Plugins: Access Permissions
You must configure your email services to make use of access permissions. See below for implementation details.
Access restrictions is a system plugin and is enabled by default via application.ini:
vimbadmin_plugins.AccessPermissions.disabled = false
Some administrators may want to control which services their users can access (smtp, pop3, imap). For example, you may wish to force your users to use either POP3 or IMAP for various reasons:
- force low value / non-critical / high-volume users to POP3 to save disk space;
- force internal / high value customers to IMAP to ensure their mail remains on the server where it may be part of a corporate backup procedure.
The actual implementation of this is very much mail server dependent. An example implementation is provided for Dovecot 2; we would appreciate the equivalent documentation for other servers to add to this page.
Firstly, the default access restriction setting for all users is ALL, which means that they can access all available services. You can configure which services are available in the application.ini file. The default is:
; specify the options which should be allowed for access restrictions
vimbadmin_plugins.AccessPermissions.type.SMTP = "SMTP"
vimbadmin_plugins.AccessPermissions.type.IMAP = "IMAP"
vimbadmin_plugins.AccessPermissions.type.POP3 = "POP3"
which will display checkboxes containing SMTP, IMAP, etc. to the administrator and enter a comma separated list of the selected services into the access_restriction field of the mailbox table, such as smtp,imap (meaning the user can access (authenticate for) smtp and imap but not pop3).
The access restrictions are implemented during user authentication with the SQL backend. A typical ViMbAdmin authentication configuration would be:
password_query = SELECT username as user, password as password FROM mailbox WHERE username = '%u' AND active = '1'
To add access restriction to this, add the following clause to the end of the above:
AND ( access_restriction = 'ALL' OR LOCATE( '%Ls', access_restriction ) > 0 )
The above will result in a valid authentication for a given service (%Ls is the service name in lower case and for Dovecot is typically smtp, imap or pop3) if the user has no access restrictions (ALL) or if the service under consideration is one of the user's allowed services.
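The following is an added example, not part of ViMbAdmin or Dovecot: it runs the password_query with the access-restriction clause against a constructed mailbox table to show which services each user can authenticate for. SQLite's instr() stands in for MySQL's LOCATE() (an assumption, so the check runs offline), and the sample users, placeholder password values and function names are all constructed.

```python
import sqlite3

# password_query from this page plus the access-restriction clause.
# Assumption: SQLite's instr(haystack, needle) stands in for MySQL's
# LOCATE(needle, haystack); bound parameters replace Dovecot's %u and %Ls.
PASSWORD_QUERY = """
SELECT username AS user, password AS password
FROM mailbox
WHERE username = :user AND active = '1'
  AND ( access_restriction = 'ALL'
        OR instr(access_restriction, :service) > 0 )
"""

# Constructed sample rows: username, password placeholder, active, access_restriction
SAMPLE_MAILBOXES = [
    ("alice@example.com", "PLACEHOLDER-HASH-A", "1", "ALL"),
    ("bob@example.com", "PLACEHOLDER-HASH-B", "1", "smtp,imap"),
    ("carol@example.com", "PLACEHOLDER-HASH-C", "1", "smtp,pop3"),
    ("dave@example.com", "PLACEHOLDER-HASH-D", "0", "ALL"),  # inactive mailbox
]

def build_db():
    """Create an in-memory mailbox table holding only the columns the query uses."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE mailbox (username TEXT PRIMARY KEY, password TEXT,"
        " active TEXT, access_restriction TEXT)"
    )
    db.executemany("INSERT INTO mailbox VALUES (?, ?, ?, ?)", SAMPLE_MAILBOXES)
    return db

def can_authenticate(db, user, service):
    """True if the query returns a row, so the password check can proceed."""
    params = {"user": user, "service": service.lower()}  # %Ls is lower case
    return db.execute(PASSWORD_QUERY, params).fetchone() is not None

def access_matrix(db, services=("smtp", "imap", "pop3")):
    """Map every mailbox to the services its row lets it authenticate for."""
    users = [r[0] for r in db.execute("SELECT username FROM mailbox ORDER BY username")]
    return {u: [s for s in services if can_authenticate(db, u, s)] for u in users}

if __name__ == "__main__":
    for user, allowed in access_matrix(build_db()).items():
        print(f"{user:20} {','.join(allowed) or '(none)'}")
```

LOCATE() is a substring test, so an allowed value that merely contains the service name would also match; the three default names smtp, imap and pop3 do not overlap.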
You can also read the following Dovecot pages:
System plugins have a few differences from non-system plugins: any database schema required by them is part of the core; files and templates are all bundled with the main code.
This plugin is an example of that, where we rely on the mailbox.access_restrictions database column.
This plugin comprises three files:
application/plugins/AccessPermissions.php
library/ViMbAdmin/Form/Mailbox/AccessPermissions.php
application/views/mailbox/form/access-permissions.phtml
The functionality is all controlled via two hooks in application/plugins/AccessPermissions.php:
This adds the access permissions subform to the add / edit mailbox form.
All validation is encapsulated within the subform class.
This sets the database column appropriately.