1

Topic: Allow login to Dovecot/Roundcube only from specific ip address/network

============ Required information ====
- iRedMail version: 0.9.0
- Store mail accounts in which backend (MySQL):
- Linux/BSD distribution name and version: CentOS 7
- Related log if you're reporting an issue:
====

Hi all,
I just want to share with you what to do to allow specific users to log in to Dovecot IMAP and Roundcube Webmail only from a specific IP address or network.

First of all we add a new field to the mailbox table to hold the IP address/network of the user's client.
Dovecot allows connections only from the remote IPs listed in the extra field "allow_nets", so I just added a field with that name.
Please refer to this page for more information: http://wiki2.dovecot.org/PasswordDataba … /AllowNets

Here is the SQL command on the vmail db (depending on your needs you can change the length of this field):

ALTER TABLE `mailbox` ADD `allow_nets` VARCHAR(18) NULL DEFAULT NULL ;

Second, we need to modify the password_query SQL in /etc/dovecot/dovecot-mysql.conf so that it returns the new field, like this:

password_query = SELECT password, allow_nets FROM mailbox WHERE username='%u' AND enable%Ls%Lc=1 AND active='1'

At this point we can specify an IP address or a network in the "allow_nets" field and Dovecot will check for it.
Please note that a NULL value will allow login from any IP address.

In an iRedMail environment, Dovecot receives connections from the webserver IP address as the remote IP ("rip:" in dovecot.log) when a user logs in from Roundcube Webmail.

If we want to check the user's client IP address we need to enable a plugin in Roundcube that identifies users by their client IP address and overrides the webserver IP address when connecting to Dovecot.

To do this we need to download the "dovecot_ident" plugin for Roundcube and unzip the content into the Roundcube plugins folder as follows.

# wget https://github.com/corbosman/dovecot_id … master.zip
# unzip master.zip -d /var/www/roundcubemail/plugins/
# mv /var/www/roundcubemail/plugins/dovecot_ident-master /var/www/roundcubemail/plugins/dovecot_ident

Now edit /var/www/roundcubemail/config/config.inc.php to enable the plugin:

// PLUGINS
$config['plugins'] = array('managesieve', 'password', 'dovecot_ident');

Last, we need to allow the webserver IP to override the remote IP address when logging in to Dovecot via Roundcube.
Add this line to /etc/dovecot/dovecot.conf

login_trusted_networks = 127.0.0.1

Finished! I hope this will be useful for the iRedMail community.

PS: Since the new field is not present in the iRedMail release, I think someone can provide a better solution to integrate the "allow_nets" field in a separate table to preserve it after iRedMail major updates.

2

Re: Allow login to Dovecot/Roundcube only from specific ip address/network

Thanks for sharing. Maybe we can add this new field in the next iRedMail release, and I think it's better to use the TEXT column type instead of VARCHAR, so that we can add more IPs.

According to Dovecot document: http://wiki2.dovecot.org/SSL/DovecotConfiguration

Note that plaintext authentication is always allowed (and SSL not required) for connections from localhost, as they're assumed to be secure anyway. This applies to all connections where the local and the remote IP addresses are equal. Also IP ranges specified by login_trusted_networks setting are assumed to be secure.

Looks like 'login_trusted_networks = 127.0.0.1' in dovecot.conf is not necessary?

Also, this is a per-user setting, right? Do you have a per-domain solution?

3

Re: Allow login to Dovecot/Roundcube only from specific ip address/network

Hi,
Yes, you are right about the column datatype; that's way better than what I chose for different needs.
It would be great if you add the new field in the next releases.

I've tested it without login_trusted_networks set up, but the Roundcube plugin/webserver is not able to rewrite the IP when attempting to log in to Dovecot (in the Dovecot logs I still see rip:127.0.0.1 when I log in via Roundcube), so I believe it is necessary.
I think login_trusted_networks is being used by Dovecot in many ways.
Check this out: http://wiki.dovecot.org/MainConfig

login_trusted_networks =
Space separated list of trusted network ranges. Connections from these IPs are allowed to override their IP addresses and ports (for logging and for authentication checks). disable_plaintext_auth is also ignored for these networks. Typically you'd specify your IMAP proxy servers here.

Since the Dovecot passdb is a per-user login command, I think the best solution to manage it per domain, considering an integration with iRedAdmin, could be to add some PHP functions to rewrite the allow_nets field on 2 levels: per-user, updating the allow_nets field by email address on the mailbox table, and per-domain, updating the field on each mail address with @specific-vdomain to manage.

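The login decision this thread assembles, as an added example that is not Dovecot, Roundcube or dovecot_ident code: Dovecot honours a client-supplied originating IP (what the dovecot_ident plugin passes along with the IMAP ID command) only when the TCP peer is inside login_trusted_networks, and then evaluates the passdb extra field allow_nets against the resulting remote IP. The model also covers an empty-but-not-NULL allow_nets column, which comes up later in this thread. All IP literals are constructed sample data, and the function names are this example's own.

```python
"""
Model of the Dovecot login decision built in this thread.  Added example,
not Dovecot/Roundcube/dovecot_ident code; the IP literals are constructed.
"""
import ipaddress
from typing import Optional, Tuple


def parse_nets(spec: str) -> list:
    """Parse a comma- or space-separated list of IPs and CIDR networks.
    A bare address becomes a /32 (or /128).  Dovecot's real parser accepts a
    few extra tokens; this model deliberately does not."""
    return [ipaddress.ip_network(tok, strict=False)
            for tok in spec.replace(",", " ").split()]


def effective_remote_ip(peer_ip: str, claimed_ip: Optional[str],
                        login_trusted_networks: str) -> str:
    """Return the IP Dovecot logs as "rip" and uses for the allow_nets check.

    The claimed originating IP is honoured only when the peer is inside
    login_trusted_networks; otherwise any client could forge its way past
    allow_nets by sending an ID command with a friendly address."""
    peer = ipaddress.ip_address(peer_ip)
    trusted = any(peer in net for net in parse_nets(login_trusted_networks))
    if claimed_ip is not None and trusted:
        return str(ipaddress.ip_address(claimed_ip))
    return str(peer)


def allow_nets_permits(allow_nets: Optional[str], remote_ip: str) -> bool:
    """Evaluate the allow_nets passdb extra field.

    None models a SQL NULL: the field is absent, so there is no restriction.
    Any non-NULL string is a list the remote IP must match; '' is an empty
    list that matches nothing, so a NOT NULL DEFAULT '' column locks
    every user out."""
    if allow_nets is None:
        return True
    rip = ipaddress.ip_address(remote_ip)
    return any(rip in net for net in parse_nets(allow_nets))


def login_allowed(peer_ip: str, claimed_ip: Optional[str],
                  login_trusted_networks: str,
                  allow_nets: Optional[str]) -> Tuple[bool, str]:
    """Both steps together; returns (decision, effective remote IP)."""
    rip = effective_remote_ip(peer_ip, claimed_ip, login_trusted_networks)
    return allow_nets_permits(allow_nets, rip), rip


if __name__ == "__main__":
    # Roundcube on localhost, real user at 203.0.113.5, webserver trusted
    print(login_allowed("127.0.0.1", "203.0.113.5", "127.0.0.1", "203.0.113.0/24"))
    # Same login with login_trusted_networks empty: rip stays 127.0.0.1
    print(login_allowed("127.0.0.1", "203.0.113.5", "", "203.0.113.0/24"))
    # A direct client forging an originating IP from an untrusted peer
    print(login_allowed("198.51.100.9", "203.0.113.5", "127.0.0.1", "203.0.113.0/24"))
```

The second call reproduces what the previous post saw without login_trusted_networks (the webserver address is what gets checked), and the third shows why the trusted list must stay as small as the hosts that really proxy logins: anything inside it can assert any client address.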
4

Re: Allow login to Dovecot/Roundcube only from specific ip address/network

GMF wrote:

Since the Dovecot passdb is a per-user login command, I think the best solution to manage it per domain, considering an integration with iRedAdmin, could be to add some PHP functions to rewrite the allow_nets field on 2 levels: per-user, updating the allow_nets field by email address on the mailbox table, and per-domain, updating the field on each mail address with @specific-vdomain to manage.

What if you want to restrict most users to an allowed net, but allow some users from any IP address? I think this is a common situation.

Although this can be implemented by setting the per-domain restriction first (it will update all per-user settings) and then setting the restriction for certain users to allow from any IP address, if you update the per-domain setting next time you have to update the settings for those users again. So, not an ideal solution.

5 (edited by GMF 2015-03-04 19:03:35)

Re: Allow login to Dovecot/Roundcube only from specific ip address/network

If you are planning to integrate this function in the iRedAdmin panel you could use a support table (e.g. network_restrictions) to write down the restriction rules per-domain and per-user, so you can apply them with the correct hierarchy of checks to update the allow_nets field in the mailbox table every time the admin makes an IP/net restriction change on the panel.

I think this could be a way.
The new table network_restrictions could have 3 columns:
1) restriction_type: per-user / per-domain
2) restriction_value: email / domain
3) restriction_net: the ip or network to allow
(also a 4th field could be useful to manage the period of validity or expiration date of the restriction)

With this support table, in your example, when the admin updates the restriction_net for a restriction_type=domain on the iRedAdmin panel, before you update the allow_nets field on the mailbox table you can exclude each email address for that domain present in the network_restrictions table, checking the rows where restriction_type=per-user and restriction_value=%@thatdomain.

Just an idea; I'm not very expert with PHP and SQL, but this should not be difficult to do.

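The support table proposed above, worked through as an added example (not iRedMail or iRedAdmin code) with sqlite3 so it runs offline. Table and column names follow the post; "expires_on" is the optional 4th field it mentions; the mailbox table is a cut-down stand-in for iRedMail's, and all rows are constructed sample data. The scenario is the one raised in the previous reply: a whole domain confined to some networks except for one user who may log in from anywhere.

```python
"""
network_restrictions -> mailbox.allow_nets resolution, modelled with sqlite3.
Added example, not iRedMail/iRedAdmin code; schema is a cut-down stand-in
and all rows are constructed sample data.
"""
import sqlite3
from datetime import date
from typing import Dict, Optional

SCHEMA = """
CREATE TABLE mailbox (
    username   TEXT PRIMARY KEY,
    domain     TEXT NOT NULL,
    allow_nets TEXT DEFAULT NULL          -- NULL = no restriction (see post 1)
);
CREATE TABLE network_restrictions (
    restriction_type  TEXT NOT NULL CHECK (restriction_type IN ('per-user', 'per-domain')),
    restriction_value TEXT NOT NULL,      -- email address or domain
    restriction_net   TEXT,               -- comma-separated IPs/nets; NULL = any IP
    expires_on        TEXT                -- ISO date; NULL = never expires
);
"""


def build_sample_db() -> sqlite3.Connection:
    """In-memory database with constructed sample mailboxes and rules."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO mailbox (username, domain) VALUES (?, ?)", [
        ("alice@example.com", "example.com"),
        ("bob@example.com", "example.com"),
        ("carol@example.com", "example.com"),
        ("dave@example.net", "example.net"),
    ])
    conn.executemany("INSERT INTO network_restrictions VALUES (?, ?, ?, ?)", [
        # the whole domain is confined to the office networks ...
        ("per-domain", "example.com", "10.0.0.0/8,192.168.1.0/24", None),
        # ... except bob, who may log in from anywhere
        ("per-user", "bob@example.com", None, None),
        # carol had a temporary exception that has already expired
        ("per-user", "carol@example.com", "203.0.113.7", "2015-01-31"),
    ])
    conn.commit()
    return conn


def apply_restrictions(conn: sqlite3.Connection,
                       today: Optional[str] = None) -> Dict[str, Optional[str]]:
    """Rewrite mailbox.allow_nets from the rule table; returns the result."""
    today = today or date.today().isoformat()
    cur = conn.cursor()
    rules = cur.execute(
        "SELECT restriction_type, restriction_value, restriction_net "
        "FROM network_restrictions WHERE expires_on IS NULL OR expires_on >= ?",
        (today,)).fetchall()
    # Recompute from scratch each time, so a changed domain rule or an expired
    # exception never needs the per-user settings to be fixed up by hand.
    cur.execute("UPDATE mailbox SET allow_nets = NULL")
    cur.executemany("UPDATE mailbox SET allow_nets = ? WHERE domain = ?",
                    [(net, val) for typ, val, net in rules if typ == "per-domain"])
    # Per-user rules run last so they override the domain rule; this gives the
    # same result as excluding those addresses from the per-domain update.
    cur.executemany("UPDATE mailbox SET allow_nets = ? WHERE username = ?",
                    [(net, val) for typ, val, net in rules if typ == "per-user"])
    conn.commit()
    return dict(cur.execute("SELECT username, allow_nets FROM mailbox ORDER BY username"))


if __name__ == "__main__":
    for user, nets in apply_restrictions(build_sample_db(), today="2015-03-04").items():
        print(f"{user:20} allow_nets = {nets!r}")
```

Because every run rebuilds allow_nets from the rule table, the admin only ever edits network_restrictions; running it again after any change is safe and gives the same answer, and an exempt user stays exempt no matter how often the domain rule is changed. A NULL restriction_net on a per-user row is what yields the NULL allow_nets that post 1 says means "any IP".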
6

Re: Allow login to Dovecot/Roundcube only from specific ip address/network

I prefer not to integrate this feature in the next iRedMail release since not many people need this feature, and we don't have an ideal solution yet.

Again, thanks for your sharing.

7

Re: Allow login to Dovecot/Roundcube only from specific ip address/network

UPDATE:

I implemented this (allow_nets) in iRedMail:
https://bitbucket.org/zhb/iredmail/comm … 66cfd11f96

With the next release of iRedMail, you can list allowed IP addresses and/or networks in the LDAP attribute 'allowNets', or the SQL column 'mailbox.allow_nets'. Multiple IPs/nets must be separated by commas.

8

Re: Allow login to Dovecot/Roundcube only from specific ip address/network

ZhangHuangbin wrote:

UPDATE:

I implemented this (allow_nets) in iRedMail:
https://bitbucket.org/zhb/iredmail/comm … 66cfd11f96.

After applying the patch:

Mar 25 10:16:07 mail postfix/smtpd[1159]: lost connection after AUTH from ib.domain[192.168.1.5]

Because allow_nets is empty (allow_nets TEXT NOT NULL DEFAULT '').

9

Re: Allow login to Dovecot/Roundcube only from specific ip address/network

avenger_msoft wrote:

Because allow_nets is empty (allow_nets TEXT NOT NULL DEFAULT '').

Thanks for feedback, it works for me with 'DEFAULT NULL':

mysql> ALTER TABLE mailbox DROP COLUMN allow_nets;
mysql> ALTER TABLE mailbox ADD COLUMN allow_nets TEXT DEFAULT NULL;

10

Re: Allow login to Dovecot/Roundcube only from specific ip address/network

ZhangHuangbin wrote:
avenger_msoft wrote:

Because allow_nets is empty (allow_nets TEXT NOT NULL DEFAULT '').

Thanks for feedback, it works for me with 'DEFAULT NULL':

mysql> ALTER TABLE mailbox DROP COLUMN allow_nets;
mysql> ALTER TABLE mailbox ADD COLUMN allow_nets TEXT DEFAULT NULL;

Yes, it works