1 (edited by rk 2015-03-24 19:40:51)

Topic: Restricting authenticated sender IP

======== Required information ====
- iRedMail version: 0.9 + iRedAdmin-Pro 2.2.2
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Apache
- Linux/BSD distribution name and version: FreeBSD 9.3
- Related log if you're reporting an issue: N/A
====

Is it possible to restrict SMTP usage of specific authenticated senders to a (list of) IPs?

I'd like to create additional accounts for some (e.g. LAN) users with customised settings (limits) but I don't want these users to be able to use such accounts from WAN.


2

Re: Restricting authenticated sender IP

iRedMail doesn't have such a restriction for the smtp service. But how about restricting them to only send to and receive from certain domains?

With the latest iRedAdmin-Pro, you can set a white/blacklist for these users in the user profile page, under the tab "White/Blacklist". If you just want to allow these users to send to or receive from the same domain, add '@your_domain.com' as whitelisted senders, add '@.' (there's a dot after '@') as blacklisted senders.

If you want to restrict all users under one domain, please add the above white/blacklist in the domain profile page, under the tab "White/Blacklist", to make it a per-domain setting.

3

Re: Restricting authenticated sender IP

I see I didn't make my point.

I need to restrict the sender to certain IPs. The sender is then allowed (if authenticated) to send mails to anyone.

I found this: http://wiki2.dovecot.org/PasswordDataba … /AllowNets and I will try to investigate in this direction, but maybe the restriction can be achieved by a custom iredapd plugin?

4

Re: Restricting authenticated sender IP

The link you provided is for Dovecot, which manages IMAP/POP3, not SMTP. You'll have to look into Postfix SMTPD Sender Maps if they have IP Relevant Access restrictions.

5

Re: Restricting authenticated sender IP

I know, but Postfix is using Dovecot for SASL auth so I think it's a possible way. The APD solution seems feasible too.

6

Re: Restricting authenticated sender IP

Custom apd plugin could do it.

7

Re: Restricting authenticated sender IP

rk wrote:

I know, but Postfix is using Dovecot for SASL auth so I think it's a possible way.

You're right, Postfix uses Dovecot for SASL auth, and Dovecot will query 'enabledService=smtp' (or smtpsecured) when Postfix performs smtp auth.

rk wrote:

I need to restrict the sender to certain IPs. The sender is then allowed (if authenticated) to send mails to anyone.

I found this: http://wiki2.dovecot.org/PasswordDataba … /AllowNets and I will try to investigate in this direction, but maybe the restriction can be achieved by a custom iredapd plugin?

This does work. I know this because another user contributed his steps here:
http://www.iredmail.org/forum/topic8771 … twork.html

If you check all posts in the above link, you can see it doesn't support a per-domain setting. But it should be fine if we simply update ALL mail accounts under the same domain to have the same allowNets setting.

8

Re: Restricting authenticated sender IP

UPDATE:

I implemented this (allow_nets) in iRedMail:
https://bitbucket.org/zhb/iredmail/comm … 66cfd11f96

With the next release of iRedMail, you can list allowed IP addresses and/or networks in the LDAP attribute 'allowNets', or the SQL column 'mailbox.allow_nets'. Multiple IPs/Nets must be separated by commas.
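
Added example, not part of the original posts and not iRedMail's or Dovecot's own code: a small Python audit of comma-separated 'allowNets' / 'mailbox.allow_nets' values, showing which accounts are confined to the LAN and which are still usable from WAN. The function names, the LAN definition and the sample accounts are assumptions made for illustration, and an unset value is assumed to mean no restriction.

```python
import ipaddress

# Assumption: the site's "LAN" is RFC 1918 space plus loopback; adjust to your network.
LAN = [ipaddress.ip_network(n) for n in
       ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_allow_nets(value):
    """Parse a comma-separated allowNets / mailbox.allow_nets value into networks."""
    nets = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            raise ValueError(f"empty entry in {value!r}")
        # strict=False normalises host-with-mask entries such as 192.168.1.7/24
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets

def is_allowed(value, client_ip):
    """Would client_ip pass the list? None (unset) is assumed to mean unrestricted."""
    if value is None:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip.version == n.version and ip in n for n in parse_allow_nets(value))

def audit(accounts):
    """Return {account: reason} for accounts that are not confined to the LAN."""
    findings = {}
    for user, value in accounts.items():
        if value is None:
            findings[user] = "allowNets not set"
            continue
        try:
            outside = [str(n) for n in parse_allow_nets(value)
                       if not any(n.version == lan.version and n.subnet_of(lan) for lan in LAN)]
        except ValueError as exc:
            findings[user] = f"malformed: {exc}"
            continue
        if outside:
            findings[user] = "outside LAN: " + ", ".join(outside)
    return findings

# Constructed sample data, e.g. as exported from LDAP or the mailbox table.
SAMPLE = {
    "lan-user@example.com": "192.168.1.0/24, 10.0.0.5",
    "mixed@example.com": "192.168.1.0/24,203.0.113.0/24",
    "open@example.com": None,
    "typo@example.com": "192.168.1.0/24,,10.0.0.1",
}
```

Calling audit(SAMPLE) returns findings for every account except lan-user@example.com; is_allowed() can be used to confirm that a given WAN address would be refused for a restricted account.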

9

Re: Restricting authenticated sender IP

Works like a charm! Thanks a lot!