LinuxQuestions.org


devan1p 05-31-2006 07:55 PM

blocking pop3 account
 
How can I block a user from accessing his pop3 account? Is it through iptables or is there some other way?

joseph 05-31-2006 10:17 PM

You can try to use iptables with a line something like this:

iptables -A INPUT -p tcp -i eth0 -s 192.168.0.xxx/32 --dport 110 -j DROP

where eth0 is your ethernet which serves the connection from your user and 192.168.0.xxx is the IP address of your user.

Hope this helps you

Thanks

withjigs 05-31-2006 11:03 PM

But that would drop all incoming POP3 requests... and not a particular user... I guess one can disable the user's Linux account... but I am not sure.

joseph 05-31-2006 11:14 PM

Quote:

Originally Posted by withjigs
But that would drop all incoming POP3 requests... and not a particular user... I guess one can disable the user's Linux account... but I am not sure.

Nope, that will only drop a connection from a specified IP.
That means only the user who has IP address 192.168.0.xxx will be rejected by the mail server.

Note:
Change xxx to your user's IP.

osor 05-31-2006 11:15 PM

Quote:

Originally Posted by withjigs
But that would drop all incoming POP3 requests... and not a particular user...

Correct, he should have used the output chain... and that's why the nice people at netfilter created the owner matching module:

Code:

iptables -A OUTPUT -p tcp --dport 110 -m owner --uid-owner 500 -j LOG --log-prefix 'Joe unable to get mail. '
iptables -A OUTPUT -p tcp --dport 110 -m owner --uid-owner 500 -j DROP


osor 05-31-2006 11:20 PM

Quote:

Originally Posted by joseph
Nope, that will only drop a connection from a specified IP.
That means only the user who has IP address 192.168.0.xxx will be rejected by the mail server.

Note:
Change xxx to your user's IP.

I see. I think there is a fundamental difference in how we are interpreting the OP question. If you have a POP server (from which you want to deny traffic to someone), we would use your method. The thing is, if you are running a POP server, it would be much easier to disable that user's account from the server.

The other situation is a machine with many users, one of whom needs denial to port 110. In that case my way works.

osor 05-31-2006 11:22 PM

Oh now I see what joseph means. He is putting the filter on a firewall/gateway of an internal LAN to block access from a specific LAN member. Sorry about that. I think the OP should have been more specific.

paul_mat 05-31-2006 11:26 PM

The other option, of course, and something I would consider easier: edit the PAM module to disallow all users in a text file.

Here is mine. It's not right, but it'll give you an idea:

auth sufficient pam_pwdb.so
account sufficient pam_pwdb.so
account required pam_listfile.so onerr=fail file=/etc/postfix/usernames item=user sense=allow
account required pam_winbind.so
auth required pam_winbind.so

That is my /etc/pam.d/dovecot file, which says:

Do you have a local account? If yes, you're in.
Do you have a winbind account? If yes, you go to the next.
Are you in the text file? If yes, you're in.

You'd just want to change it to:

Are you in the text file? If yes, you're out.

I think this would do it:

auth required pam_listfile.so item=user sense=deny file=/etc/bad.pop3 onerr=succeed
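
An added example, not part of paul_mat's post: with `sense=deny ... onerr=succeed`, a `/etc/bad.pop3` that cannot be opened lets every user through, and the pam_listfile documentation requires the file to be a plain file that is not world-writable. The helper functions below (hypothetical names; the list path is passed as an argument, which is an assumption made so they can be tried on a scratch file) keep the deny list in that state.

```sh
#!/bin/sh
# Added example: maintain the deny list read by
#   auth required pam_listfile.so item=user sense=deny file=/etc/bad.pop3 onerr=succeed
# Function names are hypothetical. The list path is an argument so the
# functions can be exercised on a scratch file before touching /etc/bad.pop3.

# listfile_ok FILE: succeed only if FILE is a plain file, not a symlink,
# and not world-writable (the state pam_listfile expects).
listfile_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ -z "$(find "$1" -prune -perm -0002)" ]
}

# is_blocked FILE USER: succeed if USER appears as a whole line in FILE.
is_blocked() {
    [ -r "$1" ] && grep -Fxq -- "$2" "$1"
}

# block_user FILE USER: add USER once, creating FILE (mode 0644) if needed.
block_user() {
    file=$1 user=$2
    # Reject empty names and names containing whitespace or '/'.
    case $user in
        ''|*[[:space:]/]*) echo "invalid user name" >&2; return 2 ;;
    esac
    if [ ! -e "$file" ]; then
        ( umask 022; : > "$file" ) || return 1
    fi
    listfile_ok "$file" || { echo "$file: unsafe type or mode" >&2; return 1; }
    is_blocked "$file" "$user" || printf '%s\n' "$user" >> "$file"
}

# unblock_user FILE USER: remove USER's line, keeping FILE's inode and mode.
unblock_user() {
    file=$1 user=$2
    listfile_ok "$file" || return 1
    tmp=$(mktemp) || return 1
    # grep exits 1 when no lines remain; only exit 2 is a real error.
    grep -Fxv -- "$user" "$file" > "$tmp" || [ $? -eq 1 ] || return 1
    cat "$tmp" > "$file"; rc=$?
    rm -f "$tmp"
    return $rc
}
```

Whole-line matching (`grep -Fx`) matters here: a substring match would treat `jo` as blocked because `joe` is listed.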

