GeoIP lookup in VPOP3's Service Access Restrictions can be used to specify that only IP addresses from certain countries can access VPOP3 services. Many people use this type of restriction to prevent access from countries commonly used by attackers.
In fact, the VPOP3 GeoIP facility isn’t limited to GeoIP data. Essentially it has a database which matches IP address ranges to a ‘tag’ and then you can check against the tags. A common use would be GeoIP – the tags would be country codes – but it could be used for other things as well. As the database is queried live, you could even update the database dynamically and have VPOP3 update its access restrictions automatically.
However, a common use is GeoIP, so that is what this article will describe.
The first thing is that VPOP3 does not include any GeoIP data. This is partly due to licensing restrictions of such data, and also because it often changes, and there are different sources.
So, to use the GeoIP facility, you need to obtain GeoIP data and import it into VPOP3.
One free GeoIP database source is GeoLite from Maxmind, so that is what this article will use. You need to decide what sort of data you will be checking against. For this example we will use the GeoLite Country database. You can also check against cities, or ASNs (essentially checking against Internet providers’ ranges).
For these steps you need the CSV database, so to download the GeoLite Country database, go to http://dev.maxmind.com/geoip/legacy/geolite/. At the bottom is a Downloads section, click on the Download link in the “CSV/zip” column for GeoLine Country. This file is about 1MB. Extract the CSV file from there to a temporary location (eg c:\temp).
If you want, you can open up this file to see what it contains. It will easily open in a text editor, or a spreadsheet program. Each line contains 6 columns. The first two are an IP address range – eg “18.104.22.168” to “22.214.171.124”. The second two columns are the same data but as a 32 bit integer rather than dotted IP addresses (it isn’t significant how these are calculated as we are going to ignore these). The fifth column contains the ISO country code for the country in question, eg ‘AU’ for Australia, or ‘GB’ for the United Kingdom. The sixth (last) column contains the name of the country/region, eg ‘Germany’ or ‘Russian Federation’. For our purposes we’ll be using the first two and fifth columns so we can link the IP address range to the country code.
What we need to do is import this data into the VPOP3 database.
We have created a tool you can download to import the data. It’s called VPOP3GeoImport and it is run from a command prompt. To use it, download the file from http://www.pscs.co.uk/downloads/vpop3/VPOP3ImportGeoIP.zip and extract into the VPOP3 installation directory. Then, from a command prompt run it as:
VPOP3GeoImport [options] importcsv <filename> 125
Normally you won’t need any options, but if you run “VPOP3GeoImport -?”, you will get a list of options available. (The ‘125’ at the end tells the program which columns to import, in this case, columns 1, 2 and 5).
This program will delete all existing data in the GeoIP database within VPOP3 and then add the data from the CSV file. Note that you do not need to stop VPOP3 while you perform this operation.
To use the GeoIP data, in the relevant VPOP3 Access Restrictions settings, select the GeoIP Lookup type in your access restriction, and enter the desired ‘tags’ in the Address box. In the case of the above country GeoIP data, the tags would be ISO country codes, eg US, GB, etc. To specify multiple tags to look for, you can separate them with commas or semicolons. The Access Restriction rule will match if any of the tags are matched.
The GeoIP data is stored in a database table called geoipv4. This has 4 columns:
•id – numeric primary key, assigned by the database
•addrfrom – IP address at the start of the range
•addrto – IP address at the end of the range
•result – the data to be retrieved if the searched IP address is within the range addrfrom <= address <= addrto
If multiple entries match the searched IP address, then each result will be checked against the specified access restrictions.