
In a fully-working email server (setup with iRedmail in this case) with RoundCube for webmail, and Dovecot/Postfix/etc, how can you disable external client connections to IMAP/SMTP/POP3 and make the server webmail-only for email? I believe Roundcube connects directly to Dovecot for user authentication when logging in, so this makes it tricky.

I tried updating the Dovecot SQL query in `/etc/dovecot/dovecot-mysql.conf` to reject all IMAP requests if the remote IP address is not the server which hosts Roundcube webmail (e.g. 127.0.0.1). Sample SQL query:

```
# Original SQL query in dovecot-mysql.conf:
#user_query = SELECT ... FROM mailbox,domain WHERE ...
# Modified:
user_query = SELECT ... FROM mailbox,domain WHERE ... AND '%r' = '127.0.0.1'
```

But this locked all users out from RoundCube login. Removing it (and restarting dovecot service) instantly allowed login again. Is there another way?

rcd
  • Firewall, just like you would block any other type of traffic. –  Dec 13 '13 at 23:09
  • or return the [allow_nets](http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets) extra field from your `passwd_query` – Gryphius Dec 14 '13 at 05:25
  • Unfortunately, blocking the firewall also means the server can't receive/send mail from the outside world (from mail servers); at least with SMTP. Though this might work with IMAP – rcd Dec 22 '13 at 21:18

1 Answer

Does it work to put `listen = 127.0.0.1` in `/etc/dovecot/dovecot.conf`?

Also, in roundcube.conf, make sure you have

```
$rcmail_config['default_host'] = '127.0.0.1';
```

instead of pointing to a hostname, which can resolve to a different IP address and so be denied.

Andrew Schulman
  • Thank you for the help. The `listen = 127.0.0.1` did lock out external client connections and allow RoundCube to continue working, but then the server could not receive inbound mail (local delivery worked, but delivery from elsewhere on the internet failed completely; removing it allowed external (from another domain/server) incoming mail to be delivered). – rcd Dec 15 '13 at 18:55
  • You have to tell IMAP from SMTP. SMTP **should** be accessible at least from localhost and your MX. If you restrict access to the SMTP/Postfix from localhost only - no one can send you the message from outer space. – Kondybas Jan 07 '14 at 21:24
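
Added example (not part of the original thread): a check of the distinction drawn in the comments above, that IMAP/POP3 should be bound to loopback for Roundcube while SMTP port 25 stays reachable for inbound delivery. It parses `ss -ltnH` output; the sample lines, port lists and function names are constructed for illustration, and it inspects bind addresses only, not firewall rules.

```python
"""Audit listeners: IMAP/POP3 loopback-only, SMTP 25 still public."""
import ipaddress

# Ports Roundcube reaches over loopback; external clients should not see them.
LOCAL_ONLY = {110: "pop3", 143: "imap", 993: "imaps", 995: "pop3s"}
# Port that other mail servers must still reach for inbound delivery.
MUST_BE_PUBLIC = {25: "smtp"}

# Constructed sample of `ss -ltnH` output (assumption, not from the thread).
SAMPLE_SS = """\
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 100 127.0.0.1:143 0.0.0.0:*
LISTEN 0 100 0.0.0.0:993 0.0.0.0:*
LISTEN 0 100 [::]:995 [::]:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Yield (ip, port) for each LISTEN line of `ss -ltnH`."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets / zone id
        if host == "*":                         # ss wildcard: all addresses
            host = "::"
        yield ipaddress.ip_address(host), int(port)

def audit(ss_output):
    """Return a list of findings; an empty list means the layout is as intended."""
    findings, public_seen = [], set()
    for ip, port in parse_listeners(ss_output):
        if port in LOCAL_ONLY and not ip.is_loopback:
            findings.append(f"{LOCAL_ONLY[port]} ({port}) exposed on {ip}")
        if port in MUST_BE_PUBLIC and not ip.is_loopback:
            public_seen.add(port)
    for port, name in MUST_BE_PUBLIC.items():
        if port not in public_seen:
            findings.append(f"{name} ({port}) not reachable from outside")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SS):
        print(finding)
```

On a live host, feed it the real listener table instead of the sample, for example by passing the output of `ss -ltnH` to `audit()`.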