Each Service in VPOP3 has an IP Access Restrictions tab. This tells VPOP3 which networks/computers can access this part of VPOP3, and, in some cases, which users can access this part of VPOP3 from which computers.
The basic functionality is the same for each service, but different services may be slightly difference. For instance, some services (SMTP and LDAP) can support anonymous usage as well as authenticated usage, so the IP Access Restrictions can be set to indicate which computers can access it anonymously. Other services (eg Finger) do not support authentication, so it is not possible to restrict access by user.
This page will describe the most functional IP Access Restrictions settings, with all the options, but the particular service you are using may not have the Allow Unauth or Users columns.
The Use Global Access Restrictions option tells VPOP3 to use the Access Restrictions set on the Global services page as well as the service-specific Access Restrictions. If either will block the connection, then the connection will be blocked. Generally this is turned off because it can cause confusion, but the option is there if you wish to use it.
The restriction table has four or more columns. In this case it has six columns, but the Allow Unauth and Users columns may not be relevant for the particular service you are configuring.
Restrict - this column tells VPOP3 whether to Allow or Block connections from the assigned computers.
Type - this indicates how the computers assigned to this rule are defined. These are described below.
Address - this usually indicates the host or network address for this rule.
Prefix - this indicates the CIDR prefix for the network for this rule (eg /24 is equivalent to a subnet mask of 255.255.255.0, /32 is a single IPv4 host, /128 is a single IPv6 host).
Allow Unauth - this indicates whether unauthenticated/anonymous access is allowed from the assigned computers. This option is only available if unauthenticated access is optional for a particular protocol - eg SMTP or LDAP.
Users - this indicates which users are allowed to access from the assigned computers. This defaults to all users. This option is only available when authentication is used for the protocol.
The entries in this table are processed in order from top to bottom, and the first entry which matches is used. Entries are sorted in this table automatically with more specific entries at the top, and less specific ones lower down. Note that when you edit or add a new entry, they are not sorted immediately, but if you reload the page after saving any changes, the sorted order will be displayed.
The Type column can be:
•Routers - this indicates the Default Gateway address(es) assigned to this computer. These are detected when VPOP3 starts up. Usually you will block access to these addresses since your router will not want to access your mail or send outgoing mail. Blocking access to your routers will NOT usually block access to remote users (unless your router is acting like a proxy server, which is rare).
•Local Networks - this indicates the local network(s) assigned to this computer. These are detected when VPOP3 starts up. The default configuration is that these are allowed. Note that VPOP3 can only detect local networks directly connected to the VPOP3 computer, not other local networks which may be accessed via a local router. The networks detected by VPOP3 are indicated below the access restrictions table in a section titled Detected Network Info.
•IPv4 Network/Host - this indicates a specified IPv4 network or host.
•IPv6 Network/Host - this indicates a specified IPv6 network or host.
•GeoIP Lookup - this indicates that the IP address should be looked up in a local database, and then checked against the specified data. Often this is used for blocking IP addresses using geolocation (eg in the above example, connections are not allowed from IP addresses in Russia or China). See the GeoIP Lookup topic for more information.
•Any IPv4 Host - this indicates any IPv4 host.
•Any IPv6 Host - this indicates any IPv6 host.
•Any Host - this indicates any IPv4 or IPv6 host.
To add a new restriction, press the Add button below the table. The remove one, select it, and press the Remove button. The Defaults button will remove all entries and replace them with a simple default setting (block routers & allow local networks).
To edit a restriction, double-click it.
You can choose all the options here. To select a single computer, type the IP address in the Network Address box and choose Single Host from the Subnet list. To select a network, type the network address (eg 192.168.1.0 in the Network Address box), and choose the appropriate subnet mask/CIDR prefix from the Subnet list.
Technical Note Note that the network address is not a valid IP address. For a 255.255.255.0 network, the last number should always be 0. In general, any binary digits (bits) in the network address after the CIDR prefix count are zeros, so in a /24 network (255.255.255.0) and bits after the first 24 bits are zeros, so if an IP address is 192.168.1.57, that is 1100 0000 1010 1000 0000 0001 0011 1001. By setting the bits after the first 24 bits to zeros, you get 1100 0000 1010 1000 0000 0001 0000 0000, which is displayed as 192.168.1.0 |
If you don't select any users from the Users list, then VPOP3 treats it as if all users have access.