1

Topic: Roundcube - block from internet while allowing SMTPS and Let's Encrypt

Hi iRedMail team,

I recently migrated from an old iRedMail to the new iRedMail 1.7.2; the mail transfer was done properly and the setup is working. It is also set up with a Let's Encrypt certificate so that secure IMAP and secure SMTP can be accessed from mail clients on phones/tablets when outside (from the internet).

I can access the HTTPS Roundcube Webmail from the local LAN and from the internet.

All the accesses are working as expected and spam situation/filtering is also working well (improved now).


My question:
I want to disable "Roundcube Webmail" from the internet for security reasons and only allow it from the LAN (or when on VPN). How can I do this?


My internet router (Synology_RT2600AC) provides a basic firewall, and I have set up port forwarding for ports 80, 443, 587 and 993.

Ports 80 and 443 are required for Let's Encrypt to work. Therefore, it is not possible to block 80 and 443 to stop access to Roundcube from the internet.

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): iRedMail-1.7.2
- Deployed with iRedMail Easy or the downloadable installer? - Downloadable installer
- Linux/BSD distribution name and version: Ubuntu 24.04.2 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No, iRedAdmin (non-Pro)
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

2

Re: Roundcube - block from internet while allowing SMTPS and Let's Encrypt

Depending on whether you are using Nginx or Apache, it is very easy to achieve what you want by configuring the HTTP server with the allow and deny directives. For example, for Nginx, please refer to https://nginx.org/en/docs/http/ngx_http … module.htm If you installed iRedMail using iRedMail Easy or EE, please consult with Zhang, who will guide you on how to accomplish this through a custom directory, ensuring that all subsequent updates proceed without issues.

3

Re: Roundcube - block from internet while allowing SMTPS and Let's Encrypt

Thanks TiTo for the link. I read it and tried the configuration below, but I could still access it from the internet. I did restart the nginx server with "service nginx restart".

Can I please know what I am doing wrong here?

Please suggest what should be changed here to get this working.

root@smtp:/etc/nginx# cat /etc/nginx/sites-enabled/00-default.conf
#
# Note: This file must be loaded before other virtual host config files,
#
# HTTP
server {
    # Listen on ipv4
    listen 80;
    listen [::]:80;

    server_name _;

    # Allow ACME challenge to be served over HTTP (don't redirect to HTTPS).
    location ~* ^/.well-known/acme-challenge/ {
        root /opt/www/well_known;
        try_files $uri =404;
        allow all;
    }

    # Redirect all insecure http requests to https.
    location / {
        allow 192.168.1.0/24; # Allow access only from IP 192.168.1.0/24 local LAN subnet
        deny  all; # Deny all other IP addresses
        return 301 https://$host$request_uri;
    }
}
root@smtp:/etc/nginx# cat /etc/nginx/sites-enabled/00-default-ssl.conf
#
# Note: This file must be loaded before other virtual host config files,
#
# HTTPS
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name _;

    root /var/www/html;
    index index.php index.html;

    location / {
     allow 192.168.1.0/24; # Allow access only from IP 192.168.1.0/24 local LAN subnet
     deny all; # Deny all other IP addresses
    }

    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/ssl.tmpl;
    include /etc/nginx/templates/iredadmin.tmpl;
    include /etc/nginx/templates/roundcube.tmpl;
    include /etc/nginx/templates/sogo.tmpl;
    include /etc/nginx/templates/netdata.tmpl;
    include /etc/nginx/templates/php-catchall.tmpl;
    include /etc/nginx/templates/stub_status.tmpl;
}
root@smtp:/etc/nginx#
TiTo wrote:

Depending on whether you are using Nginx or Apache, it is very easy to achieve what you want by configuring the HTTP server with the allow and deny directives. For example, for Nginx, please refer to https://nginx.org/en/docs/http/ngx_http … module.htm If you installed iRedMail using iRedMail Easy or EE, please consult with Zhang, who will guide you on how to accomplish this through a custom directory, ensuring that all subsequent updates proceed without issues.

4 (edited by TiTo 2025-03-01 02:32:17)

Re: Roundcube - block from internet while allowing SMTPS and Let's Encrypt

edit /etc/nginx/templates/roundcube.tmpl

Find

location ~ ^/mail/(.*\.php)$ {
## add below

    allow 192.168.1.0/24;
    deny all;


systemctl reload nginx

5

Re: Roundcube - block from internet while allowing SMTPS and Let's Encrypt

Hi TiTo,

Thank you very much. I just changed it as per your suggestion below, tested it and it worked as expected.

I believe all 3 files below need to be set for this to fully block access from the internet.

1. /etc/nginx/sites-enabled/00-default.conf
2. /etc/nginx/sites-enabled/00-default-ssl.conf
3. /etc/nginx/templates/roundcube.tmpl

TiTo wrote:

edit /etc/nginx/templates/roundcube.tmpl

Find

location ~ ^/mail/(.*\.php)$ {
## add below

    allow 192.168.1.0/24;
    deny all;


systemctl reload nginx
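
Why the edit in post 4 works while the rules in post 3 did not comes down to nginx location matching, not to the number of files touched. `location /` is a prefix match; nginx evaluates regex locations such as `^/mail/(.*\.php)$` after the prefix matches and uses the first regex that matches, so a request for `/mail/index.php` is handled entirely by the Roundcube location and never sees an `allow`/`deny` placed in `location /`. The `location /` rules in 00-default.conf and 00-default-ssl.conf therefore only govern URIs that no included template claims. In the HTTP block the `return 301` also runs in nginx's rewrite phase, which precedes the access phase, so `allow`/`deny` beside it never fire; the redirect discloses nothing, so it can stay open. The configuration below is an added example, not the thread's own files or iRedMail's templates: a stripped-down stand-in for the two server blocks plus the roundcube.tmpl location, with the LAN range 192.168.1.0/24 taken from the thread and the web root, PHP-FPM socket and fastcgi lines assumed for illustration.

```nginx
# Added example, not the thread's or iRedMail's own configuration.
# The 192.168.1.0/24 range is from the thread; the web root, PHP-FPM socket
# and fastcgi lines are assumptions used to make the block self-contained.

# HTTP: keep the ACME path reachable from the whole internet, redirect the rest.
server {
    listen 80;
    listen [::]:80;
    server_name _;

    # Let's Encrypt http-01 validation connects from Let's Encrypt's own
    # servers, so this location must never carry a deny rule.
    location ~* ^/.well-known/acme-challenge/ {
        root /opt/www/well_known;
        try_files $uri =404;
        allow all;
    }

    # A deny here would be pointless: "return" runs in the rewrite phase,
    # before the access phase, so the redirect is sent regardless.
    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name _;

    root /var/www/html;   # assumed; iRedMail's ssl.tmpl would add the certificate lines

    # Does NOT protect Roundcube. "location /" is a prefix match; nginx checks
    # regex locations (like the /mail/ one below) after prefix matches and uses
    # the first regex that matches, so /mail/index.php never reaches this block.
    # It only governs URIs that no other location claims.
    location / {
        allow 192.168.1.0/24;
        deny  all;
    }

    # Protects Roundcube: this is the location that hands /mail/*.php to
    # PHP-FPM, so the access check runs on every Roundcube request.
    # Clients outside 192.168.1.0/24 receive 403 Forbidden.
    location ~ ^/mail/(.*\.php)$ {
        allow 192.168.1.0/24;    # LAN, or VPN clients that land in this range
        deny  all;

        include fastcgi_params;                        # assumed PHP-FPM hand-off
        fastcgi_pass unix:/run/php/php8.3-fpm.sock;   # assumed socket path
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

Check the syntax before reloading (`nginx -t && systemctl reload nginx`), then request `/mail/` once from a LAN host and once from a phone on mobile data: the LAN client should get Roundcube, the outside client a 403, and nginx's error log records the refusal as "access forbidden by rule". Two caveats: `allow`/`deny` act on the TCP source address, which a router port forward preserves, so the rule works here, but it would not behind a reverse proxy or CDN that terminates the connection first; and an edit inside /etc/nginx/templates/roundcube.tmpl may be overwritten by an iRedMail upgrade, so re-check the rule afterwards.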

6

Re: Roundcube - block from internet while allowing SMTPS and Let's Encrypt

I don't understand the security reasons.

So IMAP, POP3 and SMTP are still reachable from outside, and you only want to restrict Roundcube?
That makes zero sense and is not a security improvement at all, since Roundcube only acts as a mail client with a web interface and is no different from a mail client on a phone or PC.

7

Re: Roundcube - block from internet while allowing SMTPS and Let's Encrypt

Hi Cthulhu,

Thank you for the question.

I want to stop public access to as many services as possible. That is my objective when I say security.

I am exploring options to allow only port 25 and have clients access email via VPN when outside.
I think it is possible, but I have not found a way yet.


Cthulhu wrote:

I don't understand the security reasons.

So IMAP, POP3 and SMTP are still reachable from outside, and you only want to restrict Roundcube?
That makes zero sense and is not a security improvement at all, since Roundcube only acts as a mail client with a web interface and is no different from a mail client on a phone or PC.