1

Topic: How to allow only access through webmail (roundcube) for a user?

Hi.
I got a question. How can I disable remote SMTP/POP/IMAP access for a particular user, and allow access only through webmail (Roundcube)?
I can't simply set "enableimap" to 0 in `mailbox` table because then roundcube won't work (it uses IMAP).

Also, simply disabling SMTP and POP3 (enablesmtp, enablepop3) would not be enough, he/she could still use IMAP.

Is there a quick way to do this? Preferably using the MySQL tables, so I can write a PHP script to easily enable/disable it?

2

Re: How to allow only access through webmail (roundcube) for a user?

No idea yet. Because Roundcube uses IMAP, it's not possible to control webmail this way.

I think you can hack Roundcube to check the user's access privilege with a MySQL query before/after user authentication, such as:

SELECT username FROM mailbox WHERE username='www@example.com' AND enablewebmail='1'

3

Re: How to allow only access through webmail (roundcube) for a user?

I don't think that would be enough, because Roundcube also uses IMAP to read the user's mail, and will be totally blocked if he/she doesn't have IMAP enabled.

I will research it, to see if I can make a MySQL map for Postfix that is IP dependent. The problem, as I see it right now, is that Postfix doesn't send the IP when checking check_recipient_access & co, only the username.

4 (edited by maxie_ro 2009-10-20 20:22:11)

Re: How to allow only access through webmail (roundcube) for a user?

I found a way to disable remote POP3/IMAP, and allow only locally.

Add another field to the `mailbox` table, called `pwd_change_enforced` (or whatever). If set to 0 (default), everything is OK. If set to 1, the user cannot log in remotely and can only use Roundcube (which will immediately redirect him to the password change page).

and then modify "user_query" in dovecot-mysql.conf to:

user_query = SELECT CONCAT(storagebasedirectory, '/', maildir) AS home, CONCAT('*:bytes=', quota*1048576) AS quota_rule FROM mailbox WHERE username='%u' AND active='1' AND enable%Ls='1' AND expired >= NOW() AND (pwd_change_enforced = 0 OR (pwd_change_enforced=1 AND ('%l' = '%r')))

%l expands to the local address (127.0.0.1), %r expands to the remote IP. If remote IP = local IP, then the user is accessing mail using Roundcube.
Tested and working exactly as expected.
Lemme see what I can do about postfix (smtp) now...

5

Re: How to allow only access through webmail (roundcube) for a user?

If remote IP = local IP, then user is accessing mail using roundcube

Nice solution.
But it will fail if the SA deploys Roundcube on another server.

And I think the 'pwd_change_enforced' column is not required in this case.

6 (edited by maxie_ro 2009-10-20 20:42:47)

Re: How to allow only access through webmail (roundcube) for a user?

Well, I was talking about my own server. Roundcube is running here... But that can be modified...

...... AND (pwd_change_enforced = 0 OR (pwd_change_enforced=1 AND ('xx.xx.xx.xx' = '%r')))

`pwd_change_enforced` is required actually, because I want certain users to change their password because they have very, very weak passwords. So, if I set `pwd_change_enforced` to 1 and enablesmtp to 0, they won't be able to use Outlook/Thunderbird to read mail, and nothing to send mail with (Roundcube included). They will have to log in to Roundcube, and when they do, they'll get redirected to the password change page, with a big warning that they must change their password. After they do, `pwd_change_enforced` gets set back to 0 and enablesmtp to 1, and everything is OK again.

Obviously, this will only work with a MySQL-enabled server, not LDAP. But I guess something similar can be done with LDAP too.
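The schema change, the toggle statements an admin PHP page would issue, and a dry run of the user_query predicate from the two posts above, as an added example that is not part of the thread. Table and column names (mailbox, pwd_change_enforced, enablesmtp, enableimap, enablepop3) follow the thread; the username, the client IP and the @webmail_ip session variable are constructed for the example.

```sql
-- Added example (not from the thread). MySQL dialect, as used by iRedMail.
-- The username and IP addresses below are constructed sample values.

-- 1. Flag column; 0 (default) keeps the current behaviour.
ALTER TABLE mailbox
  ADD COLUMN pwd_change_enforced TINYINT(1) NOT NULL DEFAULT 0;

-- 2. Restrict a user to webmail: remote IMAP/POP3 is refused by the user_query
--    and SMTP submission is switched off until the password has been changed.
UPDATE mailbox
   SET pwd_change_enforced = 1, enablesmtp = 0
 WHERE username = 'user@example.com';

-- 3. Dry run of the Dovecot user_query from the mysql client before editing
--    dovecot-mysql.conf. Dovecot's %u, %r and %Ls are replaced by session
--    variables; @webmail_ip is the address the webmail host connects from
--    ('127.0.0.1' when Roundcube is local, the other server's address otherwise,
--    which is the hard-coded 'xx.xx.xx.xx' variant above).
SET @u = 'user@example.com', @r = '203.0.113.5', @svc = 'imap', @webmail_ip = '127.0.0.1';
SELECT CONCAT(storagebasedirectory, '/', maildir) AS home,
       CONCAT('*:bytes=', quota * 1048576)        AS quota_rule
  FROM mailbox
 WHERE username = @u
   AND active = '1'
   AND ((@svc = 'imap' AND enableimap = '1') OR (@svc = 'pop3' AND enablepop3 = '1'))
   AND expired >= NOW()
   AND (pwd_change_enforced = 0 OR (pwd_change_enforced = 1 AND @webmail_ip = @r));
-- For a flagged user the last AND term only holds when the connection comes
-- from @webmail_ip; any other client address yields no row, so Dovecot refuses
-- the login. Rerun with @r = @webmail_ip to confirm the webmail path still works.

-- 4. After the password change: restore normal access.
UPDATE mailbox
   SET pwd_change_enforced = 0, enablesmtp = 1
 WHERE username = 'user@example.com';

-- 5. Admin overview of users still restricted.
SELECT username, enablesmtp FROM mailbox WHERE pwd_change_enforced = 1;
```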

7

Re: How to allow only access through webmail (roundcube) for a user?

OK, first problem... They can send mail from Roundcube even if `enablesmtp` = 0 in `mailbox`, because

mynetworks = 127.0.0.0/8

in "main.cf" for Postfix.

Can I remove "permit_mynetworks" from "smtpd_sender_restrictions" so the flag in the database actually gets used when sending from Roundcube (127.0.0.1)?