26

Re: How to internally disable client pop3/imap/smtp for webmail only?

Thanks for your discussions and sharing, I decided to use Dominique's suggestion with some comment: https://bitbucket.org/zhb/iredmail/comm … 4189e94df0

AND ((mailbox.enable%Ls%Lc=1 AND '%r'<>'127.0.0.1') OR (mailbox.enablewebmail=1 AND '%r'='127.0.0.1' AND '%Ls%Lc'='imapsecured'))

Comment:

# (mailbox.enable%Ls%Lc=1 AND '%r'<>'127.0.0.1') means accessing mailbox via
#   IMAP or IMAP over TLS on non-localhost (127.0.0.1)
#
# (mailbox.enablewebmail=1 AND '%Ls%Lc'='imapsecured' AND '%r' IN ('127.0.0.1'))
#   means accessing webmail hosted on '127.0.0.1' via IMAP over TLS. If you
#   want to allow remote access from webmail hosted on other servers, please
#   extend the list and reload/restart Dovecot service.
#
#   WARNING: It's not recommended to access mailbox from webmail with insecure
#   IMAP protocol.


27

Re: How to internally disable client pop3/imap/smtp for webmail only?

ZhangHuangbin wrote:
AND ((mailbox.enable%Ls%Lc=1 AND '%r'<>'127.0.0.1') OR (mailbox.enablewebmail=1 AND '%r'='127.0.0.1' AND '%Ls%Lc'='imapsecured'))

I'm already a bit confused by the logic operations :)

Wouldn't this condition disable everything from localhost? There will be no way to enable any service but IMAPs (via the new enablewebmail option)...

I'm not sure if it's a good idea.

28

Re: How to internally disable client pop3/imap/smtp for webmail only?

ZhangHuangbin wrote:

# (mailbox.enable%Ls%Lc=1 AND '%r'<>'127.0.0.1') means accessing mailbox via
#   IMAP or IMAP over TLS on non-localhost (127.0.0.1)

actually, the first part of the query is for any protocol that is configured to be allowed... could also be pop3

camel1cz wrote:

Wouldn't this condition disable everything from localhost? There will be no way how to enable any service but the IMAPs (via the new enablewebmail option)...

not really... the second part of the query (after OR) allows connections from localhost only when enablewebmail=1 and the protocol is imapsecured... which is exactly what you expect... as that's the way RoundCube connects

and... are you implying that any connections from localhost other than imapsecured would be necessary?  for what purpose?  unless you start running other applications on your email server fetching emails over pop3 for example... not a good idea really... but if you need this for any reason you can of course change the query again... the way it is now is the most secure... making exceptions for this kind of (unlikely) things would only mean leaving open gaps for security breaches

29 (edited by camel1cz 2014-03-02 03:54:18)

Re: How to internally disable client pop3/imap/smtp for webmail only?

Don't play with words, buddy.

I say, it breaks servers using protocols other than IMAPs locally - it's a fact.
I say, there is no simple solution (simple = w/o need to modify complex configs, have advanced skills in administration) to get the same functionality after upgrade - it's a fact.

Based on this, my opinion is to either not do it like this or at least warn with big letters in upgrade instructions, possibly provide alternative.

Sure, it's good to keep security in mind, but you cannot break production systems (even poorly designed ones) in the name of the greater good!

P.S.
Please understand me correctly, my system is a pure mailserver, I don't need to have mail services available on the mailserver locally. I don't use it like this. I don't even need to block webmail for any of my users. I just try to improve this wonderful project as well as I can.

30 (edited by Dominique 2014-03-02 04:08:37)

Re: How to internally disable client pop3/imap/smtp for webmail only?

camel1cz wrote:

but you cannot break production systems (even poorly designed) in name of greater good!

that is something I don't agree with... otherwise we can just chuck security in the bin... and allow all spam (as some spam fighting tactics are based on the need for properly configuring servers, like FQDN for HELO/EHLO or SPF records)

but hey, who am I to make those decisions... I only based my query on Zhang's suggestions

31

Re: How to internally disable client pop3/imap/smtp for webmail only?

You cannot compare "allow all spam via wrong config" with "allow to run scripts/apps on mailserver locally"...

All I wanted is to explicitly name the implications to be sure, everyone knows it.

Sure, the decision is up to Zhang

32

Re: How to internally disable client pop3/imap/smtp for webmail only?

My mistake, "(mailbox.enable%Ls%Lc=1 AND '%r'<>'127.0.0.1')" will disable IMAP/POP3/SMTP services from localhost, it's not right.
I revert commits for this feature, let's see whether we have a better solution with a simpler SQL statement.

33

Re: How to internally disable client pop3/imap/smtp for webmail only?

ZhangHuangbin wrote:

My mistake, "(mailbox.enable%Ls%Lc=1 AND '%r'<>'127.0.0.1')" will disable IMAP/POP3/SMTP services from localhost, it's not right.
I revert commits for this feature, let's see whether we have a better solution with a simpler SQL statement.

I based the query on your suggestion:

ZhangHuangbin wrote:

Do you guys think it's better to check whether it's imap protocol and secure connection?

I can write whatever you want in SQL but it seems like the requirements keep changing... glad to have been of help but I will refrain from trying to help from now on as I don't understand the needs of the product enough to counter varying opinions between contributors to this forum.

FYI:  no pun intended here!

34

Re: How to internally disable client pop3/imap/smtp for webmail only?

I see only one good solution - add for all enableXXX flags also its equivalent for localhost.
So e.g. enableimapsecured will have its twin enableimapsecuredlocal.

All these new flags should default to on (= enabled).

The rights should work like this:

enableimapsecured = 0 AND enableimapsecuredlocal = 0

- IMAPs is disabled from everywhere for this account,

enableimapsecured = 1 AND enableimapsecuredlocal = 0

- IMAPs works from external IPs, NOT from localhost,

enableimapsecured = 0 AND enableimapsecuredlocal = 1

- IMAPs works only from localhost, not from external IPs,

enableimapsecured = 1 AND enableimapsecuredlocal = 1

- IMAPs works from everywhere.

The SQL query to implement this should be like:

AND (
 (mailbox.enable%Ls%Lc=1 AND '%r'<>'127.0.0.1')
 OR
 (mailbox.enable%Ls%Lclocal=1 AND '%r'='127.0.0.1')
)

@ Zhang: it's up to you to decide if you feel it useful and worth implementing.
Disabling/enabling webmail will then be easy and just a matter of explanation (which checkbox to tick), possibly in the documentation.
Btw, we talk the whole time about IMAP secured, but isn't SMTP also required? (to send emails)
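To make the difference between the two WHERE fragments in this thread concrete, here is an added simulation (not code from iRedMail or from any poster) that runs both fragments against a constructed mailbox table in SQLite. It assumes Dovecot's expansion of %Ls (lowercased service name), %Lc ('secured' for a connection Dovecot treats as secure, otherwise empty) and %r (remote IP), that SQLite evaluates these comparisons like MySQL, and that the "...local" columns exist as post 34 proposes; the four IMAPs cases from the table above and the local POP3 case admitted in post 32 are checked.

```python
import sqlite3

# The two WHERE fragments quoted in this thread, wrapped in a minimal SELECT.
# The real Dovecot password_query tests "username='%u'" (Dovecot escapes %u
# itself); a ? placeholder stands in for it here.
QUERY_POST26 = ("SELECT username FROM mailbox WHERE username=? "
                "AND ((mailbox.enable%Ls%Lc=1 AND '%r'<>'127.0.0.1') OR "
                "(mailbox.enablewebmail=1 AND '%r'='127.0.0.1' AND '%Ls%Lc'='imapsecured'))")
QUERY_POST34 = ("SELECT username FROM mailbox WHERE username=? "
                "AND ((mailbox.enable%Ls%Lc=1 AND '%r'<>'127.0.0.1') OR "
                "(mailbox.enable%Ls%Lclocal=1 AND '%r'='127.0.0.1'))")

FLAGS = ["enableimap", "enableimapsecured", "enablepop3", "enablepop3secured",
         "enablesmtp", "enablesmtpsecured", "enablewebmail"]
# The "...local" twins are post 34's proposal, not existing iRedMail columns (assumption).
LOCAL_FLAGS = [f + "local" for f in FLAGS if f != "enablewebmail"]

def build_db(rows):
    """Constructed in-memory mailbox table; rows = {username: {flag: 0/1}}, unset flags are 0."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mailbox (username TEXT PRIMARY KEY, "
               + ", ".join(c + " INTEGER NOT NULL DEFAULT 0" for c in FLAGS + LOCAL_FLAGS) + ")")
    for user, flags in rows.items():
        db.execute("INSERT INTO mailbox (username, %s) VALUES (?%s)"
                   % (", ".join(flags), ", ?" * len(flags)), [user] + list(flags.values()))
    return db

def expand(query, service, secured, remote_ip):
    """Mimic Dovecot's variable expansion (assumed): %Ls = lowercased service name
    (imap/pop3/smtp), %Lc = 'secured' when the connection counts as secure, else '', %r = remote IP."""
    return (query.replace("%Ls", service.lower())
                 .replace("%Lc", "secured" if secured else "")
                 .replace("%r", remote_ip))

def allowed(db, query, user, service, secured, remote_ip):
    """True when the expanded query returns the user's row, i.e. the login would be accepted."""
    return db.execute(expand(query, service, secured, remote_ip), (user,)).fetchone() is not None

SAMPLE = {  # constructed accounts
    "full": dict.fromkeys(FLAGS + LOCAL_FLAGS, 1),  # pre-upgrade account, everything enabled
    "imaps_00": {"enableimapsecured": 0, "enableimapsecuredlocal": 0},
    "imaps_10": {"enableimapsecured": 1, "enableimapsecuredlocal": 0},
    "imaps_01": {"enableimapsecured": 0, "enableimapsecuredlocal": 1},
    "imaps_11": {"enableimapsecured": 1, "enableimapsecuredlocal": 1},
}

if __name__ == "__main__":
    db = build_db(SAMPLE)
    for label, q in (("post 26", QUERY_POST26), ("post 34", QUERY_POST34)):
        for svc, sec, ip in (("pop3", False, "127.0.0.1"), ("imap", True, "127.0.0.1")):
            print(label, svc, "secured" if sec else "plain", ip, "->", allowed(db, q, "full", svc, sec, ip))
```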

35

Re: How to internally disable client pop3/imap/smtp for webmail only?

This feature won't be available in the next release of iRedMail, not many users need this. I prefer to use simpler SQL statements and leave this additional feature to mail administrators who really need it. I believe you guys already provided a helpful solution in this thread. I personally suggest we stop the discussion here.