V2 Access Permissions
You must configure your email services to make use of access restrictions. See below for implementation details.
Some administrators may want to control which services their users can access (smtp, pop3, imap). You may, for instance, wish to force particular users onto either POP3 or IMAP. For example:
- force low value / non-critical / high-volume users to POP3 to save disk space;
- force internal / high value customers to IMAP to ensure their mail remains on the server where it may be part of a corporate backup procedure.
The actual implementation of this is very much mail server dependent. I have implemented and tested on Dovecot 2 so far and would appreciate the equivalent documentation for other servers to add to this page.
Firstly, the default access restriction setting for all users is ALL, which means that they can access all available services. You can configure which services are available in the application.ini file. The default is:
access_restriction_type.smtp = "SMTP"
access_restriction_type.imap = "IMAP"
access_restriction_type.pop3 = "POP3"
which will display checkboxes labelled SMTP, IMAP, etc. to the administrator and enter a comma-separated list of the selected services into the access_restriction field of the mailbox table, such as smtp,imap (meaning the user can access (authenticate for) smtp and imap but not pop3).
The access restrictions are implemented during user authentication with the SQL backend. A typical ViMbAdmin authentication configuration would be:
password_query = SELECT username as user, password as password FROM mailbox WHERE username = '%u' AND active = '1'
To add access restriction to this, add the following clause to the end of the above:
AND ( access_restriction = 'ALL' OR LOCATE( '%Ls', access_restriction ) > 0 )
The above will result in a valid authentication for a given service (%Ls is the service name in lower case and for Dovecot is typically smtp, imap or pop3) if the user has no access restrictions (ALL) or if the service under consideration is one of the user's allowed services.
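The combined query, run against a few constructed mailbox rows to show which services each row authenticates for (an added example, not ViMbAdmin's or Dovecot's own code). It assumes SQLite as a stand-in for the MySQL backend, with LOCATE() emulated in Python and Dovecot's %u and %Ls replaced by bound parameters; the sample users and passwords are made up.

```python
import sqlite3

# The page's password_query plus its access-restriction clause. Dovecot expands
# %u and %Ls itself; in this example they become bound parameters.
PASSWORD_QUERY = """
SELECT username AS user, password AS password FROM mailbox
WHERE username = :user AND active = '1'
  AND ( access_restriction = 'ALL'
        OR LOCATE( :service, access_restriction ) > 0 )
"""

# Constructed sample rows: (username, password, active, access_restriction)
SAMPLE_MAILBOXES = [
    ("alice@example.com", "{PLAIN}x", "1", "ALL"),
    ("bob@example.com", "{PLAIN}x", "1", "smtp,imap"),
    ("carol@example.com", "{PLAIN}x", "1", "smtp,pop3"),
    ("dave@example.com", "{PLAIN}x", "0", "ALL"),  # inactive mailbox
]


def locate(needle, haystack):
    """Stand-in for MySQL LOCATE(): 1-based position of needle, 0 if absent."""
    return haystack.find(needle) + 1


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("LOCATE", 2, locate)
    conn.execute("CREATE TABLE mailbox (username, password, active, access_restriction)")
    conn.executemany("INSERT INTO mailbox VALUES (?, ?, ?, ?)", SAMPLE_MAILBOXES)
    return conn


def can_authenticate(conn, user, service):
    """True when the query returns a row, i.e. the user is found for this service."""
    params = {"user": user, "service": service.lower()}  # %Ls is lower case
    return conn.execute(PASSWORD_QUERY, params).fetchone() is not None


def access_matrix(conn, services=("smtp", "imap", "pop3")):
    """Map each mailbox to the services it is allowed to authenticate for."""
    users = [row[0] for row in conn.execute("SELECT username FROM mailbox")]
    return {u: [s for s in services if can_authenticate(conn, u, s)] for u in users}


if __name__ == "__main__":
    for user, allowed in access_matrix(build_db()).items():
        print(f"{user}: {', '.join(allowed) or 'none'}")
```

LOCATE is a substring match, so the clause gives exact per-service results here because none of the three service names (smtp, imap, pop3) is contained in another.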
You can also read the following Dovecot pages: