Restrict mail user to login from specified IP addresses or networks

Attention

Check out the lightweight on-premises email archiving software developed by iRedMail team: Spider Email Archiver.

Since iRedMail-0.9.1, it's able to restrict mail users to login from specified IP addresses or networks.

Allowed IP/networks must be separated by comma. If the user tries to log in elsewhere, the authentication will fail the same way as if a wrong password was given.

Below sample usage shows how to restrict mail user user@domaim.com to login from only IP address 172.16.244.1 or network 192.168.1.0/24.

Warning

If webmail is running on same server, and you want to allow user to login from webmail, please allow IP 127.0.0.1 too.

Manage with iRedAdmin-Pro

With iRedAdmin-Pro, please go to user profile page, click tab Advanced, you will find setting Restrict to login from specified addresses like below:

Manage with SQL command line for SQL backends

sql> USE vmail;
sql> UPDATE mailbox SET allow_nets='172.16.244.1,192.168.1.0/24' WHERE username='user@domain.com';

To remove this restriction (allow to login from anywhere), just set value of SQL column mailbox.allow_nets to NULL. WARNING: It must be NULL, not empty string.

Manage with LDAP command line for LDAP backends

To allow user user@domain.com to login from IP 172.16.244.1 and network 192.168.1.0/24, please add new attribute allowNets to this user:

allowNets: 192.168.1.10,192.168.1.0/24

To remove this restriction, just remove attribute allowNets for this user.

References

All documents are available in GitHub repository, and published under Creative Commons license. You can download the latest version for offline reading. If you found something wrong, please do contact us to fix it.