Restrictive access to some users
Hi,

On our Cyrus server some users need access from the office as well as from outside our LAN. So we NAT the IMAP port on our firewall and people are able to access it.

But contract employees need not access mail from outside the office. How can I allow access for such users only from the office?

Thanks
Ram

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: Restrictive access to some users
On Thu, Apr 26, 2007 at 12:14:13PM +0530, ram wrote:
> On our Cyrus server some users need access from the office as well as
> from outside our LAN. So we NAT the IMAP port on our firewall and people
> are able to access it.
>
> But contract employees need not access mail from outside the office.
> How can I allow access for such users only from the office?

Cyrus imapd doesn't have a source IP filter feature, afaik, and supports only one authorization group (ldap_filter). For this reason you have to use some trick.

You need to configure two access groups and two cyrus servers (with replication or murder configuration) and use different groups on these servers.

Possibly, some imap proxy can be configured to use the second group.

WBR.
Dmitriy
Re: Restrictive access to some users
On Thu, Apr 26, 2007 at 12:07:20PM +0400, Dmitriy Kirhlarov wrote:
> On Thu, Apr 26, 2007 at 12:14:13PM +0530, ram wrote:
> > On our Cyrus server some users need access from the office as well as
> > from outside our LAN. So we NAT the IMAP port on our firewall and
> > people are able to access it.
> >
> > But contract employees need not access mail from outside the office.
> > How can I allow access for such users only from the office?
>
> Cyrus imapd doesn't have a source IP filter feature, afaik, and supports
> only one authorization group (ldap_filter). For this reason you have to
> use some trick.
>
> You need to configure two access groups and two cyrus servers (with
> replication or murder configuration) and use different groups on these
> servers.
>
> Possibly, some imap proxy can be configured to use the second group.

O-ops.. :)

cyrus.conf:
...
SERVICES {
    public  cmd="imapd -C /public.imapd.conf" listen="public_ip:imap"
    private cmd="imapd" listen="private_ip:imap"
}

WBR.
Dmitriy
Re: Restrictive access to some users
Dmitriy Kirhlarov wrote:
> On Thu, Apr 26, 2007 at 12:07:20PM +0400, Dmitriy Kirhlarov wrote:
> > On Thu, Apr 26, 2007 at 12:14:13PM +0530, ram wrote:
> > > On our Cyrus server some users need access from the office as well
> > > as from outside our LAN. So we NAT the IMAP port on our firewall and
> > > people are able to access it.
> > >
> > > But contract employees need not access mail from outside the office.
> > > How can I allow access for such users only from the office?
> >
> > Cyrus imapd doesn't have a source IP filter feature, afaik, and
> > supports only one authorization group (ldap_filter). For this reason
> > you have to use some trick.
> >
> > You need to configure two access groups and two cyrus servers (with
> > replication or murder configuration) and use different groups on these
> > servers.
> >
> > Possibly, some imap proxy can be configured to use the second group.
>
> O-ops.. :)
>
> cyrus.conf:
> ...
> SERVICES {
>     public  cmd="imapd -C /public.imapd.conf" listen="public_ip:imap"
>     private cmd="imapd" listen="private_ip:imap"
> }

That doesn't fix the problem because you can't say which user can log in on what interface.

But you could maybe do it like this: two different imapd.confs. In one of them you use a different saslauthd (if you would be using this) socket. And run a second saslauthd with a different config.

--
Rudy Gevaert    [EMAIL PROTECTED]    tel:+32 9 264 4734
Directie ICT, afd. Infrastructuur / ICT Department, Infrastructure office
Groep Systemen / Systems group
Universiteit Gent / Ghent University
Krijgslaan 281, gebouw S9, 9000 Gent, Belgie    www.UGent.be
Re: Restrictive access to some users
On Thu, Apr 26, 2007 at 12:09:28PM +0200, Rudy Gevaert wrote:
> > cyrus.conf:
> > ...
> > SERVICES {
> >     public  cmd="imapd -C /public.imapd.conf" listen="public_ip:imap"
> >     private cmd="imapd" listen="private_ip:imap"
> > }
>
> That doesn't fix the problem because you can't say which user can log in
> on what interface.
>
> But you could maybe do it like this: two different imapd.confs. In one
> of them you use a different

Yes. I mean this.

> saslauthd (if you would be using this) socket. And run a second
> saslauthd with a different config.

Using the ldap_group_* and ldap_member_* imapd.conf parameters is more accurate, for me.

WBR.
Dmitriy
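
The setup the thread converges on (one imapd per interface, the public one authenticating through a second saslauthd), written out as an added configuration sketch that is not part of the original messages and not Cyrus project code. The socket directories, the /etc/saslauthd-public.conf file name, the LDAP host, the base DN and the employeeType value are assumptions; public_ip, private_ip and /public.imapd.conf are the thread's own placeholders.

```conf
# Constructed example: three config files shown together, separated by
# comment banners. Paths, LDAP host, base DN and attribute value are assumed.

# --- cyrus.conf: one imapd per interface, each with its own imapd.conf ---
SERVICES {
  public   cmd="imapd -C /public.imapd.conf"  listen="public_ip:imap"
  private  cmd="imapd"                        listen="private_ip:imap"
}

# --- /public.imapd.conf: a copy of imapd.conf that differs in these lines ---
# Password checks go to the second saslauthd. saslauthd only verifies
# plaintext logins, so offer no other SASL mechanism on this listener;
# otherwise a shared-secret mechanism would skip the filter below.
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN
sasl_saslauthd_path: /var/run/saslauthd-public/mux

# --- imapd.conf (office listener): the existing saslauthd, every user ---
sasl_pwcheck_method: saslauthd
sasl_saslauthd_path: /var/run/saslauthd/mux

# --- second saslauthd: own socket directory (-m) and own LDAP config (-O) ---
#   saslauthd -a ldap -m /var/run/saslauthd-public -O /etc/saslauthd-public.conf

# --- /etc/saslauthd-public.conf: contract staff never match the filter, ---
# --- so their logins fail on the public listener only                   ---
ldap_servers: ldap://ldap.example.com/
ldap_search_base: dc=example,dc=com
ldap_filter: (&(uid=%u)(!(employeeType=contract)))
```

The firewall's NAT rule has to forward the IMAP port to public_ip only; if outside traffic can reach the private listener, the restriction does not apply.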