Roundcube Community Forum

 

associating usernames with geo location using maxmind database

Started by carlatpg99, June 14, 2024, 06:18:24 AM


carlatpg99

I'd like a way to specify using either a plugin or as part of roundcube itself.

When someone attempts to login, I want to do the following:


  • Check their ip address against maxmind database.  Currently it is available in the file format of GeoLite2-City.mmdb.
  • Get their country code, state, and possibly the city.
  • Check against the username they are trying to login as against the country code, state, and city matches against the country code, state, and city they are allowed to login from.
  • If they are allowed to login from that location, attempt to log them in.  Then they can either be logged in if the correct password is sent or not.
  • If they are not allowed to login, show an error message.

Currently the way I am protecting it is by limiting which ip addresses can connect using the maxminddb module for apache based on the geolocation their ip address is coming from.  I also have the roundcube rcguard plugin enabled with a captcha required before you can login.

SKaero

That could be done with a plugin. Take a look at the autologon plugin that comes with Roundcube: https://github.com/roundcube/roundcubemail/blob/master/plugins/autologon/autologon.php

While you don't need the autologon part of the plugin, you can see how you could use the authenticate hook to set "valid" to false if the lookup doesn't allow them to login.
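The authenticate-hook approach from the reply above, combined with the per-user location check from the first post, as an added example that is not part of the thread and not Roundcube's own code. The plugin name `geo_login`, the config keys `geo_login_rules` and `geo_login_mmdb`, and the rule layout are assumptions; it also assumes MaxMind's `geoip2/geoip2` PHP package is available through Roundcube's composer autoloader.

```php
<?php
// Added example: hypothetical "geo_login" plugin. Config keys geo_login_rules and
// geo_login_mmdb are assumptions; needs geoip2/geoip2 in Roundcube's composer autoload.
use GeoIp2\Database\Reader;
class geo_login extends rcube_plugin
{
    public $task = 'login';
    public function init()
    {
        $this->load_config(); // reads this plugin's config.inc.php
        $this->add_hook('authenticate', [$this, 'authenticate']);
    }
    public function authenticate($args)
    {
        $cfg = rcmail::get_instance()->config;
        // Assumed layout (lowercase keys): ['user@example.com' => [['country' => 'US', 'state' => 'CA']]]
        $rules = (array) $cfg->get('geo_login_rules', []);
        try {
            // geo_login_mmdb is the path to GeoLite2-City.mmdb
            $rec = (new Reader($cfg->get('geo_login_mmdb')))->city(rcube_utils::remote_addr());
            $loc = ['country' => $rec->country->isoCode,
                    'state'   => $rec->mostSpecificSubdivision->isoCode,
                    'city'    => $rec->city->name];
        } catch (Throwable $e) {
            $loc = null; // address not in database or database unreadable: fail closed
        }
        if (!self::allowed(strtolower((string) $args['user']), $loc, $rules)) {
            $args['valid'] = false; // the flag the reply above says to clear
        }
        return $args;
    }
    // Users without a rule are denied; a field left out of a rule matches anything.
    public static function allowed($user, $loc, array $rules)
    {
        if ($loc === null || empty($rules[$user])) {
            return false;
        }
        foreach ($rules[$user] as $rule) {
            $ok = true;
            foreach (['country', 'state', 'city'] as $f) {
                if (isset($rule[$f]) && strcasecmp($rule[$f], (string) $loc[$f]) !== 0) {
                    $ok = false;
                }
            }
            if ($ok) { return true; }
        }
        return false;
    }
}
```

The check runs on the normal login page because the hook fires for every login attempt. Behind a reverse proxy, the address returned by `rcube_utils::remote_addr()` is only as trustworthy as the proxy configuration.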

carlatpg99

I found this on stack overflow: https://stackoverflow.com/questions/37674740/roundcube-autologon

But it isn't showing me how to restrict it to certain ip addresses or through where they are located using geoblocking using the maxminddb apache plugin.

This appears to require a form be filled in, in order for the plugin to work.  I'd want this done on the normal login page that roundcube uses.

carlatpg99

Does the autologon plugin not use a config file like other plugins use?

It doesn't have a config.inc.php in its directory /usr/share/roundcube/plugins/autologon

carlatpg99

I'll ask this another way.  How do I send the connecting ip address to the imap server?  I've already restricted the imap server to specific ip addresses and specific locations through geolocation.

JohnDoh

If you are running Dovecot then have a look at this plugin https://gitlab.com/takerukoushirou/roundcube-dovecot_client_ip which passes the client IP to Dovecot using X-Originating-IP, and there is a little information on how to configure Dovecot to use that.

Alternatively if you already have the restrictions in Apache why not restrict access to the site in the Apache config?
Roundcube Plugins: Contextmenu, SpamAssassin Prefs, and more...

carlatpg99

I am using hmailserver as my imap and smtp server.  Is sending X-Originating-IP and the ip address just another command as part of imap and smtp?

I already have restricted access through apache, but I want to restrict it on a per email address basis as each email address will have a different ip address restriction that includes using the maxmind db for geoblocking by setting an apache environmental variable indicating the ip address is from a country that is allowed.

carlatpg99

And attempting to use dovecot_ident, I'm getting this warning, which I think is preventing me from using it, as I do not see any x-originating-ip in the mail server logs for imap:

PHP Warning:  Undefined array key "ident" in /usr/share/roundcube/plugins/dovecot_ident/dovecot_ident.php on line 20

carlatpg99

Oh, I realized that I didn't change it to use the plugin that you specified. Now that I did that, the warning is gone.

However it is still not showing in the imap server logs the original ip address that is connecting to the apache server.  How is it sent over?