Limiting remote access to Cyrus IMAP mailboxes

Marco van Beek (United Kingdom) asked:

I am looking for a way to restrict remote access to our IMAP server for some users so that they can only access it from the local network, and not externally. I could do this with some sort of proxy server, but that does seem to be a rather large hammer for a fairly small nail. Every other service we run has the ability to restrict access via IP address in some way.

Our IMAP server is running Cyrus on Ubuntu 10.04 LTS.

Any ideas, anyone?
noci:

Ever thought about the /etc/hosts.allow file?
Add entries like:

# /etc/hosts.allow -- daemon names are matched against the service names in
# /etc/cyrus.conf (imap, imaps, pop3, pop3s by default), and only take effect
# if Cyrus was built with tcp_wrappers (libwrap) support
imap, imaps, pop3, pop3s: yr.net.addr.0/255.255.255.0
# /etc/hosts.deny -- needed as well: with no deny entry, hosts.allow alone blocks nothing
imap, imaps, pop3, pop3s: ALL

That should work (for most servers anyway).
Do you want to block remote access by everyone? Block the IMAP port at the firewall.
For just some IP addresses? You can use hosts.allow or the firewall again.
If some people need to have access to the IMAP server from remote locations, is it possible to give them a VPN connection to the network and then block any non-LAN connection?

As usual there are probably several ways to do it, but without knowing more of the exact situation, it's a little hard to suggest more.
Marco van Beek (asker):
We only want to limit certain users, not a wholesale external block (otherwise I could just firewall the ports off, or in this specific case, turn off port forwarding through the NAT gateway). VPN is a problem because of people using mobile devices that have no way of automatically triggering a VPN connection before checking email, and leaving the VPN running just sucks the battery life.

In Apache, for example, we have a group that is allowed access from non-local addresses and all the rest only have local access.

Ideally I am looking for something similar for imapd.conf or cyrus.conf.

AFAICT, Cyrus IMAP has no support for that.

If your users are in LDAP, you might be able to create a query that accepts when the address is right and presents a nonexistent user if the address is "bad", but that's really a bit beyond me.
Some wild idea:
Then again, if you can solve it for Apache, can Apache be used as a reverse proxy for this?
Yes, I could use a proxy, although probably not Apache. There are a few out there, but I would still need to find out how each of their authentication mechanisms works to know if it was feasible.

We use ldap as the authentication database, but that doesn't care where the user is in the world. One option might be to run two different imapd.conf files, one for the internal network and one for the external one, with different authentication requirements, but again, all sounds like a bit of a bodge at the moment.
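Added example (not code from the thread, from Cyrus, or from tcp_wrappers): a small Python model of the two policies discussed above, noci's hosts.allow suggestion and the Apache-style per-user rule the asker describes. The first part evaluates hosts.allow/hosts.deny text the way tcp_wrappers does (first match in hosts.allow grants, then first match in hosts.deny refuses, otherwise the connection is allowed) for a subset of the client patterns. The second part expresses the per-user rule: anyone from the LAN, only a named group from outside. The rule files, networks, user names and the `REMOTE_OK_USERS` group are constructed placeholders. What it makes concrete is that the hosts.allow decision is taken per client address before any LOGIN is sent, so it cannot see the username; a per-user check has to live somewhere that sees both, which in this thread means a front-end proxy.

```python
import ipaddress

# Constructed sample files (placeholders, not from the thread). Daemon names are
# matched against the service names in /etc/cyrus.conf (imap, imaps, pop3, pop3s).
HOSTS_ALLOW = """
# LAN may use every mail service; one fixed outside host may use IMAPS only
imap, imaps, pop3, pop3s: 192.168.1.0/255.255.255.0
imaps: 203.0.113.10
"""
HOSTS_DENY = """
# Without this, hosts.allow on its own blocks nothing: the default is allow
imap, imaps, pop3, pop3s: ALL
"""


def parse_rules(text):
    """Turn 'daemon_list : client_list' lines into ([daemons], [patterns]) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern, ip):
    """Subset of tcp_wrappers client patterns: ALL, an exact address,
    a trailing-dot prefix (192.168.1.), net/dotted-mask and net/prefix-length."""
    addr = ipaddress.ip_address(ip)
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "/" in pattern:
        # ip_network accepts both 10.0.0.0/8 and 10.0.0.0/255.0.0.0
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)


def rule_matches(rule, daemon, ip):
    daemons, patterns = rule
    return ("ALL" in daemons or daemon in daemons) and any(
        client_matches(p, ip) for p in patterns)


def hosts_access(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcp_wrappers decision order: hosts.allow, then hosts.deny, then allow."""
    if any(rule_matches(r, daemon, ip) for r in parse_rules(allow)):
        return True
    if any(rule_matches(r, daemon, ip) for r in parse_rules(deny)):
        return False
    return True


# Per-user policy the asker wants (assumed values). tcp_wrappers runs before the
# LOGIN command, so it never sees the username, and Cyrus has no option for this
# either; the check would have to sit in a front-end proxy that sees both.
LAN_NETS = [ipaddress.ip_network("192.168.1.0/24")]
REMOTE_OK_USERS = {"alice"}


def imap_login_allowed(user, ip):
    """Anyone may log in from the LAN; only REMOTE_OK_USERS may log in from elsewhere."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in LAN_NETS):
        return True
    return user in REMOTE_OK_USERS


if __name__ == "__main__":
    for daemon, ip in [("imap", "192.168.1.20"), ("imap", "203.0.113.10"),
                       ("imaps", "203.0.113.10"), ("sieve", "203.0.113.10")]:
        print(daemon, ip, "allowed" if hosts_access(daemon, ip) else "refused")
    for user, ip in [("bob", "192.168.1.9"), ("bob", "198.51.100.5"),
                     ("alice", "198.51.100.5")]:
        print(user, ip, "allowed" if imap_login_allowed(user, ip) else "refused")
```

Note the `sieve` case: a service with no entry in either file is allowed, which is why a hosts.deny line has to name every Cyrus service you mean to restrict.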
ASKER CERTIFIED SOLUTION
noci:

Marco van Beek (asker):
Looks like what I want to do isn't possible in the way I would like to do it. Oh well. Back to the drawing board!