VPOP3 can be configured to restrict access to its various services depending on the client computer's IP address. This is useful if you want to allow access from only certain IP addresses (eg within your LAN) and prevent access from other IP addresses (eg the Internet).

With some services you can also restrict access to certain users on those IP addresses. These are generally only those services which require some form of logon (eg POP3, WebMail etc)

To secure a service, go to the Services tab in VPOP3, and click on the service you want to secure. You should find in there a tab called IP Access Restrictions. In that box each line defines an access restriction rule.

In these versions, the access restrictions are defined using a helper editor. Each line defines an access restriction rule.

To edit a rule, you can click on the rule, to add a rule, click on the Add New Rule text, or to remove a rule click on the X or waste bin to the left of the rule.

When adding or editing a rule you can specify whether the rule applies to a single host, a subnet (specified in CIDR format, as <network address>/<mask>, eg 192.168.0.0/24) or all addresses. You can also specify whether the restriction block access (DENY) or allows access (ALLOW).

If the service requires authentication, then you can also specify which users can access it from these addresses (if you don't specify any users, then all users are allowed). Note that with SMTP, if the service is configured never to require authentication, then you cannot restrict by username, as VPOP3 can not know a username, unless authentication is used.

If the service allows (but does not require) authentication (eg SMTP, LDAP), then there will also be a no auth checkbox which allows you to say that, from the specified IP addresses, authentication is not required, even if the settings normally require authentication.

In these versions, the access restrictions are defined as text controls. Each line defines an access restriction rule. The parts to that rule are as follows:

• Optionally if the first character on the line is a '!' (exclamation mark) it means do NOT allow access from the following IP addresses (you cannot specify user names in this case)
• The first part of the line is the 'Network Address'.
• The second part is the 'Subnet Mask'. If the Network address specifies a single host, then you can omit this section as it will default to '255.255.255.255'
• Following the 'Subnet Mask' you can optionally specify one or more usernames to indicate which users can access the service from the specified IP addresses.

This is best clarified with an example:

!192.168.0.1
192.168.0.0 255.255.0.0
0.0.0.0 0.0.0.0 fred bob

This means:

• Don't allow access to the service from IP address 192.168.0.1
• Allow access to the service from IP addresses 192.168.0.0-192.168.255.255 for anyone
• Allow access to the service from any other IP address, but only for the 'fred' and 'bob' users

Notes

• If you don't have any access restrictions defined, then all access is allowed, if you do have some access restrictions defined, then any unspecified IP addresses are denied access
• For the SMTP service, if you have specified any SMTP authentication options, you can specify a 'username' of NOAUTH. This means that access from the specified IP addresses does not require authentication
• If you want to allow access from anywhere, use a line like 0.0.0.0 0.0.0.0 to mean 'allow access from anywhere'
• The Access Restriction rules are processed from the top to bottom until an IP address match is found. So, in the above example, if the 0.0.0.0 0.0.0.0 line was put at the start, the rest of the rules would be ignored because that first line would match all IP addresses.

On the service specific access restrictions, if the address is allowed, then VPOP3 will check the global access restrictions on the Services page, unless NOGLOBAL is specified in the service specific restrictions. So, if you are modifying service specific access restrictions it is probably best to add a line saying NOGLOBAL to prevent the global access restrictions from overriding the changes.