Limit IMAP access
-
Hello! Is there any way to limit access to IMAP, to ensure that only limited IPs (from the office) can fetch the e-mail?
Any approach would be fine, really
-
@potemkin_ai We don't have a way to do this out of the box but I am looking into various security stuff for the coming release 6.3 and hope to have an answer soon. I will move this to feature requests.
-
@girish got it, thank you! Any time estimate for 6.3?
-
@potemkin_ai There's another pit stop before 6.3. Please see this post for more details: https://forum.cloudron.io/topic/4721/cloudron-6-2-released/12
-
@potemkin_ai We will have a better idea later this week or early next week for sure. I will post an update in the 6.3 thread - https://forum.cloudron.io/topic/4723/what-s-coming-in-cloudron-6-3
-
@girish thank you, subscribed. Desperately looking forward for the mail access restriction in 6.3, wish you a nice smooth release!
-
@girish any updates here?
-
@potemkin_ai Can you not block this currently in your cloud firewall? If you are hosting in the Cloud, pretty much all cloud providers have a way to block port 993 at IP level.
-
@girish yep, we discussed that
I can't, unfortunately, not all of the cloud providers have that covered... -
@potemkin_ai ah, i see. I think developing a firewall to block specific ports+IP will have to wait for a future release. Atleast, not in the coming one.
-
@girish I'm not looking for a custom firewall rules, but an IMAP server level allowed IP range. That't usually a thing in most of the modern servers, isn't it the case here?
-
@potemkin_ai that seems more doable. Will look into it.
-
@potemkin_ai said in Limit IMAP access:
That't usually a thing in most of the modern servers, isn't it the case here?
Do you have an example for this claim?
-
@girish thank you!!
-
@fbartels nginx, apache, ssh, etc?
-
@potemkin_ai said in Limit IMAP access:
nginx, apache, ssh, etc?
But these are not imap/mail servers. For webservers it kind of makes sense, since most website do not require authentication and you may want to host something that is only available "internally". ssh I can understand as well, allow some users access from the internet, but others (that have elevated privileges) only from known location.
Personally this just feels like a strange feature to me (in regards to a mail server). If you are afraid of password security, then there is a push towards "modern authentication" in the industry in the last years, this then uses tokens for login instead of passwords and the way to retrieve the initial token for the client could be locked behind 2fa for example.
To be fair there seems to be a feature around this in Dovecot:
https://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets -
@fbartels I'm not exactly afraid of something; but limiting the IPs allowed to collect mail from is a valid business requirement for a cloud office.
-
@potemkin_ai believe it or not. My daytime job is building a "mail server" and I have not heard a single customer come up with such a requirement. Therefore I was curious of your intentions.
For us customers either put their system directly accessible to the internet, or if that is not desired make it only accessible over vpn. (with stuff like 2fa, or ssl client certificates for web access, but imap is quite backwards in that sense).
It also does not look like "client access rules" for Exchange Online cover imap connections: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/client-access-rules/client-access-rules
-
@fbartels I do believe you.
