1 (edited by system-license 2018-10-15 14:34:39)

Topic: restrict ip access for administrator

2 (edited by system-license 2018-10-15 12:46:22)

Re: restrict ip access for administrator

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):  0.9.7
- Linux/BSD distribution name and version: centos 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): ldap
- Web server (Apache or Nginx): nginx
- Manage mail accounts with iRedAdmin-Pro? yes 3.1
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

In iRedMail, under advanced settings there is "restrict mail user to login from specified IP addresses or networks".
It is supposed to allow only the specified IP to log in under the user login.
However, upon setting it, it does not take effect. Do we need to restart the service for it to take effect?

3

Re: restrict ip access for administrator

This is IP restrictions for POP3/IMAP/SMTP services, not for iRedAdmin-Pro login.

4

Re: restrict ip access for administrator

To restrict IP login for iRedAdmin-Pro, please use the Nginx built-in ACL. We have a sample config in the Nginx config file /etc/nginx/templates/iredadmin.tmpl like below:

location ~ ^/iredadmin(.*) {
    ...

    # Access control
    #allow 127.0.0.1;
    #allow 192.168.1.10;
    #allow 192.168.1.0/24;
    #deny all;
}

You need to uncomment the 'allow', 'deny' lines, and replace above sample IP addresses/networks by your real ones.

5

Re: restrict ip access for administrator

ZhangHuangbin wrote:

To restrict IP login for iRedAdmin-Pro, please use the Nginx built-in ACL. We have a sample config in the Nginx config file /etc/nginx/templates/iredadmin.tmpl like below:

location ~ ^/iredadmin(.*) {
    ...

    # Access control
    #allow 127.0.0.1;
    #allow 192.168.1.10;
    #allow 192.168.1.0/24;
    #deny all;
}

You need to uncomment the 'allow', 'deny' lines, and replace above sample IP addresses/networks by your real ones.

If we use the above, will it block all users from logging in except from the specified IP? We are hoping to allow the specified IP for the global admin login only and not all users. Is this possible?

Thanks

6

Re: restrict ip access for administrator

system-license wrote:

If we use the above, will it block all users from logging in except from the specified IP? We are hoping to allow the specified IP for the global admin login only and not all users. Is this possible?

Oh, this is simpler.

Add setting "GLOBAL_ADMIN_IP_LIST" in iRedAdmin-Pro config file "settings.py" like below, then restart uwsgi service.

# List of IP addresses which global admins are allowed to login from.
# e.g. ['127.0.0.1', '192.168.1.1']
# Valid formats:
#   - Single IP address: 192.168.1.1
#   - IP range:         192.168.1.1-30
#   - Whole subnet:     192.168.1
GLOBAL_ADMIN_IP_LIST = ['192.168.1.1', '192.168.2.1']
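
Added example, not part of the original post and not iRedAdmin-Pro's own code: a sketch of how the three entry formats listed above (single IP, last-octet range, three-octet subnet) can be matched on parsed addresses, so that an entry like 192.168.1 does not also admit 192.168.10.x the way a string-prefix comparison would. The function names, the sample list and the "empty list means unrestricted" behaviour are assumptions made for this illustration.

```python
import ipaddress

# Constructed sample list using the three formats named in the post above.
SAMPLE_ALLOW_LIST = ['192.168.1.1', '192.168.2.1-30', '10.0.5']


def entry_matches(client_ip, entry):
    """Return True if client_ip (IPv4) is covered by one allow-list entry."""
    try:
        ip = ipaddress.IPv4Address(client_ip).packed  # 4 raw bytes
    except ValueError:
        return False  # a malformed client address never matches

    entry = entry.strip()
    try:
        if '-' in entry:
            # IP range: 192.168.1.1-30 -> same /24, last octet 1..30 inclusive
            start, _, end = entry.partition('-')
            first = ipaddress.IPv4Address(start).packed
            last = int(end)
            return ip[:3] == first[:3] and first[3] <= ip[3] <= last <= 255
        if entry.count('.') == 2:
            # Whole subnet: 192.168.1 -> any 192.168.1.x, compared per octet
            net = ipaddress.IPv4Address(entry + '.0').packed
            return ip[:3] == net[:3]
        # Single IP: exact match on the parsed address, not a string prefix
        return ip == ipaddress.IPv4Address(entry).packed
    except ValueError:
        return False  # a malformed entry is ignored rather than matched


def global_admin_ip_allowed(client_ip, allow_list):
    """Assumption of this sketch: an empty list means no restriction is set."""
    if not allow_list:
        return True
    return any(entry_matches(client_ip, e) for e in allow_list)


if __name__ == '__main__':
    for addr in ('192.168.1.1', '192.168.1.10', '192.168.2.30',
                 '192.168.2.31', '10.0.5.200', '10.0.50.1'):
        print(addr, global_admin_ip_allowed(addr, SAMPLE_ALLOW_LIST))
```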

7

Re: restrict ip access for administrator

ZhangHuangbin wrote:
system-license wrote:

If we use the above, will it block all users from logging in except from the specified IP? We are hoping to allow the specified IP for the global admin login only and not all users. Is this possible?

Oh, this is simpler.

Add setting "GLOBAL_ADMIN_IP_LIST" in iRedAdmin-Pro config file "settings.py" like below, then restart uwsgi service.

# List of IP addresses which global admins are allowed to login from.
# e.g. ['127.0.0.1', '192.168.1.1']
# Valid formats:
#   - Single IP address: 192.168.1.1
#   - IP range:         192.168.1.1-30
#   - Whole subnet:     192.168.1
GLOBAL_ADMIN_IP_LIST = ['192.168.1.1', '192.168.2.1']

Hi Huang Bin
Would like to confirm if the above really applies to global admin and not domain admin or mailbox user.
The reason is that there is no parameter to identify the global admin name to be applied for the access list. Thus we hope to double confirm on this.

Thanks

8

Re: restrict ip access for administrator

Can you confirm this only applies to global admin and does not affect other users using it?

9

Re: restrict ip access for administrator

system-license wrote:

Can you confirm this only applies to global admin and does not affect other users using it?

Yes it only applies to global admins.