Restrictive access to some users

2007-04-26 Thread ram
Hi,

On our cyrus server some users need access from office as well as from
outside our LAN. So we nat the imap port on our firewall and people are
able to access 

But Contract employees need not access mails from outside the office.
How can I allow access for such users only from the office?


Thanks
Ram


Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: Restrictive access to some users

2007-04-26 Thread Dmitriy Kirhlarov
On Thu, Apr 26, 2007 at 12:14:13PM +0530, ram wrote:

> On our cyrus server some users need access from office as well as from
> outside our LAN. So we nat the imap port on our firewall and people are
> able to access
>
> But Contract employees need not access mails from outside the office.
> How can I allow access for such users only from the office?

Cyrus imapd doesn't have a source IP filter feature, afaik, and supports
only one authorization group (ldap_filter).
For this reason you have to use some trick.

You need to configure two access groups and two cyrus servers (with
replication or murder configuration) and use different groups on these
servers.
Possibly, some imap proxy can be configured to use the second group.

WBR.
Dmitriy



Re: Restrictive access to some users

2007-04-26 Thread Dmitriy Kirhlarov
On Thu, Apr 26, 2007 at 12:07:20PM +0400, Dmitriy Kirhlarov wrote:
> On Thu, Apr 26, 2007 at 12:14:13PM +0530, ram wrote:
>
> > On our cyrus server some users need access from office as well as from
> > outside our LAN. So we nat the imap port on our firewall and people are
> > able to access
> >
> > But Contract employees need not access mails from outside the office.
> > How can I allow access for such users only from the office?
>
> Cyrus imapd doesn't have a source IP filter feature, afaik, and supports
> only one authorization group (ldap_filter).
> For this reason you have to use some trick.
>
> You need to configure two access groups and two cyrus servers (with
> replication or murder configuration) and use different groups on these
> servers.
> Possibly, some imap proxy can be configured to use the second group.

O-ops.. :)

cyrus.conf:
...
SERVICES {
  public   cmd="imapd -C /public.imapd.conf"  listen="public_ip:imap"
  private  cmd="imapd"                        listen="private_ip:imap"
}

WBR.
Dmitriy



Re: Restrictive access to some users

2007-04-26 Thread Rudy Gevaert

Dmitriy Kirhlarov wrote:

> On Thu, Apr 26, 2007 at 12:07:20PM +0400, Dmitriy Kirhlarov wrote:
>
> > On Thu, Apr 26, 2007 at 12:14:13PM +0530, ram wrote:
> >
> > > On our cyrus server some users need access from office as well as from
> > > outside our LAN. So we nat the imap port on our firewall and people are
> > > able to access
> > >
> > > But Contract employees need not access mails from outside the office.
> > > How can I allow access for such users only from the office?
> >
> > Cyrus imapd doesn't have a source IP filter feature, afaik, and supports
> > only one authorization group (ldap_filter).
> > For this reason you have to use some trick.
> >
> > You need to configure two access groups and two cyrus servers (with
> > replication or murder configuration) and use different groups on these
> > servers.
> > Possibly, some imap proxy can be configured to use the second group.
>
> O-ops.. :)
>
> cyrus.conf:
> ...
> SERVICES {
>   public   cmd="imapd -C /public.imapd.conf"  listen="public_ip:imap"
>   private  cmd="imapd"                        listen="private_ip:imap"
> }



That doesn't fix the problem because you can't say which user can log in
on what interface.


But you could maybe do it like this:

two different imapd.confs.  In one of them you use a different saslauthd 
(if you would be using this) socket.  And run a second saslauthd with 
different config.


--
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Rudy Gevaert  [EMAIL PROTECTED]  tel:+32 9 264 4734
Directie ICT, afd. Infrastructuur    ICT Department, Infrastructure office
Groep Systemen                       Systems group
Universiteit Gent                    Ghent University
Krijgslaan 281, gebouw S9, 9000 Gent, Belgie   www.UGent.be
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --



Re: Restrictive access to some users

2007-04-26 Thread Dmitriy Kirhlarov
On Thu, Apr 26, 2007 at 12:09:28PM +0200, Rudy Gevaert wrote:

> > cyrus.conf:
> > ...
> > SERVICES {
> >   public   cmd="imapd -C /public.imapd.conf"  listen="public_ip:imap"
> >   private  cmd="imapd"                        listen="private_ip:imap"
> > }
>
> That doesn't fix the problem because you can't say which user can log in
> on what interface.
>
> But you could maybe do it like this:
>
> two different imapd.confs.  In one of them you use a different

Yes. I mean this.

> saslauthd (if you would be using this) socket.  And run a second
> saslauthd with different config.

Using ldap_group_* and ldap_member_* imapd.conf parameters is more
accurate, for me.

WBR.
Dmitriy
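
The setup the thread converges on (a public and a private imapd service, each with its own imapd.conf and its own saslauthd socket), sketched as an added example that is not part of any poster's message. File paths, the LDAP host and search base, and the use of `employeeType=contractor` to mark contract staff are assumptions; `public_ip` and `private_ip` are the thread's placeholders.

```conf
# --- /etc/cyrus.conf (SERVICES section) ---
SERVICES {
  # Interface the firewall NATs to: uses the restricted config
  public   cmd="imapd -C /etc/imapd-public.conf"  listen="public_ip:imap"
  # Office LAN interface: default /etc/imapd.conf
  private  cmd="imapd"                            listen="private_ip:imap"
}

# --- /etc/imapd.conf (private listener) ---
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
sasl_pwcheck_method: saslauthd
sasl_saslauthd_path: /var/run/saslauthd/mux

# --- /etc/imapd-public.conf (public listener) ---
# Same mail store as above; only the authentication backend differs.
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
sasl_pwcheck_method: saslauthd
sasl_saslauthd_path: /var/run/saslauthd-public/mux

# --- /etc/saslauthd.conf (office instance: every account may log in) ---
ldap_servers: ldap://ldap.example.org
ldap_search_base: ou=people,dc=example,dc=org
ldap_filter: (uid=%u)

# --- /etc/saslauthd-public.conf (public instance: contractors rejected) ---
# Assumed convention: contract staff carry employeeType=contractor.
ldap_servers: ldap://ldap.example.org
ldap_search_base: ou=people,dc=example,dc=org
ldap_filter: (&(uid=%u)(!(employeeType=contractor)))

# --- one saslauthd per socket directory ---
# saslauthd -a ldap -O /etc/saslauthd.conf        -m /var/run/saslauthd
# saslauthd -a ldap -O /etc/saslauthd-public.conf -m /var/run/saslauthd-public
```

With this layout a contractor's login on the public listener fails because the LDAP search returns no entry, while the same credentials succeed on the private listener. The restriction only holds if the firewall forwards outside IMAP traffic to `public_ip` alone and the private listener is unreachable from outside the LAN.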
