Timo Neuvonen
2006-Mar-11 10:56 UTC
[Dovecot] Limiting Dovecot access by user-specific ip addresses?
Hi,

Is there any possibility to limit access to mailboxes by user-specific ip addresses?

So, I'd like to have a configuration which by default restricts reading emails to company's own ip-address range. So far, this could be achieved by a basic firewall rule, but not any more the following:

However, there is need for a few users to access their emails from world-wide internet, so there should be a possibility to define for certain users an option to skip the allowed address range check.

Regards,
Timo
Timo Sirainen
2006-Mar-11 11:16 UTC
[Dovecot] Limiting Dovecot access by user-specific ip addresses?
On Mar 11, 2006, at 12:56 PM, Timo Neuvonen wrote:
> Is there any possibility to limit access to mailboxes by user-specific ip
> addresses?

Yes, but I added it only a while ago so it's still only in CVS. Also you'll need a userdb which allows you to specify "extra options", eg. passwd-file, sql, ldap. Syntax is eg.:

    allow_nets=192.168.0.0/16,127.0.0.0/8
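An added example, not part of the original messages and not Dovecot's own code: a small audit script that models the comma-separated `allow_nets` syntax shown above and reports which accounts can log in from outside the company range. The user table, the `COMPANY_NETS` name, and the treatment of a missing value as "no restriction" are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample data: user -> allow_nets value in the syntax from the thread.
# None models an account with no allow_nets set (assumed here: no restriction).
COMPANY_NETS = "192.168.0.0/16,127.0.0.0/8"
USERS = {
    "alice": COMPANY_NETS,
    "bob": COMPANY_NETS + ",203.0.113.7",  # office plus one fixed outside address
    "carol": None,                          # roaming user, range check skipped
    "dave": "192.168.0.0/33",               # typo: invalid prefix length
}

def parse_allow_nets(value):
    """Split a comma-separated allow_nets string into network objects."""
    nets = []
    for item in value.split(","):
        item = item.strip()
        if item:
            # strict=False tolerates host bits, e.g. 192.168.1.5/16
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets

def is_allowed(allow_nets, client_ip):
    """True if client_ip is inside any listed network; None means unrestricted."""
    if allow_nets is None:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip.version == n.version and ip in n
               for n in parse_allow_nets(allow_nets))

def audit(users, company_nets):
    """Label each account: company-only, extra-nets, unrestricted or invalid."""
    company = parse_allow_nets(company_nets)
    report = {}
    for user, value in users.items():
        if value is None:
            report[user] = "unrestricted"
            continue
        try:
            nets = parse_allow_nets(value)
        except ValueError:  # malformed entry: flag it instead of guessing
            report[user] = "invalid"
            continue
        inside = all(any(n.version == c.version and n.subnet_of(c)
                         for c in company) for n in nets)
        report[user] = "company-only" if inside else "extra-nets"
    return report

if __name__ == "__main__":
    for user, status in audit(USERS, COMPANY_NETS).items():
        print(f"{user:6} {status}")
```

Accounts reported as `unrestricted` or `extra-nets` are the exceptions to the default company-only policy and are the ones worth reviewing periodically.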
Bob Hope
2006-Mar-11 15:15 UTC
[Dovecot] Limiting Dovecot access by user-specific ip addresses?
If your users are stored in MySQL, couldn't a variable be added to the dovecot-sql.conf section to do something like "user_query = SELECT home, uid, gid FROM users WHERE userid = '%u' and ip='%ip'"?

I realize the %ip would have to be added, but that should be an easy addition. Then you can just put an ip range or single ip in the MySQL table from which the user is allowed to authenticate.

Tom

Timo Neuvonen wrote:
> Hi,
>
> Is there any possibility to limit access to mailboxes by user-specific ip
> addresses?
>
> So, I'd like to have a configuration which by default restricts reading
> emails to company's own ip-address range. So far, this could be achieved by
> a basic firewall rule, but not any more the following:
>
> However, there is need for a few users to access their emails from
> world-wide internet, so there should be a possibility to define for certain
> users an option to skip the allowed address range check.
>
> Regards,
> Timo