
restrict to webmail only

benbroad

Guest
Hi, we have a new project on the go that requires the users to be able to access their mail via webmail but not from an email client. With the exception of our office here.

How should we set up the firewall so that the webmail system works but only we have access using Thunderbird?

All ideas welcomed.

b.
 
Not certain why you would want to do this, but you should be able to simply block port 110 from all IPs except your local network, and the server IP/IPs. Webmail clients would be able to access the server through port 80 and your local system would authenticate through port 110 as usual.
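
The port restriction suggested in the reply above, as an added example that is not part of the original thread. It assumes the server's firewall is iptables; the function names and the addresses in the usage comment (documentation ranges) are made up for illustration, and it goes beyond port 110 to cover the other client retrieval ports.

```shell
#!/bin/sh
# Added example: prints iptables rules that limit mail-client retrieval ports
# to an office network while leaving webmail (80) and inbound SMTP (25) alone.
# Usage (constructed addresses): sh this_script 203.0.113.0/24 198.51.100.10
# Review the output first, then pipe it to sh as root to apply it.

# 110 is the port named in the thread; 143/993/995 (IMAP, IMAPS, POP3S) are an
# assumption added here so a client cannot simply switch protocol.
CLIENT_PORTS="110,143,993,995"

# Shape check only: dotted-quad IPv4 with an optional /0-32 prefix.
is_ipv4() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# mail_client_rules OFFICE_CIDR SERVER_IP
mail_client_rules() {
    office="$1"; server="$2"
    for a in "$office" "$server"; do
        is_ipv4 "$a" || { echo "invalid address: $a" >&2; return 1; }
    done
    m="-p tcp -m multiport --dports $CLIENT_PORTS"
    # Webmail runs on the server itself and reaches POP3/IMAP over loopback
    # or the server's own address, so both must stay allowed.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT $m -s $server -j ACCEPT"
    # The office network keeps mail-client (Thunderbird) access.
    echo "iptables -A INPUT $m -s $office -j ACCEPT"
    # Every other source is refused, on the client ports only.
    echo "iptables -A INPUT $m -j REJECT --reject-with tcp-reset"
}

if [ "$#" -eq 2 ]; then
    mail_client_rules "$1" "$2"
fi
```

Because `-A` appends, these rules only take effect if no earlier INPUT rule already accepts the same ports. They restrict who can collect mail with a client and do nothing about sending through port 25.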
 
Mine is not to reason why. The client has a large number of employees who work off site. It wants them to be able to use webmail but not to allow email client / external access to prevent "misuse". Still, interesting challenge though.

I think it was the fear of other people sending emails through their server that they were most afraid of.

Thanks for your help.
 
Certainly a challenge. If the intent is to keep outside sources from sending through the server, blocking port 110 won't help at all. It would only keep the users from checking mail. Unfortunately, you can't do the same for port 25 (well you could, but then you wouldn't be able to receive any email from outside the network, probably less desirable).

Technically, other users wouldn't be able to send mail through the server, without authenticating on the server anyway (of course in practice we know that systems can be hacked, abused, etc).

Hopefully someone who's used the system longer than myself will have some additional insight, but I can't think of any good way to reject attempts at sending through the server without blocking the necessary port 25.

Good Luck,
 
I had a feeling that might be the answer.

I have enabled "Only use of full POP3/IMAP mail accounts names is allowed" and we can put something in place to make sure the passwords are sufficiently strong.

I think that may have to do.
 
Maybe there is light at the end of the tunnel.... It looks like it may be possible to only allow relaying from localhost - so sending mail is fine, but still allowing incoming mail from anywhere. I will keep you posted in case anyone else ever has to do this bizarre setup.
 
If you are referring to the one on "that grants relay access to users with valid POP3 accounts, regardless of the network address they come in on.", then this is already true if you have set Plesk properly:

Server -> Mail
Under 'Relaying', set it for 'authorization is required', only put checkmark in 'SMTP' (not POP).

Passwords: On the same screen, put a checkmark in 'Check the passwords for mailboxes in the dictionary'

And select 'Only use of full POP3/IMAP mail accounts names is allowed'.

Nothing will really help if the server gets hacked / rooted since then they could create legitimate accounts to send mail through... To help protect against this, you should check into using ART's (atomicrocketturtle) ASL (atomic secured linux) project, or at the very least mod_security.

Also keep all app packages (such as phpBB) up to date to minimize email abuse via susceptible scripts.
 
No, I know how to "grants relay access to users with valid POP3 accounts, regardless of the network address they come in on". I have done that for our other servers and I am happy with our general security.

Like I say, our client has specified that they only want their employees to use their email via the webmail system. The only exception will be our office here.
 