How to Specify Networks with MailAllowedServiceAccess Attribute? (Doc ID 2539999.1)

Last updated on DECEMBER 21, 2022

Applies to:

Goal

Attempting to restrict access to accounts by allowing only IMAPS and POP3S from permitted IPs by using the mailAllowedServiceAccess LDAP attribute.  Need to be able to allow access from IP addresses in a third party data center and deny access to all other services.

The syntax for the mailAllowedServiceAccess attribute does not appear to allow networks to be specified efficiently and the data center has several /23 and /24 netblocks that need to be permitted (approximately, 3000 IP addresses in total).

With the IP addresses having no reliable PTR records and not owning the IP, we can't rely on domain.  So we have no control over DNS.  It is unclear if the documentation for the mailAllowedServiceAccess attribute illustrates a method to specify IP ranges or CIDR blocks but in testing, it appears that IP address is acceptable. 

Is there an efficient method for specifying multiple IP addresses without having to list every single IP?

An attempt to use an asterisk ('*') as a wildcard in similar fashion to how it is used for mapping tables. As an example, to permit access to IMAPS and POP3S from xxx.xxx.xxx/23 where zzz.zzz.zzz/24 is the network where the MMPs reside:

+imaps,pops:xxx.xxx.xxx.* xxx.xxx.xxy.*$+imap,pop:zzz.zzz.zzz.*

In testing this does appear to work.  Is this an acceptable format?
 

Solution

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.