From 226a7df463cb4f33f89903cb6e80e93b4d9aac83 Mon Sep 17 00:00:00 2001
From: Zhang Huangbin
Date: Tue, 7 Apr 2015 20:13:48 +0800
Subject: [PATCH] New: howto/restrict.mail.user.to.login.from.specified.ip.or.networks.md.
---
 TODO.md | 2 -
 ....to.login.from.specified.ip.or.networks.md | 36 +++++++++++++
 html/index.html | 1 +
 ...o.login.from.specified.ip.or.networks.html | 51 +++++++++++++++++++
 html/upgrade.iredmail.0.9.0-0.9.1.html | 4 +-
 upgrade/0-upgrade.iredmail.0.9.0-0.9.1.md | 4 +-
 6 files changed, 92 insertions(+), 6 deletions(-)
 create mode 100644 howto/restrict.mail.user.to.login.from.specified.ip.or.networks.md
 create mode 100644 html/restrict.mail.user.to.login.from.specified.ip.or.networks.html
diff --git a/TODO.md b/TODO.md
index 7ca62842..ef4833c8 100644
--- a/TODO.md
+++ b/TODO.md
@@ -1,7 +1,5 @@
 # TODO
 
-https://bitbucket.org/zhb/iredmail/commits/b721a9c376f67a4a11b4b1761386a266cfd11f96
-
 * How to install and configure SOGo groupware
 * How to install and configure Nginx
 * How to custom SpamAssassin scores
diff --git a/howto/restrict.mail.user.to.login.from.specified.ip.or.networks.md b/howto/restrict.mail.user.to.login.from.specified.ip.or.networks.md
new file mode 100644
index 00000000..abd3113a
--- /dev/null
+++ b/howto/restrict.mail.user.to.login.from.specified.ip.or.networks.md
@@ -0,0 +1,36 @@
+# Restrict mail user to login from specified IP addresses or networks
+
+Since iRedMail-0.9.1, it's able to restrict mail users to login from specified
+IP addresses or networks.
+
+Below sample usage shows how to restrict mail user `user@domaim.com` to login
+from only IP address `172.16.244.1` or network `192.168.1.0/24`.
+
+## SQL backends
+
+```
+sql> USE vmail;
+sql> UPDATE mailbox SET allow_nets='172.16.244.1,192.168.1.0/24' WHERE username='user@domain.com';
+```
+
+To remove this restriction (allow to login from anywhere), just set
+value of SQL column `mailbox.allow_nets` to NULL. WARNING: It must be NULL,
+not empty string.
+
+## How to restrict with OpenLDAP backend
+
+To allow user `user@domain.com` to login from IP `172.16.244.1` and network
+`192.168.1.0/24`, please add new attribute `allowNets` to this user:
+
+```
+allowNets: 192.168.1.10,192.168.1.0/24
+```
+
+To remove this restriction, just remove attribute `allowNets` for this user.
+
+# References
+
+* This feature is implemented in iRedMail-0.9.1, and mentioned in iRedMail
+ [upgrade tutorial for iRedMail-0.9.0](./upgrade.iredmail.0.9.0-0.9.1.html]
+
+* Dovecot document: [AllowNets](http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets)
diff --git a/html/index.html b/html/index.html
index 3a3365fd..dddbedb2 100644
--- a/html/index.html
+++ b/html/index.html
@@ -72,6 +72,7 @@
  • Pipe incoming email for certain user to external script
  • Force Dovecot to recalculate mailbox quota
  • Reset user password
  • +
  • Restrict mail user to login from specified IP addresses or networks
  • Send out email from specified IP address
  • SQL: Add domain catch-all account
  • SQL: Add a mail alias account
  • diff --git a/html/restrict.mail.user.to.login.from.specified.ip.or.networks.html b/html/restrict.mail.user.to.login.from.specified.ip.or.networks.html new file mode 100644 index 00000000..84e54e54 --- /dev/null +++ b/html/restrict.mail.user.to.login.from.specified.ip.or.networks.html @@ -0,0 +1,51 @@ + + + + Restrict mail user to login from specified IP addresses or networks + + + + +

    Restrict mail user to login from specified IP addresses or networks

    +

    Since iRedMail-0.9.1, it's able to restrict mail users to login from specified +IP addresses or networks.

    +

    Below sample usage shows how to restrict mail user user@domaim.com to login +from only IP address 172.16.244.1 or network 192.168.1.0/24.

    +

    SQL backends

    +
    sql> USE vmail;
    +sql> UPDATE mailbox SET allow_nets='172.16.244.1,192.168.1.0/24' WHERE username='user@domain.com';
    +
    + +

    To remove this restriction (allow to login from anywhere), just set +value of SQL column mailbox.allow_nets to NULL. WARNING: It must be NULL, +not empty string.

    +

    How to restrict with OpenLDAP backend

    +

    To allow user user@domain.com to login from IP 172.16.244.1 and network +192.168.1.0/24, please add new attribute allowNets to this user:

    +
    allowNets: 192.168.1.10,192.168.1.0/24
    +
    + +

    To remove this restriction, just remove attribute allowNets for this user.

    +

    References

    +

    Document published under a CC BY-ND 3.0 license. If you found something wrong, please do contact us to fix it. + \ No newline at end of file diff --git a/html/upgrade.iredmail.0.9.0-0.9.1.html b/html/upgrade.iredmail.0.9.0-0.9.1.html index 51787180..e4711141 100644 --- a/html/upgrade.iredmail.0.9.0-0.9.1.html +++ b/html/upgrade.iredmail.0.9.0-0.9.1.html @@ -457,7 +457,7 @@ mysql> ALTER TABLE mailbox ADD COLUMN `allow_nets` TEXT DEFAULT NULL;

    Sample usage: allow user user@domain.com to login from IP 172.16.244.1 and network 192.168.1.0/24:

    sql> USE vmail;
    -sql> UPDATE mailbox SET allow_nets='172.16.244.1,192.168.1.0/24';
    +sql> UPDATE mailbox SET allow_nets='172.16.244.1,192.168.1.0/24' WHERE username='user@domain.com`;
     

    To remove this restriction, just set mailbox.allow_nets to NULL, not empty string.

    @@ -554,7 +554,7 @@ sql> ALTER TABLE mailbox ADD COLUMN allow_nets TEXT DEFAULT NULL;

    Sample usage: allow user user@domain.com to login from IP 172.16.244.1 and network 192.168.1.0/24:

    sql> \c vmail;
    -sql> UPDATE mailbox SET allow_nets='172.16.244.1,192.168.1.0/24';
    +sql> UPDATE mailbox SET allow_nets='172.16.244.1,192.168.1.0/24' WHERE username='user@domain.com`;
     

    To remove this restriction, just set mailbox.allow_nets to NULL, not empty string.

diff --git a/upgrade/0-upgrade.iredmail.0.9.0-0.9.1.md b/upgrade/0-upgrade.iredmail.0.9.0-0.9.1.md
index 7288a45d..e9e3b212 100644
--- a/upgrade/0-upgrade.iredmail.0.9.0-0.9.1.md
+++ b/upgrade/0-upgrade.iredmail.0.9.0-0.9.1.md
@@ -469,7 +469,7 @@ network `192.168.1.0/24`:
 
 ```
 sql> USE vmail;
-sql> UPDATE mailbox SET allow_nets='172.16.244.1,192.168.1.0/24';
+sql> UPDATE mailbox SET allow_nets='172.16.244.1,192.168.1.0/24' WHERE username='user@domain.com`;
 ```
 
 To remove this restriction, just set `mailbox.allow_nets` to `NULL`, not empty string.
@@ -588,7 +588,7 @@ network `192.168.1.0/24`:
 
 ```
 sql> \c vmail;
-sql> UPDATE mailbox SET allow_nets='172.16.244.1,192.168.1.0/24';
+sql> UPDATE mailbox SET allow_nets='172.16.244.1,192.168.1.0/24' WHERE username='user@domain.com`;
 ```
 
 To remove this restriction, just set `mailbox.allow_nets` to `NULL`, not empty string.
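Review bot: The added `WHERE username=` clause closes its string with a backtick instead of a single quote after `user@domain.com`, so the statement as printed leaves the literal open and will not run when pasted into the SQL client. The same typo is in both hunks of this file (the `USE vmail` sample and the `\c vmail` sample) and in the two matching hunks of `html/upgrade.iredmail.0.9.0-0.9.1.html`; each line should end `WHERE username='user@domain.com';`. Because the earlier unscoped statement set `allow_nets` on every mailbox, a follow-up sentence asking readers who already ran it to check with `SELECT username, allow_nets FROM mailbox WHERE allow_nets IS NOT NULL;` would help them find accounts that were restricted by accident.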