1 (edited by murali 2019-04-29 19:09:02)

Topic: Sogo not listing folders after ip based login restrictions

=== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.9 MARIADB edition
- Deployed with iRedMail Easy or the downloadable installer? Downloadable installer
- Linux/BSD distribution name and version: Linux/Debian9
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): Mysql
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro?Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi
I have applied IP-based login restriction from the admin panel for some users. I am unable to log in from other IPs which I have not entered in "Restrict to login from specified addresses". If I log in from an allowed IP from SOGo, the mail folders are not listed and it gives the message "no mailbox selected". If I disable the IP restriction, then SOGo lists all mail folders. Please help me to sort out this issue.

Thanks & Regards
Murali

----

2

Re: Sogo not listing folders after ip based login restrictions

Any error in the SOGo log file (/var/log/sogo/sogo.log) and the Dovecot log files (/var/log/dovecot/*.log)?

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?

buy me a cup of coffee

3

Re: Sogo not listing folders after ip based login restrictions

OK, I will check and post the log.

Thank You

4 (edited by murali 2019-05-02 18:45:38)

Re: Sogo not listing folders after ip based login restrictions

The imap.log shows as below

From : sogo

May  2 15:44:25 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<hari@itechservices.in>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<hvqS5eSHatp/AAAB>
May  2 15:44:25 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<hari@itechservices.in>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<Sr2x5eSHcNp/AAAB>

From:Roundcube

May  2 16:01:50 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<hari@itechservices.in>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<i8U/JOWH5uh/AAAB>

If I try to log in from Roundcube, it shows the error "login failed".
If users log in from Outlook with an IMAP or POP3 account, the IP-based restriction works fine.

Thank You

5

Re: Sogo not listing folders after ip based login restrictions

Does it work if you also list "127.0.0.1" as allowed client IP?


6

Re: Sogo not listing folders after ip based login restrictions

ZhangHuangbin wrote:

Does it work if you also list "127.0.0.1" as allowed client IP?

Yes, it is working, but the restriction is not working. Users can log in from anywhere using SOGo and Roundcube in spite of the IP restriction.

7

Re: Sogo not listing folders after ip based login restrictions

murali wrote:

If I log in from an allowed IP from SOGo, the mail folders are not listed and it gives the message "no mailbox selected".

Could you please turn on debug mode in Dovecot first, then try SOGo login again?
I expect SOGo to log some info relevant to "allow_nets", we need this log for troubleshooting.

FYI: https://docs.iredmail.org/debug.dovecot.html


8

Re: Sogo not listing folders after ip based login restrictions

ZhangHuangbin wrote:
murali wrote:

If I log in from an allowed IP from SOGo, the mail folders are not listed and it gives the message "no mailbox selected".

Could you please turn on debug mode in Dovecot first, then try SOGo login again?
I expect SOGo to log some info relevant to "allow_nets", we need this log for troubleshooting.

FYI: https://docs.iredmail.org/debug.dovecot.html

Sorry for the delay. I will enable debug mode and post the log.

Thank you

9 (edited by murali 2019-10-08 16:10:44)

Re: Sogo not listing folders after ip based login restrictions

murali wrote:
ZhangHuangbin wrote:
murali wrote:

If I log in from an allowed IP from SOGo, the mail folders are not listed and it gives the message "no mailbox selected".

Could you please turn on debug mode in Dovecot first, then try SOGo login again?
I expect SOGo to log some info relevant to "allow_nets", we need this log for troubleshooting.

FYI: https://docs.iredmail.org/debug.dovecot.html

Sorry for the delay. I will enable debug mode and post the log.

Thank you



Sorry for the delay in posting the sogo log with dovecot debug enabled mode. Please find below the log of sogo.

allowed ip for login =  27.5.145.153

SOGO LOG
---------------
Oct 08 13:29:03 sogod [21079]: SOGoRootPage successful login from '27.5.145.153' for user 'md@pro2col.in' - expire = -1  grace = -1
Oct 08 13:29:03 sogod [21079]: 27.5.145.153 "POST /SOGo/connect HTTP/1.0" 200 37/70 0.148 - - 0
Oct 08 13:29:04 sogod [21079]: 27.5.145.153 "GET /SOGo/so/md%40pro2col.in HTTP/1.0" 302 0/0 0.004 - - 0
Oct 08 13:29:04 sogod [21079]: 27.5.145.153 "GET /SOGo/so/md%40pro2col.in/view HTTP/1.0" 302 0/0 0.007 - - 0
Oct 08 13:29:05 sogod [21079]: 27.5.145.153 "GET /SOGo/so/md@pro2col.in/Mail HTTP/1.0" 302 0/0 0.001 - - 0
Oct 08 13:29:05 sogod [21079]: 27.5.145.153 "GET /SOGo/so/md@pro2col.in/Mail/view HTTP/1.0" 200 18925/0 0.022 81494 76% 0
Oct 08 13:29:07 sogod [21079]: 27.5.145.153 "GET /SOGo/so/md@pro2col.in/Calendar/alarmslist?browserTime=1570522001 HTTP/1.0" 200 63/0 0.012 - - 0
Oct 08 13:29:09 sogod [21079]: [ERROR] <0x0x560e0925f080[NGImap4ConnectionManager]> IMAP4 login failed:
  host=127.0.0.1, user=md@pro2col.in, pwd=yes
  url=imap://md%40pro2col.in@127.0.0.1/
  base=(null)
  base-class=(null))
  = <0x0x560e0bbeeca0[NGImap4Client]: login=md@pro2col.in(pwd) socket=<NGActiveSocket[0x0x560e0b8620b0]: mode=rw address=<0x0x560e0aaeabf0[NGInternetSocketAddress]: host=localhost.localdomain port=55024> connectedTo=<0x0x560e0b8eac50[NGInternetSocketAddress]: host=127.0.0.1 port=143>>>
Oct 08 13:29:09 sogod [21079]: <0x560e0bbcd1b0[SOGoMailAccount]:0> renewing imap4 password
Oct 08 13:29:15 sogod [21079]: [ERROR] <0x0x560e0925f080[NGImap4ConnectionManager]> IMAP4 login failed:
  host=127.0.0.1, user=md@pro2col.in, pwd=yes
  url=imap://md%40pro2col.in@127.0.0.1/
  base=(null)
  base-class=(null))
  = <0x0x560e0bbb2640[NGImap4Client]: login=md@pro2col.in(pwd) socket=<NGActiveSocket[0x0x560e0a002840]: mode=rw address=<0x0x560e0a0028b0[NGInternetSocketAddress]: host=localhost.localdomain port=55048> connectedTo=<0x0x560e0a0079a0[NGInternetSocketAddress]: host=127.0.0.1 port=143>>>
Oct 08 13:29:15 sogod [21079]: [ERROR] <0x560e0bbcd1b0[SOGoMailAccount]:0> Could not connect IMAP4
Oct 08 13:29:15 sogod [21079]: 27.5.145.153 "GET /SOGo/so/md@pro2col.in/Mail/0/view HTTP/1.0" 200 17/0 8.041 - - 0
Oct 08 13:29:17 sogod [21079]: [ERROR] <0x0x560e0925f080[NGImap4ConnectionManager]> IMAP4 login failed:
  host=127.0.0.1, user=md@pro2col.in, pwd=yes
  url=imap://md%40pro2col.in@127.0.0.1/
  base=(null)
  base-class=(null))
  = <0x0x560e0acaa280[NGImap4Client]: login=md@pro2col.in(pwd) socket=<NGActiveSocket[0x0x560e0bb9a5c0]: mode=rw address=<0x0x560e0b86daa0[NGInternetSocketAddress]: host=localhost.localdomain port=55132> connectedTo=<0x0x560e0ad33570[NGInternetSocketAddress]: host=127.0.0.1 port=143>>>
Oct 08 13:29:17 sogod [21079]: <0x560e0b948390[SOGoMailAccount]:0> renewing imap4 password
Oct 08 13:29:19 sogod [21079]: [ERROR] <0x0x560e0925f080[NGImap4ConnectionManager]> IMAP4 login failed:
  host=127.0.0.1, user=md@pro2col.in, pwd=yes
  url=imap://md%40pro2col.in@127.0.0.1/
  base=(null)
  base-class=(null))
  = <0x0x560e0ad31250[NGImap4Client]: login=md@pro2col.in(pwd) socket=<NGActiveSocket[0x0x560e09ffe660]: mode=rw address=<0x0x560e0b94e2d0[NGInternetSocketAddress]: host=localhost.localdomain port=55156> connectedTo=<0x0x560e0b929670[NGInternetSocketAddress]: host=127.0.0.1 port=143>>>
Oct 08 13:29:19 sogod [21079]: [ERROR] <0x560e0b948390[SOGoMailAccount]:0> Could not connect IMAP4
Oct 08 13:29:19 sogod [21079]: 27.5.145.153 "POST /SOGo/so/md@pro2col.in/Mail/unseenCount HTTP/1.0" 200 21/31
0 41/46 0.378 - - 0
Oct 08 13:30:14 sogod [21079]: 27.5.145.153 "POST /SOGo/so/md@pro2col.in/Mail/saveFoldersState HTTP/1.0" 204 0/2 0.096 - - 0
Oct 08 13:30:17 sogod [21079]: SOGoUserHomePage user 'md@pro2col.in' logged off
Oct 08 13:30:17 sogod [21079]: 27.5.145.153 "GET /SOGo/so/md@pro2col.in/logoff HTTP/1.0" 302 0/0 0.102 - - 0
Oct 08 13:30:17 sogod [21079]: 27.5.145.153 "GET /SOGo/so/ HTTP/1.0" 200 7368/0 0.027 27170 72% 0

10

Re: Sogo not listing folders after ip based login restrictions

dovecot log
---------------

Oct  8 13:29:13 mail dovecot: auth-worker(13607): Debug: sql(md@pro2col.in,127.0.0.1,<HPoLi2GUCNd/AAAB>): allow_nets: Matching for network 27.5.145.153
Oct  8 13:29:13 mail dovecot: auth-worker(13607): sql(md@pro2col.in,127.0.0.1,<HPoLi2GUCNd/AAAB>): allow_nets check failed: IP 127.0.0.1 not in allowed networks
Oct  8 13:29:13 mail dovecot: auth: Debug: sql(md@pro2col.in,127.0.0.1,<HPoLi2GUCNd/AAAB>): allow_nets: Matching for network 27.5.145.153
Oct  8 13:29:13 mail dovecot: auth: sql(md@pro2col.in,127.0.0.1,<HPoLi2GUCNd/AAAB>): allow_nets check failed: IP 127.0.0.1 not in allowed networks
Oct  8 13:29:15 mail dovecot: auth: Debug: client passdb out: FAIL#0111#011user=md@pro2col.in
Oct  8 13:29:15 mail dovecot: auth-worker(13607): Debug: sql(md@pro2col.in,127.0.0.1,<eoJui2GUXNd/AAAB>): query: SELECT mailbox.password, mailbox.allow_nets FROM mailbox,domain WHERE mailbox.username='md@pro2col.in' AND mailbox.`enableimapsecured`=1 AND mailbox.active=1 AND mailbox.domain=domain.domain AND domain.backupmx=0 AND domain.active=1
Oct  8 13:29:15 mail dovecot: auth-worker(13607): Debug: sql(md@pro2col.in,127.0.0.1,<eoJui2GUXNd/AAAB>): allow_nets: Matching for network 27.5.145.153
Oct  8 13:29:15 mail dovecot: auth-worker(13607): sql(md@pro2col.in,127.0.0.1,<eoJui2GUXNd/AAAB>): allow_nets check failed: IP 127.0.0.1 not in allowed networks
Oct  8 13:29:15 mail dovecot: auth: Debug: sql(md@pro2col.in,127.0.0.1,<eoJui2GUXNd/AAAB>): allow_nets: Matching for network 27.5.145.153
Oct  8 13:29:15 mail dovecot: auth: sql(md@pro2col.in,127.0.0.1,<eoJui2GUXNd/AAAB>): allow_nets check failed: IP 127.0.0.1 not in allowed networks
Oct  8 13:29:17 mail dovecot: auth: Debug: client passdb out: FAIL#0111#011user=md@pro2col.in
Oct  8 13:29:17 mail dovecot: auth-worker(13607): Debug: sql(md@pro2col.in,127.0.0.1,<VSyGi2GUdNd/AAAB>): query: SELECT mailbox.password, mailbox.allow_nets FROM mailbox,domain WHERE mailbox.username='md@pro2col.in' AND mailbox.`enableimapsecured`=1 AND mailbox.active=1 AND mailbox.domain=domain.domain AND domain.backupmx=0 AND domain.active=1
Oct  8 13:29:17 mail dovecot: auth-worker(13607): Debug: sql(md@pro2col.in,127.0.0.1,<VSyGi2GUdNd/AAAB>): allow_nets: Matching for network 27.5.145.153
Oct  8 13:29:17 mail dovecot: auth-worker(13607): sql(md@pro2col.in,127.0.0.1,<VSyGi2GUdNd/AAAB>): allow_nets check failed: IP 127.0.0.1 not in allowed networks
Oct  8 13:29:17 mail dovecot: auth: Debug: sql(md@pro2col.in,127.0.0.1,<VSyGi2GUdNd/AAAB>): allow_nets: Matching for network 27.5.145.153
Oct  8 13:29:17 mail dovecot: auth: sql(md@pro2col.in,127.0.0.1,<VSyGi2GUdNd/AAAB>): allow_nets check failed: IP 127.0.0.1 not in allowed networks
Oct  8 13:29:19 mail dovecot: auth: Debug: client passdb out: FAIL#0111#011user=md@pro2col.in
Oct  8 13:38:41 mail dovecot: auth-worker(13607): Debug: sql(md@pro2col.in,127.0.0.1,<HQQtrWGUdo5/AAAB>): query: SELECT mailbox.password, mailbox.allow_nets FROM mailbox,domain WHERE mailbox.username='md@pro2col.in' AND mailbox.`enableimapsecured`=1 AND mailbox.active=1 AND mailbox.domain=domain.domain AND domain.backupmx=0 AND domain.active=1
Oct  8 13:38:41 mail dovecot: auth-worker(13607): Debug: sql(md@pro2col.in,127.0.0.1,<HQQtrWGUdo5/AAAB>): allow_nets: Matching for network 27.5.145.153
Oct  8 13:38:41 mail dovecot: auth-worker(13607): sql(md@pro2col.in,127.0.0.1,<HQQtrWGUdo5/AAAB>): allow_nets check failed: IP 127.0.0.1 not in allowed networks
Oct  8 13:38:41 mail dovecot: auth: Debug: sql(md@pro2col.in,127.0.0.1,<HQQtrWGUdo5/AAAB>): allow_nets: Matching for network 27.5.145.153
Oct  8 13:38:41 mail dovecot: auth: sql(md@pro2col.in,127.0.0.1,<HQQtrWGUdo5/AAAB>): allow_nets check failed: IP 127.0.0.1 not in allowed networks
Oct  8 13:38:43 mail dovecot: auth: Debug: client passdb out: FAIL#0111#011user=md@pro2col.in
Oct  8 13:38:47 mail dovecot: auth-worker(13607): Debug: sql(md@pro2col.in,127.0.0.1,<uSFErWGUio5/AAAB>): query: SELECT mailbox.password, mailbox.allow_nets FROM mailbox,domain WHERE mailbox.username='md@pro2col.in' AND mailbox.`enableimapsecured`=1 AND mailbox.active=1 AND mailbox.domain=domain.domain AND domain.backupmx=0 AND domain.active=1
Oct  8 13:38:47 mail dovecot: auth-worker(13607): Debug: sql(md@pro2col.in,127.0.0.1,<uSFErWGUio5/AAAB>): allow_nets: Matching for network 27.5.145.153
Oct  8 13:38:47 mail dovecot: auth-worker(13607): sql(md@pro2col.in,127.0.0.1,<uSFErWGUio5/AAAB>): allow_nets check failed: IP 127.0.0.1 not in allowed networks
Oct  8 13:38:47 mail dovecot: auth: Debug: sql(md@pro2col.in,127.0.0.1,<uSFErWGUio5/AAAB>): allow_nets: Matching for network 27.5.145.153
Oct  8 13:38:47 mail dovecot: auth: sql(md@pro2col.in,127.0.0.1,<uSFErWGUio5/AAAB>): allow_nets check failed: IP 127.0.0.1 not in allowed networks
Oct  8 13:38:49 mail dovecot: auth: Debug: client passdb out: FAIL#0111#011user=md@pro2col.in
Oct  8 13:38:49 mail dovecot: auth-worker(13607): Debug: sql(md@pro2col.in,127.0.0.1,<vEWnrWGUFI9/AAAB>): query: SELECT mailbox.password, mailbox.allow_nets FROM mailbox,domain WHERE mailbox.username='md@pro2col.in' AND mailbox.`enableimapsecured`=1 AND mailbox.active=1 AND mailbox.domain=domain.domain AND domain.backupmx=0 AND domain.active=1
Oct  8 13:38:49 mail dovecot: auth-worker(13607): Debug: sql(md@pro2col.in,127.0.0.1,<vEWnrWGUFI9/AAAB>): allow_nets: Matching for network 27.5.145.153
Oct  8 13:38:49 mail dovecot: auth-worker(13607): sql(md@pro2col.in,127.0.0.1,<vEWnrWGUFI9/AAAB>): allow_nets check failed: IP 127.0.0.1 not in allowed networks
Oct  8 13:38:49 mail dovecot: auth: Debug: sql(md@pro2col.in,127.0.0.1,<vEWnrWGUFI9/AAAB>): allow_nets: Matching for network 27.5.145.153
Oct  8 13:38:49 mail dovecot: auth: sql(md@pro2col.in,127.0.0.1,<vEWnrWGUFI9/AAAB>): allow_nets check failed: IP 127.0.0.1 not in allowed networks
Oct  8 13:38:51 mail dovecot: auth: Debug: client passdb out: FAIL#0111#011user=md@pro2col.in
Oct  8 13:38:51 mail dovecot: auth-worker(13607): Debug: sql(md@pro2col.in,127.0.0.1,<fnS+rWGUMI9/AAAB>): query: SELECT mailbox.password, mailbox.allow_nets FROM mailbox,domain WHERE mailbox.username='md@pro2col.in' AND mailbox.`enableimapsecured`=1 AND mailbox.active=1 AND mailbox.domain=domain.domain AND domain.backupmx=0 AND domain.active=1
Oct  8 13:38:51 mail dovecot: auth-worker(13607): Debug: sql(md@pro2col.in,127.0.0.1,<fnS+rWGUMI9/AAAB>): allow_nets: Matching for network 27.5.145.153
Oct  8 13:38:51 mail dovecot: auth-worker(13607): sql(md@pro2col.in,127.0.0.1,<fnS+rWGUMI9/AAAB>): allow_nets check failed: IP 127.0.0.1 not in allowed networks
Oct  8 13:38:51 mail dovecot: auth: Debug: sql(md@pro2col.in,127.0.0.1,<fnS+rWGUMI9/AAAB>): allow_nets: Matching for network 27.5.145.153
Oct  8 13:38:51 mail dovecot: auth: sql(md@pro2col.in,127.0.0.1,<fnS+rWGUMI9/AAAB>): allow_nets check failed: IP 127.0.0.1 not in allowed networks
Oct  8 13:38:53 mail dovecot: auth: Debug: client passdb out: FAIL#0111#011user=md@pro2col.in


Thank You
Murali

11

Re: Sogo not listing folders after ip based login restrictions

murali wrote:

Oct  8 13:38:51 mail dovecot: auth-worker(13607): sql(md@pro2col.in,127.0.0.1,<fnS+rWGUMI9/AAAB>): allow_nets check failed: IP 127.0.0.1 not in allowed networks

It's clear here: you set to disallow this user to log in from 127.0.0.1, which is webmail.

Check the value in SQL table "vmail.mailbox", column "allow_nets" for this user with SQL commands below:

USE vmail;
SELECT username, allow_nets FROM mailbox WHERE username="<email>" LIMIT 1;

Replace <email> by the real email address while querying.

You should remove the "127.0.0.1" in the SQL value. If you don't want to restrict it, set it to NULL (Not empty value "", but SQL NULL).


12

Re: Sogo not listing folders after ip based login restrictions

If I remove 127.0.0.1 from allow_nets, it is not accessible even from the allowed IP. If I add the IP 127.0.0.1 to allow_nets, then Roundcube is accessible from any IP. I need IP-based login restriction from Roundcube or SOGo. I am posting the SQL query below.

Below is without any restriction

MariaDB [vmail]> SELECT username, allow_nets FROM mailbox WHERE username="md@pro2col.in" LIMIT 1;
+---------------+------------+
| username      | allow_nets |
+---------------+------------+
| md@pro2col.in | NULL       |
+---------------+------------+
1 row in set (0.00 sec)

Below is with IP-based restriction, which does not log in even from the allow_nets IP

MariaDB [vmail]> SELECT username, allow_nets FROM mailbox WHERE username="md@pro2col.in" LIMIT 1;
+---------------+----------------+
| username      | allow_nets     |
+---------------+----------------+
| md@pro2col.in | 122.165.122.65 |
+---------------+----------------+
1 row in set (0.00 sec)

Below is the restriction with 127.0.0.1 added to allow_nets, but the restriction is not working and it is accessible from anywhere

MariaDB [vmail]> SELECT username, allow_nets FROM mailbox WHERE username="md@pro2col.in" LIMIT 1;
+---------------+--------------------------+
| username      | allow_nets               |
+---------------+--------------------------+
| md@pro2col.in | 122.165.67.122,127.0.0.1 |
+---------------+--------------------------+
1 row in set (0.00 sec)


Thank You
Murali
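
The three allow_nets values from the post above, evaluated against the address the Dovecot log in this thread shows being checked (the IMAP connection's remote IP, which is 127.0.0.1 when SOGo or Roundcube connects). This is an added example, not part of the thread and not iRedMail or Dovecot code; the function names and the 203.0.113.7 "other client" address are assumptions made for illustration.

```python
import ipaddress
import re

# Two lines copied from the Dovecot log posted earlier in this thread.
SAMPLE_LOG = """\
Oct  8 13:29:13 mail dovecot: auth: Debug: sql(md@pro2col.in,127.0.0.1,<HPoLi2GUCNd/AAAB>): allow_nets: Matching for network 27.5.145.153
Oct  8 13:29:13 mail dovecot: auth: sql(md@pro2col.in,127.0.0.1,<HPoLi2GUCNd/AAAB>): allow_nets check failed: IP 127.0.0.1 not in allowed networks
"""

FAILED = re.compile(r"sql\((?P<user>[^,]+),[^,]+,<[^>]*>\): "
                    r"allow_nets check failed: IP (?P<ip>\S+) not in allowed networks")


def allow_nets_permits(allow_nets, rip):
    """Model of the check: SQL NULL (None) means unrestricted; otherwise
    the IMAP remote IP must fall inside one comma-separated entry."""
    if allow_nets is None:
        return True
    ip = ipaddress.ip_address(rip)
    return any(ip in ipaddress.ip_network(net.strip(), strict=False)
               for net in allow_nets.split(",") if net.strip())


def imap_rip(client_ip, via_webmail):
    """Webmail opens the IMAP connection itself, so Dovecot sees localhost
    (rip=127.0.0.1 in the logs above), not the browser's address."""
    return "127.0.0.1" if via_webmail else client_ip


def outcomes(allow_nets, listed_ip, other_ip="203.0.113.7"):
    """Returns (direct listed, direct other, webmail listed, webmail other)."""
    return tuple(allow_nets_permits(allow_nets, imap_rip(ip, web))
                 for web in (False, True) for ip in (listed_ip, other_ip))


def loopback_rejections(log_text):
    """Users whose allow_nets rejection was for a loopback address,
    i.e. a login that arrived through webmail on the same host."""
    users = {m.group("user") for m in FAILED.finditer(log_text)
             if ipaddress.ip_address(m.group("ip")).is_loopback}
    return sorted(users)


if __name__ == "__main__":
    for value, listed in [(None, "122.165.122.65"),
                          ("122.165.122.65", "122.165.122.65"),
                          ("122.165.67.122,127.0.0.1", "122.165.67.122")]:
        print(repr(value), outcomes(value, listed))
    print("rejected via loopback:", loopback_rejections(SAMPLE_LOG))
```
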