Knowledgebase:
GeoIP Access Control for WebClient, IMAP, POP3, SMTP and /admin
Posted by Dayan D. Jeremiah, Last modified by Dayan D. Jeremiah on 18 September 2023 12:40 PM
For optimal email security and effective prevention of unauthorized account access resulting from compromised passwords, we strongly advise implementing GeoIP restrictions on WebClient, IMAP, POP3, SMTP and the /admin web-based administration page.

We offer a highly effective access restriction solution using IceWarp's Firewall and Account Login IP Restriction that limits access exclusively to specified IP Addresses and/or sub-nets. This proven method has been successfully deployed for numerous customers and can be implemented as follows:

1) Obtain and regularly update the country specific IP and sub-nets list from a reputable GeoIP provider, eg. http://www.ipdeny.com/ipblocks/data/countries/my.zone
2) Incorporate the obtained list into an IceWarp Pattern, eg. System > Advanced > Patterns > [GeoIP_MY]



3) Apply the created Pattern(s) to the desired service(s), eg. System > Services > General > Web > Access > Grant

(Apply the same Patterns to IMAP and POP3, DO NOT apply to SMTP (SMTP Restrictions will be managed by Login IP Restriction))



4) Apply the created Pattern(s) for All Users / Domains Login IP Restrictions, eg. Domains & Accounts > Policies > Login Policy > Login IP Restriction > Use account login IP restriction > [Login Restriction...] > *=[GeoIP_MY];[GeoIP_SG]



5) Restart ALL Services

By following these steps, you can significantly improve your access control measures and strengthen the security of your IceWarp environment.

The GeoIP based access grant can be implemented for the following scenarios:

- Country specific IP Addresses and/or sub-nets, eg. Malaysia, Singapore
- Your assigned Static Public IP Addresses and/or sub-nets
- Your assigned Internal IP Addresses and/or sub-nets
- Specific Public IP addresses and/or sub-nets used permanently or on an ad-hoc basis

Please note that SMTP services require the ability to receive connections from any IP address or sub-net, making it impossible to enforce Service Firewall-based access restrictions. Instead, SMTP access control will be managed using Login IP Restrictions.

Enforce strict IP and/or subnet authorization for accessing /admin
In order to guarantee that /admin is only exclusively accessed from authorized sources, entry to this web-based functionality will be confined to IP addresses and/or sub-nets that have been explicitly granted permission.



What you will need to proceed?

1) List of Countries to allow by default
2) List of Internal and Public IP Addresses and/or sub-nets you wish to grant access to WebClient, IMAP, POP3 and SMTP
3) List of Internal and Public IP Addresses and/or sub-nets you wish to grant access to /admin

For any additional information or assistance, please do not hesitate to reach out to our support team via email on support@icewarp.com.my
(0 vote(s))
Helpful
Not helpful