You can disable POP3/IMAP/SMTP services by setting value of SQL column in 'vmail.mailbox' to 0:

- mailbox.enablepop3 (and mailbox.enablepop3secured)
- mailbox.enableimap (and mailbox.enableimapsecured)
- mailbox.enablesmtp (and mailbox.enablesmtpsecured)

But since Roundcube perform user authentication via IMAP protocol directly, if you disable IMAP service for this user, he/she cannot login to Roundcube webmail anymore.

Possible solution is, update Dovecot SQL query in /etc/dovecot/dovecot-mysql.conf, reject all IMAP requests if remote IP address is not the server which hosts Roundcube webmail (e.g. 127.0.0.1): Sample SQL query:

Reference: http://wiki2.dovecot.org/Variables (Search "remote ip")

Could you please show me which file(s) you actually modified? Paste whole file (without sensitive info like password) is better.

How about disable imap/smtp/pop3 in firewall directly?

I would better suggest to create new "service" webmail and corresponding attribute enablewebmail. The implementation could be similar as Dominique suggested.
It should enable IMAP and SMTP from localhost only.

Do you guys think it's better to check whether it's imap protocol and secure connection? For webmail running on localhost, it's always considered as secure connection by Dovecot. If webmail running on another server (not same as IMAP server), it's always good idea to use IMAPS or IMAP over TLS.

For example, in dovecot-mysql.conf, it looks like this:

*) For MySQL/PostgreSQL backends, what we need to do is adding new column (mailbox.enablewebmail) and index. If you have another webmail application running on other servers, just replace '%r'='127.0.0.1' by '%r' IN ('127.0.0.1', '192.168.1.1').
*) For OpenLDAP (or OpenBSD ldapd) backend, we have to add below LDAP attribute/value pair for all existing mail users.

enabledService=webmail-127.0.0.1-imapsecured

LDAP filter is not flexible like SQL query, so we have to hard-code remote IP address, protocol, secure connection in LDAP value. If you have multiple webmail servers, you have to add multiple values for ldap attribute 'enabledService' like below:

enabledService=webmail-192.168.1.1-imapsecured

Good or bad?

I believe Dovecot will always get the remote IP address.

IMO, your IMAP servers won't be changed too often, so i think it's acceptable to modify dovecot-xxsql.conf to add it. For ISP who has many mail servers, that will be a problem. But let's make it simpler right now.

P.S. Already committed into iRedMail source code, and upgrade steps were added in upgrade tutorial for upcoming iRedMail release.
https://bitbucket.org/zhb/iredmail/comm … ebe84e0c00

This wouldn't work as you turned it into 2 conditions that need to be met. 
The first condition will just disable every imapsecured connection, which is achieving the opposite of what we want here. 

I'll show you what would happen when trying to connect over imapsecured: 

AND (mailbox.enableimapsecured=1 AND 'imapsecured' <> 'imapsecured')

This would of course fail and refuse connection.

The right solution was already provided in this thread.

I don't think, it's wrong.
The first line is for all protocols but imapsecured.
The second is only for imapsecured and enables is correctly (enablewebmail required for localhost OR emableimapsecured for remote access)

I just did error - I used || instead of OR in SQL...

Correct is:

AND (mailbox.enable%Ls%Lc=1 AND '%Ls%Lc' <> 'imapsecured' )
AND ('%Ls%Lc' = 'imapsecured'  AND ((mailbox.enablewebmail=1 AND '%r'='127.0.0.1') OR (mailbox.enableimapsecured=1 AND '%r' <> '127.0.0.1')))

What do you mean by this?

Example 1:
connection from IP 192.168.0.11
remote_webmail_ips_attribute is "" (not set)

It evaluates to "" like '%192.168.0.11%' => FALSE

Example 2:
connection from IP 192.168.0.11
remote_webmail_ips_attribute is "192.168.0.11, 192.168.0.12"

It evaluates to "192.168.0.11, 192.168.0.12" like '%192.168.0.11%' => TRUE

It wouldn't work only in case %r will be empty - it shouldn't happen.

if you do whateverfield LIKE '%' which is the first of your 3 optional conditions it would always be met... try it

and for example, the last part of your query says

OR  '%'

what would this accomplish?

I just tried this on MySQL and it always fails the condition

while

OR '%r'

always is met again, as it will return TRUE

I see, I didnt' know that as I'm not familiar with postgresql... it seems to be different than all SQLs I used in the past.  As I do understand that every language can choose its own syntax, it's weird to use double pipes for anything else than what the world considers it to mean, which is an logical OR... IMHO

Yes, it's good to understand each other... I'll have to keep an open mind in the future when it comes to SQL syntax.

It's good that postgresql follows SQL standards... but I noticed they also support CONCAT (which is an SQL standard while || isn't) so I suppose it's also a nice idea to use these standards in your queries, whatever SQL you're using.... that way it's easier to maintain when one has to translate a query to a different SQL platform.  For that reason I would never use || in an statement instead of AND because I know that not every SQL supports it.  It seems like postgresql is also guilty when it comes to duplicating functions... wouldn't things be a lot easier is there was only 1 standard for everything?  (VHS/Betamax, DVD+R/DVD-R...)

And I do the same, SQL keywords in capitals and the rest in small letters... and never use capitals in table of field names, as some SQL platforms are case sensitive... even MySQL changed this a while ago, from not case sensitive, to case sensitive with the upgrade to a new version... cause quite the headache to people using CamelCaps.

Cheers to you!

It doen's have any reason from practice. It's just because I try to strictly follow the enable/disable logic of the attributes.

It should be the same logic like for example smtp:
If you enablesmtp=1, you expect it to be enabled, also if you enablesmtp=0, you expect the server to reject incoming mails via this SMTP AUTH account.
It doesn't depend on any other enableXXX.

In the same logic:
If you set enablewebmail=1, webmail should work w/o any additional requirements and if you set enablewebmail=0, it shouldn't work.

We both know, webmail works thru imap secure, but many users don't and they could wonder (and will by IMO right), why user can access webmail if he/she has enablewebmail=0.

If, we created new explicit rule to access webmail - so if the enablewebmail = 1, webmail should be accessible (no additional requirements) and also the opposite / if enablewebmail = 0, it shouldn't be accessible.