how_to:vpop3_access_security [2009/05/14 15:07] – created mike | how_to:vpop3_access_security [2018/11/14 10:45] (current) – external edit 127.0.0.1 | ||
Line 1: | Line 1: | ||
- | =====How To Setup vPOP3 Service Security===== | + | ======How To Setup VPOP3 Service Security====== |
VPOP3 can be configured to restrict access to its various services depending on the client computer' | VPOP3 can be configured to restrict access to its various services depending on the client computer' | ||
Line 5: | Line 5: | ||
With some services you can also restrict access to certain users on those IP addresses. These are generally only those services which require some form of logon (eg POP3, WebMail etc) | With some services you can also restrict access to certain users on those IP addresses. These are generally only those services which require some form of logon (eg POP3, WebMail etc) | ||
- | To secure a service, go to the '' | + | To secure a service, go to the **Services** tab in VPOP3, and click on the service you want to secure. You should find in there a tab called |
- | * Optionally if the first character on the line is a ' | + | =====VPOP3 version 2.5 to 4.0===== |
- | * The first part of the line is the ' | + | In these versions, |
- | * The second part is the ' | + | |
- | * Following | + | |
- | This is best clarified with an example: | + | To edit a rule, you can click on the rule, to add a rule, click on the **Add New Rule** text, or to remove a rule click on the **X** or waste bin to the left of the rule. |
- | '' | + | When adding or editing a rule you can specify whether the rule applies to a single host, a subnet (specified in [[http:// |
- | ''192.168.0.0 255.255.0.0'' | + | If the service requires authentication, |
- | '' | + | If the service allows (but does not require) authentication (eg SMTP, LDAP), then there will also be a **no auth** checkbox which allows you to say that, from the specified IP addresses, authentication is not required, even if the settings normally require authentication. |
+ | |||
+ | ====Default for your LAN==== | ||
+ | The **Default for your LAN** button makes VPOP3 create a default set of rules which are likely to be OK for basic internal LAN usage scenarios | ||
+ | |||
+ | What it does is: | ||
+ | - create a **DENY** rule for any gateways (routers) | ||
+ | - create an **ALLOW** rule for each network which the VPOP3 computer is directly connected to | ||
+ | |||
+ | For more situations, this will create a set of rules such as: | ||
+ | * DENY 192.168.1.1 | ||
+ | * ALLOW 192.168.1.0/ | ||
+ | * ALLOW 127.0.0.0/8 (the loopback addresses) | ||
+ | |||
+ | If there are multiple network adapters (or multiple IP addresses bound to a single adapter), then there may be more entries. | ||
+ | |||
+ | The **Default for your LAN** button cannot automatically detect if you have multiple local networks connected by internal routers, but if you have that level of complexity of network topography, it should be relatively clear how you need to configure the access restrictions to do what you require. | ||
+ | |||
+ | |||
+ | (Note that VPOP3 detects the LAN configuration when starting up, so if the IP address/ | ||
+ | |||
+ | ===The default DENY rule for your router/ | ||
+ | The router is denied access by the default rules because: | ||
+ | * Routers are very unlikely to need to send outgoing mail, or collect mail using POP3 or IMAP4, themselves | ||
+ | * Some routers act as proxy servers, so that incoming connections appear to come from the router themselves. This means that if this **DENY** rule was omitted, the default rules would allow access from anywhere on the Internet (including making VPOP3 into an open relay) - this would be very undesirable as a default rule | ||
+ | * If the router's security is compromised, | ||
+ | |||
+ | Note that blocking access from the router does NOT block access from external IP addresses (so it will not conflict with **ALLOW** rules allowing access from outside), unless the router acts like a proxy server, rather than a normal router. | ||
+ | |||
+ | Usually there is no need to remove this rule. The only times you would need to do that are if you need the router to send outgoing mail or collect mail itself (which is very unusual), or if your router acts as a proxy server rather than a router (which is also very unusual). In the latter case, you will need to be very careful, and set up any access rules and anti-relay rules on the router itself. (You may need to change the router if you need external access and the router does not support this) | ||
+ | |||
+ | The deny rule does NOT (with the other default settings) prevent the router from sending internal email via VPOP3, e.g. for error reports or intrusion notifications. | ||
+ | |||
+ | (Note that, nowadays, it is very rare for routers to act like proxy servers, but it was more common several years ago. If in doubt, presume it does not act this way) | ||
+ | |||
+ | |||
+ | =====VPOP3 version 2.4 and earlier===== | ||
+ | In these versions, the access restrictions are defined as text controls. Each line defines an access restriction rule. The parts to that rule are as follows: | ||
+ | |||
+ | * Optionally if the first character on the line is a '!' (exclamation mark) it means do NOT allow access from the following IP addresses (you cannot specify user names in this case) | ||
+ | * The first part of the line is the ' | ||
+ | * The second part is the ' | ||
+ | * Following the ' | ||
+ | |||
+ | This is best clarified with an example: | ||
+ | |||
+ | !192.168.0.1 | ||
+ | 192.168.0.0 255.255.0.0 | ||
+ | | ||
This means: | This means: | ||
- | | + | |
- | * Allow access to the service from IP addresses 192.168.0.0-192.168.255.255 for anyone | + | * Allow access to the service from IP addresses 192.168.0.0-192.168.255.255 for anyone |
- | * Allow access to the service from any other IP address, but only for the ' | + | * Allow access to the service from any other IP address, but only for the ' |
Notes | Notes | ||
- | + | | |
- | | + | * For the SMTP service, if you have specified any SMTP authentication options, you can specify a ' |
- | * For the SMTP service, if you have specified any SMTP authentication options, you can specify a ' | + | * If you want to allow access from anywhere, use a line like '' |
- | * If you want to allow access from anywhere, use a line like '' | + | * The Access Restriction rules are processed from the top to bottom until an IP address match is found. So, in the above example, if the '' |
- | * The Access Restriction rules are processed from the top to bottom until an IP address match is found. So, in the above example, if the '' | + | |
On the service specific access restrictions, | On the service specific access restrictions, | ||
{{tag> security services}} | {{tag> security services}} |
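Review bot: the new "VPOP3 version 2.5 to 4.0" section never states the order in which the rule list is evaluated, which the "VPOP3 version 2.4 and earlier" section does ("processed from the top to bottom until an IP address match is found"); since the **Default for your LAN** ruleset relies on the `DENY 192.168.1.1` entry taking precedence over the `ALLOW` for the surrounding subnet, say explicitly whether the new rule list is also first-match from top to bottom and whether **Add New Rule** appends the rule at the end of the list, otherwise a reader adding a broad ALLOW above the router DENY could unknowingly re-open the proxy-router exposure the section warns about. Two wording fixes in the same hunk: "For more situations, this will create a set of rules such as" reads as a typo for "For most situations", and "incoming connections appear to come from the router themselves" should read "from the router itself".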