Authentication limited by IP
Idea shared by Paul White - 7/22/2015 at 7:26 PM
Here is what I need. I need the ability to limit the IPs allowed for authentication on POP, IMAP and SMTP on a user-by-user basis. Example: Let's say I have the email dave@davesdomain.com. I should be able to limit only the IPs and maybe to be able to authenticate under his account. Or even set limits for the whole domain. I need to be able to specify exact IPs, or even blocks or ranges (similar to firewall settings). I know this is not a perfect solution to security, but limiting the IPs to connect to a given account greatly reduces the exposure to dictionary attacks. Also some security settings that would automatically add IPs to the global block list when they attempt to authenticate as a user who should not be connecting from that IP. I don't want to hear the whole "force more complex passwords" answer either. Been there. It doesn't matter when users tend to use the same complex passwords across multiple sites.

2 Replies

I'm not sure you have thought this completely through. Even if this were possible, it is not practical.
Your users are going to want to check their email other than their home and work IP. What are they going to do when they are in Starbucks and miss a big email, because you have the IP limited? They are going to be pissed. Or they hire a new employee, and he cannot connect from his house?
I believe the way to handle this is with the tools SM already has. Setting the timeout periods for authentication failures, and blocking IPs for longer periods of time for the same thing. This page also has good protocol settings.
I don't think this is possible, as the IP isn't part of the authentication. I could be wrong on this. Might be able to be done in IIS but I can't imagine how, yet I am not really a server admin.
Did you encounter a specific incident that would make you want to do this? Did you have an email account get hacked? Did you get blacklisted? Do you use a gateway server in and/or out? I would say you keep your cool, and listen to the others on this board for advice. Good luck!
Remember kids, every time a spam message gets blocked, a nerd gets their glasses. spamhurts/July 15
I am well aware of the issue with users wanting to get their email from everywhere, but some of these email addresses are only used in an office environment, and/or a very limited number of IPs. I have had too many times where accounts get compromised, and it tends to be the same users each time. Even nicer would be to add allowed hostnames, that way RDNS could be used on the IP to verify what network it was on.
WhiteSites.com Blog.whitesites.com
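
The policy requested in the original post (per-account or per-domain allow lists made of exact IPs, blocks or ranges, plus automatic block-listing of addresses that try an account they are not allowed to use), sketched as an added example that is not code from any poster or from the mail server under discussion. The names `POLICY`, `process` and `threshold`, the rule syntax and the sample attempts are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed policy: an account entry overrides its domain entry ("@domain").
# A rule is an exact IP, a CIDR block, or a "first-last" range.
POLICY = {
    "dave@davesdomain.com": ["203.0.113.10", "198.51.100.0/24"],
    "@davesdomain.com": ["192.0.2.1-192.0.2.50"],
}

def parse_rule(rule):
    """Expand one rule string into a list of ip_network objects."""
    if "-" in rule:
        first, last = (ipaddress.ip_address(p.strip()) for p in rule.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(rule, strict=False)]

def is_allowed(user, ip, policy=POLICY):
    """True if no rule covers the account, or the source IP matches a rule."""
    user = user.lower()
    rules = policy.get(user, policy.get("@" + user.rpartition("@")[2]))
    if rules is None:
        return True  # no account or domain rule: unrestricted
    addr = ipaddress.ip_address(ip)
    return any(addr in net for rule in rules for net in parse_rule(rule))

def process(events, policy=POLICY, threshold=1):
    """Decide each (protocol, user, ip) attempt before any password check."""
    strikes, blocklist, decisions = defaultdict(int), set(), []
    for _proto, user, ip in events:
        ip = str(ipaddress.ip_address(ip))  # normalise the textual form
        if ip in blocklist:
            decisions.append("blocked")
        elif is_allowed(user, ip, policy):
            decisions.append("check-password")
        else:
            strikes[ip] += 1
            if strikes[ip] >= threshold:  # hypothetical strike limit
                blocklist.add(ip)
            decisions.append("rejected")
    return decisions, blocklist

# Constructed attempts, using documentation address ranges only.
EVENTS = [
    ("IMAP", "dave@davesdomain.com", "198.51.100.77"),  # inside dave's /24
    ("SMTP", "dave@davesdomain.com", "192.0.2.20"),     # office range, not dave's rule
    ("POP", "amy@davesdomain.com", "192.0.2.20"),       # same address, now block-listed
    ("POP", "amy@davesdomain.com", "192.0.2.21"),       # inside the domain range
    ("IMAP", "bob@example.org", "203.0.113.99"),        # no rule for this domain
]
```

The third attempt shows the cost of block-listing on the first violation: one disallowed login from a shared office address also locks out an account that was permitted to use it, so a higher `threshold` or a per-account block may be preferable to a global one.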
