Author Topic: Blacklist accounts locally, not globally.  (Read 1370 times)

Offline CubaLindsell

  • Newbie
  • *
  • Posts: 1
Blacklist accounts locally, not globally.
« on: December 12, 2019, 11:09:49 AM »

We have a Roundcube install fronting our POP/IMAP cluster using an LDAP backend for account information.
As with other ISPs we have found that many of our users have had their accounts compromised, probably by Windows malware or wifi sniffing.
Consequently we are being abused by those nice people in Lagos.

Rather than disable the account in LDAP and therefore stop the customer's email entirely, we would rather just block them in Roundcube as many of them do not use webmail at all.  The POP/IMAP accounts may also be used to authenticate into a user portal or ticket system.

I have created a new table, 'blacklist':

# mysql -sr -uroot -p -e "describe blacklist"
Field   Type            Null    Key     Default Extra
name    varchar(128)    YES             NULL

The blacklist contains all the mail accounts from our LDAP that have not made a POP/IMAP login during the last 12 months.
Others may have a different idea on populating the blacklist but that works for us.

So the general idea is to disable the account in Roundcube by subverting their password at login.

In /var/www/eclipse/program/lib/Roundcube/rcube-imap.php,
line 155, insert:

// We block access to any account in the blacklist table by nobbling their password as they try to login.
            $sqluser = "<unset>";       // These should come from $config['db_dsnw'] in
            $sqlpass = "<unset>";
            $db = "<unset>";
            $conn = new mysqli('localhost', $sqluser, $sqlpass, $db);
            // Bind $user as a parameter instead of interpolating it into the SQL string.
            if ($stmt = $conn->prepare("SELECT name FROM blacklist WHERE name = ?")) {
                $stmt->bind_param('s', $user);
                $stmt->execute();
                $stmt->store_result();
                if ($stmt->num_rows > 0) {
                        $pass = "Black_Listed";
                }
                $stmt->close();
            }
            $conn->close();

line 200, insert:

// Log the blacklist action so if a user complains they cannot login, support team can check logs.
                if ( $pass == "Black_Listed" ){
                        // Blacklisted accounts get their own message; no IMAP error text is appended here.
                        $message = sprintf("User %s [ from %s ] found in blacklist, access denied.", $user, rcube_utils::remote_ip());
                } else {
                        $message = sprintf("Login failed for %s from %s. %s", $user, rcube_utils::remote_ip(), $this->conn->error);
                }

Could this idea or similar be in a newer Roundcube release?

As you can tell, I am not a PHP programmer, specifically how to do the db connect properly in the Roundcube code style. Any help with that would be appreciated.

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,621
Re: Blacklist accounts locally, not globally.
« Reply #1 on: December 13, 2019, 01:26:58 PM »
This could be done with a plugin and wouldn't be added into the core of Roundcube.
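
A sketch of the plugin approach suggested in the reply, added here as an example; it is not code from either poster or from the Roundcube project. The plugin name local_blacklist and the log name 'blacklist' are hypothetical, and it assumes the 'blacklist' table from the first post lives in the same database Roundcube already uses, so no separate credentials are needed.

```php
<?php
// plugins/local_blacklist/local_blacklist.php
// Hypothetical plugin name. Assumes the 'blacklist' table (column 'name')
// described in the first post is in Roundcube's own database.
class local_blacklist extends rcube_plugin
{
    // Only load this plugin for the login task.
    public $task = 'login';

    public function init()
    {
        // 'authenticate' fires before Roundcube attempts the IMAP login.
        $this->add_hook('authenticate', array($this, 'check_blacklist'));
    }

    public function check_blacklist($args)
    {
        // Reuse Roundcube's existing connection (configured via db_dsnw).
        $db = rcmail::get_instance()->get_dbh();

        // The "?" placeholder keeps the submitted username out of the SQL text.
        $res = $db->query(
            'SELECT name FROM ' . $db->table_name('blacklist') . ' WHERE name = ?',
            $args['user']
        );

        if ($res && $db->fetch_assoc($res)) {
            // Written to its own log file so support can look up refused logins.
            rcube::write_log('blacklist', sprintf(
                'User %s [ from %s ] found in blacklist, access denied.',
                $args['user'], rcube_utils::remote_ip()
            ));
            // Stop here: the password is never sent to the IMAP server.
            $args['abort'] = true;
        }

        return $args;
    }
}
```

The plugin is enabled by adding 'local_blacklist' to the plugins array in the Roundcube config. If the blacklist query itself fails, this sketch lets the login proceed to normal IMAP authentication.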