webmail (any webmail client/app: SOGO, WebTop, …).

In my opinion, this can be done in the following ways:

  1. by user email address (Management -> Email addresses -> User mailboxes: Access to webmail (check box: enabled / disabled, enabled by default)
    or
  2. by groups (by adding the user to one of the groups - mandatory choice):
    a) Access to webmail (any webmail client/app: SOGO, WebTop, …)
    b) No access to webmail (any webmail client/app: SOGO, WebTop, …)
    or
  3. by group (the access to webmail is granted by default):
    a) No access to webmail (any webmail client/app: SOGO, WebTop, …), by adding the user to this group.

QUESTION: how hard is to implement this feature in one of the ways from above?

TIA,
Gabriel


(Filippo Carletti) #2

I’m not sure to understand the request, but maybe IP-based access restrictions could be a starting point.

http://docs.nethserver.org/projects/nethserver-devel/en/latest/nethserver-mail.html#ip-based-imap-access-restriction


(Saito Benkei) #3

From what I understand GG_jr wants some users to access the mail both via webmail(*) and via client (**) while others can access the mail only through a client, so without the possibility of access via webmail.

(*) SOGo/Webtop/Roundcube/etc…
(**) Thunderbird/Outlook/Apps that connect via IMAP/POP3/SMTP to mail server.


(Gabriel GHEORGHIU) #4

Yes, you are absolutely right!
I saw some email servers which can restrict access to webmail and how I said, under specific circumstances (security reasons), this is a very useful feature.


(Gabriel GHEORGHIU) #5

This can be restrict easy, but how can we restrict webmail access?


(Stéphane de Labrusse) #6

If you want to restrict with out or in your LAN, this could be easy, for your direct Issue, each webmail must be adapted I guess

for SOGo, check https://sogo.nu/files/docs/SOGoInstallationGuide.html#_authentication_using_ldap, precisely the filter (optional) you could make some conditional command, must be on this group and valid for example


(Rob Bosch) #7

This is something that in the MS world would be handled through GPO, wouldn’t it?
Depending on what webclient(s) you have installed, you could do it either at application level or by restricting webaccess to the webclient…
I am not sure what would be thje most convenient (read: least intrusive for the admin)


(Gabriel GHEORGHIU) #8

Thanks everyone for replies!
Please look at the screenshot from below.
It’s an example for how this feature is implemented.
When “Enable Web Access” is unchecked, the user can reach the login page of the webmail, can enter the username and password, but after clicking on the sign-in button, a message warns the user that this feature (webmail) is not available to him.


(Stéphane de Labrusse) #9

What is the webmail used here?


(Gabriel GHEORGHIU) #10

If you refer to the email server, it’s iMail from IPSWITCH.


(Stéphane de Labrusse) #11

Yep but the webmail of this email server is?


(Gabriel GHEORGHIU) #12

Sincerely, I have no idea! AFAIK, is developed by them.
Long time ago I have used an old version, for many years. I still use that version at a customer …
If want more info, please visit their site. It’s for Windows. :wink:


(Markus Neuberger) #13

It seems possible to block webmail via IMAP IP access restrictions as @filippo_carletti suggested.

I created a group “nowebmail”, installed nethserver-mail-ipaccess and created a custom template:

mkdir -p /etc/e-smith/templates-custom/etc/dovecot/ipaccess.conf/

Create /etc/e-smith/templates-custom/etc/dovecot/ipaccess.conf/90customblock with following content:

nowebmail@domain.local = 192.168.0.0/24

This worked perfectly for roundcube as it uses imap login. It works for SoGo as you don’t see the mailbox but login works and for webtop but there are errors about connecting to IMAP. For webtop you may disable the user as webtop admin to restrict access.

This way you could turn on/off webmail and local/www clients by group like:

onlywebmail@domain.local = 127.0.0.1
onlyvpn@domain.local = 192.168.55.0/24

Another (additional) method is the ldap filter method tough it does not work for roundcube. SoGo and webtop use the ldap filter so you may exclude users by group as @stephdl suggested.