Re: Restrict access to a single client device
On 02/01/2013 01:20 AM, Dale J Chatham wrote:
> You use SMTP authentication through postfix or sendmail. Google [ mail authentication relay ] and you should find lots of howtos. I'm setting it up to use a sasldb to authenticate external users in order to keep them apart from UNIX users. Be very certain that you use STARTTLS or some form of authentication for email. Also, if you're allowing internet access to e-mail, you'll want to use imaps or https.

The idea is that end users configure their email on Desktop, Laptop, Phone, tablet, iPad ... (the list is getting longer every day).

So copies of the mail are floating everywhere. This raises a security concern.

I can't block access totally from outside. Employees should be allowed access from outside the office, but only from the designated laptop.

One way would be to ask everyone to VPN to the office for mails. Is there any other way?

Thanks
Ram

Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: Restrict access to a single client device
Ram wrote (01.02.2013 10:01):
> On 02/01/2013 01:20 AM, Dale J Chatham wrote:
>> You use SMTP authentication through postfix or sendmail. Google [ mail authentication relay ] and you should find lots of howtos. I'm setting it up to use a sasldb to authenticate external users in order to keep them apart from UNIX users. Be very certain that you use STARTTLS or some form of authentication for email. Also, if you're allowing internet access to e-mail, you'll want to use imaps or https.
>
> The idea is that end users configure their email on Desktop, Laptop, Phone, tablet, iPad ... (the list is getting longer every day).
>
> So copies of the mail are floating everywhere. This raises a security concern.
>
> I can't block access totally from outside. Employees should be allowed access from outside the office, but only from the designated laptop.
>
> One way would be to ask everyone to VPN to the office for mails. Is there any other way?

TLS client authentication with certificates?

Marc
Re: Restrict access to a single client device
On Fri, 2013-02-01 at 14:31 +0530, Ram wrote:
> On 02/01/2013 01:20 AM, Dale J Chatham wrote:
>> You use SMTP authentication through postfix or sendmail. Google [ mail authentication relay ] and you should find lots of howtos. I'm setting it up to use a sasldb to authenticate external users in order to keep them apart from UNIX users. Be very certain that you use STARTTLS or some form of authentication for email. Also, if you're allowing internet access to e-mail, you'll want to use imaps or https.
>
> The idea is that end users configure their email on Desktop, Laptop, Phone, tablet, iPad ... (the list is getting longer every day).

Yes.

> So copies of the mail are floating everywhere. This raises a security concern.
>
> I can't block access totally from outside. Employees should be allowed access from outside the office, but only from the designated laptop.
>
> One way would be to ask everyone to VPN to the office for mails. Is there any other way?

This really sounds like a solution for PKI. Issue a certificate to the device and demand that the device and the server *mutually* agree based on that [currently the client device has to recognize the server's certificate]. This means you (a) have to manage certificates and (b) the client device / application has to be able to perform PKI. I believe (b) is true in most cases.

I'm currently also trying to figure this out.
Re: Restrict access to a single client device
You can restrict by user. You can restrict by IP. You can restrict by SSL credentials (either VPN or certificates with mail). You cannot restrict by a MAC address, or at least off the top of my head I can't come up with one.

Unless they need access to the network from outside, I strongly advise against VPN access. It gives too much access to too much unless they need it.

SSL certs are probably the best way to go, but even then there is nothing to keep them from copying the cert to another machine and using it.

I'm not sure why you want to restrict access to one machine/user pair rather than just one user.

On 02/01/2013 03:01 AM, Ram wrote:
> On 02/01/2013 01:20 AM, Dale J Chatham wrote:
>> You use SMTP authentication through postfix or sendmail. Google [ mail authentication relay ] and you should find lots of howtos. I'm setting it up to use a sasldb to authenticate external users in order to keep them apart from UNIX users. Be very certain that you use STARTTLS or some form of authentication for email. Also, if you're allowing internet access to e-mail, you'll want to use imaps or https.
>
> The idea is that end users configure their email on Desktop, Laptop, Phone, tablet, iPad ... (the list is getting longer every day).
>
> So copies of the mail are floating everywhere. This raises a security concern.
>
> I can't block access totally from outside. Employees should be allowed access from outside the office, but only from the designated laptop.
>
> One way would be to ask everyone to VPN to the office for mails. Is there any other way?
>
> Thanks
> Ram

--
There is a greater darkness than the one we fight. It is the darkness of the soul that has lost its way. The war we fight is not against powers and principalities, it is against chaos and despair. Greater than the death of flesh is the death of hope, the death of dreams. Against this peril we can never surrender. The future is all around us, waiting in moments of transition, to be born in moments of revelation. No one knows the shape of that future, or where it will take us. We know only that it is always born in pain.
G'Kar
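
The certificate-based approach raised in the two replies above (mutual TLS plus a check that the certificate belongs to the user who logs in), as an added example that is not code from the thread or from Cyrus. It assumes a Python TLS front end in front of the IMAP server; `ENROLLED`, `server_context` and `device_allowed` are hypothetical names, and the certificate bytes are constructed sample data.

```python
import hashlib
import hmac
import ssl

# Constructed enrollment table: IMAP login -> SHA-256 fingerprint (hex) of the
# single device certificate issued to that user. Sample data, not real certs.
ENROLLED = {
    "ram": hashlib.sha256(b"constructed-DER-for-ram-laptop").hexdigest(),
    "mike": hashlib.sha256(b"constructed-DER-for-mike-laptop").hexdigest(),
}


def server_context(ca_file=None, cert_file=None, key_file=None):
    """TLS context that fails the handshake unless the client sends a CA-signed cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED          # mutual TLS, not server-only
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # trust only the device-issuing CA
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)   # the server's own identity
    return ctx


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, the usual certificate fingerprint."""
    return hashlib.sha256(der_cert).hexdigest()


def device_allowed(user: str, der_cert) -> bool:
    """True only if this connection's client cert is the one enrolled for user.

    der_cert is what SSLSocket.getpeercert(binary_form=True) returns after the
    handshake; user is the name accepted by the IMAP login step.
    """
    expected = ENROLLED.get(user)
    if expected is None or not der_cert:
        return False                     # unknown user or no client cert: deny
    # A valid cert issued to a different user's device is rejected here.
    return hmac.compare_digest(expected, fingerprint(der_cert))
```

The handshake proves the client holds the private key for the enrolled certificate, not that it is the designated laptop; keeping that key in a non-exportable store (TPM or smart card) is what addresses the copying concern raised above.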
Re: Restrict access to a single client device
If you can't predict the IP, I am not aware of a way to do what you want. Try using authentication to verify the user, not the device.

On 01/31/2013 12:22 AM, Ram wrote:
> On 01/30/2013 08:11 PM, Dale J Chatham wrote:
>> If a Linux box, best place is likely /etc/hosts.deny
>>
>> http://linux.about.com/od/commands/l/blcmdl5_hostsde.htm
>
> Sorry, I should have mentioned that the IP address of the device may change.
>
> For example, if I want to restrict access to a single LAPTOP, whether the employee uses it from home or from office it should work, but not from anywhere else.
>
>> On 01/30/2013 08:29 AM, Ram wrote:
>>> Can I restrict access to my imap servers from a single device only?
>>>
>>> The server is not on the same LAN, so I cannot do a mac-binding.
>>>
>>> Thanks
>>> Ram
Re: Restrict access to a single client device
I would like to see this too. Sometimes the user is less trustworthy than the device. Not that I have any ideas on how to do this, but maybe locking the client id to the user id.

Mike

On 01/31/2013 07:56 AM, Dale J Chatham wrote:
> If you can't predict the IP, I am not aware of a way to do what you want. Try using authentication to verify the user, not the device.
>
> On 01/31/2013 12:22 AM, Ram wrote:
>> On 01/30/2013 08:11 PM, Dale J Chatham wrote:
>>> If a Linux box, best place is likely /etc/hosts.deny
>>>
>>> http://linux.about.com/od/commands/l/blcmdl5_hostsde.htm
>>
>> Sorry, I should have mentioned that the IP address of the device may change.
>>
>> For example, if I want to restrict access to a single LAPTOP, whether the employee uses it from home or from office it should work, but not from anywhere else.
>>
>>> On 01/30/2013 08:29 AM, Ram wrote:
>>>> Can I restrict access to my imap servers from a single device only?
>>>>
>>>> The server is not on the same LAN, so I cannot do a mac-binding.
>>>>
>>>> Thanks
>>>> Ram

--
Michael D. Sofka sof...@rpi.edu
CMT Sr. Systems Programmer, Email, HPC, TeX, Epistemology
Rensselaer Polytechnic Institute, Troy, NY. http://www.rpi.edu/~sofkam/
Re: Restrict access to a single client device
You use SMTP authentication through postfix or sendmail. Google [ mail authentication relay ] and you should find lots of howtos. I'm setting it up to use a sasldb to authenticate external users in order to keep them apart from UNIX users.

Be very certain that you use STARTTLS or some form of authentication for email. Also, if you're allowing internet access to e-mail, you'll want to use imaps or https.

On 01/31/2013 01:04 PM, Michael D. Sofka wrote:
> I would like to see this too. Sometimes the user is less trustworthy than the device. Not that I have any ideas on how to do this, but maybe locking the client id to the user id.
>
> Mike
>
> On 01/31/2013 07:56 AM, Dale J Chatham wrote:
>> If you can't predict the IP, I am not aware of a way to do what you want. Try using authentication to verify the user, not the device.
>>
>> On 01/31/2013 12:22 AM, Ram wrote:
>>> On 01/30/2013 08:11 PM, Dale J Chatham wrote:
>>>> If a Linux box, best place is likely /etc/hosts.deny
>>>>
>>>> http://linux.about.com/od/commands/l/blcmdl5_hostsde.htm
>>>
>>> Sorry, I should have mentioned that the IP address of the device may change.
>>>
>>> For example, if I want to restrict access to a single LAPTOP, whether the employee uses it from home or from office it should work, but not from anywhere else.
>>>
>>>> On 01/30/2013 08:29 AM, Ram wrote:
>>>>> Can I restrict access to my imap servers from a single device only?
>>>>>
>>>>> The server is not on the same LAN, so I cannot do a mac-binding.
>>>>>
>>>>> Thanks
>>>>> Ram
Re: Restrict access to a single client device
If a Linux box, best place is likely /etc/hosts.deny

http://linux.about.com/od/commands/l/blcmdl5_hostsde.htm

On 01/30/2013 08:29 AM, Ram wrote:
> Can I restrict access to my imap servers from a single device only?
>
> The server is not on the same LAN, so I cannot do a mac-binding.
>
> Thanks
> Ram
Re: Restrict access to a single client device
On 01/30/2013 08:11 PM, Dale J Chatham wrote:
> If a Linux box, best place is likely /etc/hosts.deny
>
> http://linux.about.com/od/commands/l/blcmdl5_hostsde.htm

Sorry, I should have mentioned that the IP address of the device may change.

For example, if I want to restrict access to a single LAPTOP, whether the employee uses it from home or from office it should work, but not from anywhere else.

> On 01/30/2013 08:29 AM, Ram wrote:
>> Can I restrict access to my imap servers from a single device only?
>>
>> The server is not on the same LAN, so I cannot do a mac-binding.
>>
>> Thanks
>> Ram