
MailAllowedServiceAccess With client.enableforcelogout Enabled, Does Not Allow For Selective IP Access (Doc ID 2743924.1)

Last updated on JANUARY 15, 2021

Applies to:

Oracle Communications Convergence - Version 3.0.2 and later
Information in this document applies to any platform.

Symptoms


With client.enableforcelogout enabled in Convergence, the LDAP option mailAllowedServiceAccess does not allow for selective IP access.

The client.enableforcelogout option was added so that access filters can be applied to Convergence much as they are for the other Oracle Messaging Server services; however, selective access cannot be applied.

For example, restricting http access to a specific IP address by adding +http:x.x.x.x to the mailAllowedServiceAccess LDAP attribute still permits access to Convergence from any host, not just the host permitted by the filter.

In the examples below, 192.x.x.x/16 is an internal network used for communication between Oracle Messaging Server (OMS) components, 10.x.x.x/8 is the network assigned to trusted clients, and 172.x.x.x/12 is the network assigned to non-trusted clients.

Example 1: +imaps,pops:10.x.x.x/8$+imap,pop:192.x.x.x/16
Result:
- Access is explicitly permitted to both imaps and pops via MMPs from 10.x.x.x/8
- Access is implicitly denied to both imaps and pops via MMPs from 172.x.x.x/12 (access control filter on user forbids connection)
- Convergence authentication succeeds from both 10.x.x.x/8 and 172.x.x.x/12 followed by forced logout (you are not authorized to access this application)

Example 2: +imaps,pops,http:10.x.x.x/8$+imap,pop:192.x.x.x/16
Result:
- Access is explicitly permitted to both imaps and pops via MMPs from 10.x.x.x/8
- Access is implicitly denied to both imaps and pops via MMPs from 172.x.x.x/12 (access control filter on user forbids connection)
- Convergence authentication succeeds from both 10.x.x.x/8 and 172.x.x.x/12 with full access to mail services

Example 3: +imaps,pops:10.x.x.x/8$+imap,pop:192.x.x.x/16$+http:10.x.x.y
Result:
- Access is explicitly permitted to both imaps and pops via MMPs from 10.x.x.x/8
- Access is implicitly denied to both imaps and pops via MMPs from 172.x.x.x/12 (access control filter on user forbids connection)
- Convergence authentication succeeds from both 10.x.x.y and 172.x.x.x/12 with full access to mail services


EXPECTED BEHAVIOR
-----------------------

Convergence is expected to deny access to non-trusted clients when access is implicitly denied by the mailAllowedServiceAccess LDAP attribute, in the same manner as the other OMS services.
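The following evaluator, added here as an illustration and not Oracle's code, computes the expected (not the observed) outcome of each example above: it parses a mailAllowedServiceAccess value into its "$"-separated filters, walks them in order, and returns the action of the first filter whose service list and network list both match, falling back to an implicit deny when any filter is present. The first-match-wins ordering, the "-" deny prefix and the ALL wildcard are assumptions about the attribute's general syntax, not something this article states; the concrete networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, host 10.0.0.7) are constructed stand-ins for the 10.x.x.x/8, 172.x.x.x/12, 192.x.x.x/16 and 10.x.x.y placeholders.

```python
"""Expected mailAllowedServiceAccess evaluation (added example, not Oracle code)."""
import ipaddress
from typing import List, Optional, Set, Tuple

# One parsed filter: action ('+' permit or '-' deny), services, networks.
# A network of None stands for the ALL wildcard (assumed syntax).
Rule = Tuple[str, Set[str], List[Optional[ipaddress.IPv4Network]]]


def parse_filters(value: str) -> List[Rule]:
    """Split a '$'-separated attribute value into (action, services, networks)."""
    rules: List[Rule] = []
    for clause in value.split("$"):
        clause = clause.strip()
        if not clause:
            continue
        action = clause[0]
        if action not in "+-":
            raise ValueError(f"filter must start with + or -: {clause!r}")
        svc_part, _, net_part = clause[1:].partition(":")
        services = {s.strip().lower() for s in svc_part.split(",") if s.strip()}
        networks: List[Optional[ipaddress.IPv4Network]] = []
        for net in net_part.split(","):
            net = net.strip()
            if not net:
                continue
            if net.upper() == "ALL" or net == "*":
                networks.append(None)
            else:
                # A bare host such as 10.0.0.7 becomes a /32 network.
                networks.append(ipaddress.ip_network(net, strict=False))
        rules.append((action, services, networks))
    return rules


def access_allowed(value: str, service: str, client_ip: str) -> bool:
    """Expected decision for one service from one client address.

    Assumption: filters are evaluated in order and the first one that names
    the service and contains the address decides; if filters exist but none
    match, access is implicitly denied (the behaviour the article expects).
    """
    rules = parse_filters(value)
    if not rules:
        return True  # no filter configured: nothing to restrict (assumption)
    ip = ipaddress.ip_address(client_ip)
    for action, services, networks in rules:
        if service.lower() not in services and "*" not in services:
            continue
        if any(net is None or ip in net for net in networks):
            return action == "+"
    return False  # implicit deny


# Constructed equivalents of the article's three example values.
EXAMPLE_1 = "+imaps,pops:10.0.0.0/8$+imap,pop:192.168.0.0/16"
EXAMPLE_2 = "+imaps,pops,http:10.0.0.0/8$+imap,pop:192.168.0.0/16"
EXAMPLE_3 = "+imaps,pops:10.0.0.0/8$+imap,pop:192.168.0.0/16$+http:10.0.0.7"

TRUSTED_CLIENT = "10.1.2.3"       # inside 10.0.0.0/8
UNTRUSTED_CLIENT = "172.16.5.5"   # inside 172.16.0.0/12
HTTP_HOST = "10.0.0.7"            # the single permitted http host in example 3


def expected_http_results() -> dict:
    """Expected http (Convergence) decisions for each example and client."""
    results = {}
    for name, value in (("ex1", EXAMPLE_1), ("ex2", EXAMPLE_2), ("ex3", EXAMPLE_3)):
        for label, ip in (("trusted", TRUSTED_CLIENT),
                          ("untrusted", UNTRUSTED_CLIENT),
                          ("http_host", HTTP_HOST)):
            results[(name, label)] = access_allowed(value, "http", ip)
    return results


if __name__ == "__main__":
    for key, allowed in sorted(expected_http_results().items()):
        print(f"{key[0]} http from {key[1]:>9}: {'permit' if allowed else 'deny'}")
```

Comparing the output with the "Result" lists above shows where Convergence diverges from the expectation: in examples 2 and 3 the untrusted client should be denied http, yet the article reports full access, and in example 3 only the single host 10.0.0.7 should pass the http filter.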


Changes

 

Cause
