How To Setup VPOP3 Service Security

VPOP3 can be configured to restrict access to its various services depending on the client computer's IP address. This is useful if you want to allow access from only certain IP addresses (eg within your LAN) and prevent access from other IP addresses (eg the Internet).

With some services you can also restrict access to certain users on those IP addresses. These are generally only those services which require some form of logon (eg POP3, WebMail etc).

To secure a service, go to the Services tab in VPOP3, and click on the service you want to secure. You should find in there a tab called IP Access Restrictions. In that box each line defines an access restriction rule.

VPOP3 version 2.5 to 4.0

In these versions, the access restrictions are defined using a helper editor. Each line defines an access restriction rule.

To edit a rule, click on the rule. To add a rule, click on the Add New Rule text. To remove a rule, click on the X or waste bin to the left of the rule.

When adding or editing a rule you can specify whether the rule applies to a single host, a subnet (specified in CIDR format, as <network address>/<mask>, eg 192.168.0.0/24) or all addresses. You can also specify whether the restriction blocks access (DENY) or allows access (ALLOW).

If the service requires authentication, then you can also specify which users can access it from these addresses (if you don't specify any users, then all users are allowed). Note that with SMTP, if the service is configured never to require authentication, then you cannot restrict by username, as VPOP3 cannot know a username unless authentication is used.

If the service allows (but does not require) authentication (eg SMTP, LDAP), then there will also be a no auth checkbox which allows you to say that, from the specified IP addresses, authentication is not required, even if the settings normally require authentication.

Default for your LAN

The Default for your LAN button makes VPOP3 create a default set of rules which are likely to be OK for basic internal LAN usage scenarios.

What it does is:

  1. create a DENY rule for any gateways (routers)
  2. create an ALLOW rule for each network which the VPOP3 computer is directly connected to

For most situations, this will create a set of rules such as:

If there are multiple network adapters (or multiple IP addresses bound to a single adapter), then there may be more entries.

The Default for your LAN button cannot automatically detect if you have multiple local networks connected by internal routers, but if you have that level of complexity of network topology, it should be relatively clear how you need to configure the access restrictions to do what you require.

(Note that VPOP3 detects the LAN configuration when starting up, so if the IP address/network details have changed since VPOP3 started, this button will configure the settings incorrectly. This can especially be an issue if VPOP3 is connected via a wireless LAN.)
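
The rule set described above, modelled as an added example (this is not VPOP3's own code and not part of the original page). It assumes rules are checked top to bottom with the first match winning, which is consistent with the gateway DENY rule being listed before the ALLOW rule for the network that contains it; the interface and gateway addresses are constructed sample values.

```python
import ipaddress


def default_lan_rules(interfaces, gateways):
    """Model of 'Default for your LAN': DENY each gateway, then ALLOW each
    directly connected network. `interfaces` are 'address/prefix' strings."""
    # A bare address parses as a single-host network (/32 for IPv4).
    rules = [("DENY", ipaddress.ip_network(gw)) for gw in gateways]
    seen = set()
    for iface in interfaces:
        # strict=False maps a host address such as 192.168.0.10/24 to the
        # network it belongs to, 192.168.0.0/24.
        net = ipaddress.ip_network(iface, strict=False)
        if net not in seen:  # several addresses may share one network
            seen.add(net)
            rules.append(("ALLOW", net))
    return rules


def evaluate(rules, client_ip):
    """Assumed semantics: first matching rule wins. Returns 'ALLOW', 'DENY',
    or None when no rule matches (the page does not say what VPOP3 does then)."""
    addr = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if addr in net:
            return action
    return None


def format_rules(rules):
    """Render the rules as '<ACTION> <network>/<mask>' lines."""
    return [f"{action} {net}" for action, net in rules]


# Constructed sample: two local addresses and one gateway, as seen at startup.
INTERFACES = ["192.168.0.10/24", "10.1.2.3/16"]
GATEWAYS = ["192.168.0.1"]
RULES = default_lan_rules(INTERFACES, GATEWAYS)

if __name__ == "__main__":
    print("\n".join(format_rules(RULES)))
    # Gateway, two LAN clients, an external client, and a client on a network
    # the machine joined only after the rules were generated.
    for ip in ["192.168.0.1", "192.168.0.55", "10.1.200.7",
               "203.0.113.9", "192.168.5.20"]:
        print(ip, "->", evaluate(RULES, ip))
```

A routed external client arrives with its own source address, so it never matches the gateway's DENY rule; in this model it matches no rule at all. The last address shows the stale-configuration case from the note above: clients on a network joined after the rules were generated are not covered by any ALLOW rule.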

The default DENY rule for your router/gateway

The router is denied access by the default rules because:

Note that blocking access from the router does NOT block access from external IP addresses (so it will not conflict with ALLOW rules allowing access from outside), unless the router acts like a proxy server, rather than a normal router.

Usually there is no need to remove this rule. The only times you would need to do that are if you need the router to send outgoing mail or collect mail itself (which is very unusual), or if your router acts as a proxy server rather than a router (which is also very unusual). In the latter case, you will need to be very careful, and set up any access rules and anti-relay rules on the router itself. (You may need to change the router if you need external access and the router does not support this.)

The deny rule does NOT (with the other default settings) prevent the router from sending internal email via VPOP3, e.g. for error reports or intrusion notifications.

(Note that, nowadays, it is very rare for routers to act like proxy servers, but it was more common several years ago. If in doubt, presume it does not act this way.)

VPOP3 version 2.4 and earlier

In these versions, the access restrictions are defined as text controls. Each line defines an access restriction rule. The parts to that rule are as follows:

This is best clarified with an example:

!192.168.0.1
192.168.0.0 255.255.0.0
0.0.0.0 0.0.0.0 fred bob

This means:

Notes

On the service specific access restrictions, if the address is allowed, then VPOP3 will check the global access restrictions on the Services page, unless NOGLOBAL is specified in the service specific restrictions. So, if you are modifying service specific access restrictions it is probably best to add a line saying NOGLOBAL to prevent the global access restrictions from overriding the changes.