Author Topic: How to restrict SMTP client IP address in Roundcube  (Read 4301 times)

Offline andreyakub

« on: February 02, 2015, 04:47:25 AM »
I set up an internal email server for our company. This setup includes postfix + dovecot (for both IMAP/POP3 access and authentication) + MySQL + Postfixadmin. I also set up Roundcube webmail on the same server to let users access their mailboxes via the web. Users access their accounts either through Roundcube or through desktop client applications such as MS Outlook or Mozilla Thunderbird.
Both SMTP and IMAP/POP3 authentication are done by Dovecot. Each user is allowed to authenticate only from his/her specific IP address/IP range. I use the allow_nets option in Dovecot to define the allowed IP ranges for each user. Here is my password query in the Dovecot configuration file:

password_query = SELECT username AS user,password, rip AS allow_nets, \
      CONCAT('/home/vmail/mailbox/', maildir) AS userdb_home, 502 AS userdb_uid, 502 AS userdb_gid \
      FROM mailbox \
      WHERE username = '%u' AND active='1'


Here is the "rip" field value for a sample user:
rip='10.1.10.1'.
This lets the user log in only from the 10.1.10.1 IP address.

This configuration works fine when users use desktop client applications such as MS Outlook to access their email accounts from their own IP address. The problem starts when a user wants to use Roundcube webmail, since he/she then accesses the account from Roundcube's IP address, which is '127.0.0.1', and not from the user's IP address. If I add '127.0.0.1' to allow_nets, the IP restriction becomes meaningless, since everybody can access any account through Roundcube from any IP address.
I googled for a solution and found the dovecot-ident plugin (https://github.com/corbosman/ident) for Roundcube, which adds x-originating-ip to the IMAP ID. I added this plugin to my Roundcube. Now Roundcube authenticates over IMAP using the user's real IP and not the localhost IP, so a user can log in and access his/her account.
Here is a log entry for an IMAP login:

Feb  1 09:21:44 mailserver dovecot: imap-login: Login: user=<mike@example.net>, method=PLAIN, rip=10.1.10.1, lip=127.0.0.1, mpid=11342, secured


Now the problem is with sending emails. The dovecot-ident plugin does not work for SMTP authentication. It works only for IMAP authentication. SMTP authentication still uses the Roundcube IP to authenticate.
Here is a log entry for an SMTP login:

Feb  2 09:39:09 mailserver dovecot: auth: Debug: client in: AUTH#0111#011LOGIN#011service=smtp#011nologin#011lip=127.0.0.1#011rip=127.0.0.1

As you can see, the remote IP address is '127.0.0.1' and not the user's real IP address, which is '10.1.10.1'.

Is there any way I can force SMTP authentication to use the user's real IP address and not the Roundcube localhost address?
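
The situation described in the post, as an added example that is not part of the original post: this Python script parses the two log lines quoted above, extracts the rip Dovecot saw for each service, and evaluates it against an allow_nets value. The function names and the comma-separated matching in allowed() are assumptions made for illustration, a simplified model rather than Dovecot's own code.

```python
import ipaddress
import re

# The two log lines quoted in the post above.
SAMPLE_LOG = [
    "Feb  1 09:21:44 mailserver dovecot: imap-login: Login: user=<mike@example.net>, "
    "method=PLAIN, rip=10.1.10.1, lip=127.0.0.1, mpid=11342, secured",
    "Feb  2 09:39:09 mailserver dovecot: auth: Debug: client in: AUTH#0111#011LOGIN"
    "#011service=smtp#011nologin#011lip=127.0.0.1#011rip=127.0.0.1",
]

def parse_rip(line):
    """Return (service, rip) from a Dovecot login or auth-debug line, else None."""
    if "client in: AUTH" in line:
        # syslog writes the tab separators of the auth request as #011
        fields = line.split("client in: ", 1)[1].replace("#011", "\t").split("\t")
        kv = dict(f.split("=", 1) for f in fields if "=" in f)
        if "rip" in kv:
            return kv.get("service", "?"), ipaddress.ip_address(kv["rip"])
        return None
    m = re.search(r"dovecot: (\w+)-login: Login: .*?\brip=([0-9a-fA-F.:]+)", line)
    return (m.group(1), ipaddress.ip_address(m.group(2))) if m else None

def allowed(rip, allow_nets):
    """Simplified model (assumption): rip must fall inside one comma-separated entry."""
    nets = [ipaddress.ip_network(n.strip(), strict=False)
            for n in allow_nets.split(",") if n.strip()]
    return any(rip in net for net in nets)

def audit(lines, allow_nets):
    """List each auth event with its rip, whether it is loopback, and the verdict."""
    report = []
    for line in lines:
        parsed = parse_rip(line)
        if parsed:
            service, rip = parsed
            report.append((service, str(rip), rip.is_loopback, allowed(rip, allow_nets)))
    return report

if __name__ == "__main__":
    for nets in ("10.1.10.1", "10.1.10.1,127.0.0.1"):
        print("allow_nets =", nets)
        for service, rip, loopback, ok in audit(SAMPLE_LOG, nets):
            note = "  <- checked against the webmail host, not the user" if loopback else ""
            print(f"  {service:5} rip={rip:10} allowed={ok}{note}")
```

Run over a real mail log, any event reported with a loopback rip is one where the per-user restriction was evaluated against the webmail host rather than the person logging in.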