IP Access Restrictions
Control which IP addresses can access the CeyMail dashboard with allow and deny rules, CIDR ranges, and SSH recovery.
IP access restrictions let you control which IP addresses can reach your CeyMail dashboard. You can block specific IPs, restrict access to a known set of addresses, or combine both approaches with allow and deny rules.
Business feature
IP access restrictions are available on the Business plan and above.
Enabling restrictions
Navigate to Settings > Security and toggle IP Access Restrictions on. When disabled, all IP addresses can access the dashboard normally. When enabled, the system evaluates incoming requests against your rules and default policy.
Default policies
The default policy determines what happens to IPs that don't match any rule. Choose one of two modes:
Allow All (recommended for most setups)
All IPs can access the dashboard by default. Add deny rules to block specific addresses. Use this when you want to block a few known bad actors while keeping the dashboard generally accessible.
Deny All (strict mode)
All IPs are blocked by default. Add allow rules for each IP that should have access. Use this when you want maximum security and know exactly which IPs need access.
Switching to Deny All
When you switch to Deny All, your current IP is automatically added as an allow rule to prevent immediate lockout. Make sure you have SSH access to the server before enabling this mode, in case you need to recover access.
Adding rules
In the Add Rule section, specify:
| Field | Description |
|---|---|
| Type | Allow or Deny -- whether this rule permits or blocks the IP |
| IP / CIDR | A single IP address or a CIDR range (see below) |
| Label | Optional description (e.g., "Office network", "VPN exit") |
Rules take effect immediately after saving. You can have up to 200 rules.
CIDR notation
CIDR ranges let you allow or deny entire networks with a single rule instead of adding individual IPs:
| CIDR | Range | Use case |
|---|---|---|
| 203.0.113.5/32 | Single IP (203.0.113.5) | Allow one specific address |
| 203.0.113.0/24 | 256 IPs (203.0.113.0 -- 203.0.113.255) | Allow an office subnet |
| 10.0.0.0/8 | ~16 million IPs (10.x.x.x) | Allow a private network |
| 0.0.0.0/0 | All IPv4 addresses | Allow/deny everything |
Both IPv4 and IPv6 addresses are supported. IPv6 CIDR notation works the same way (e.g., 2001:db8::/32).
How rules are evaluated
When a request comes in, rules are evaluated in this order:
- Deny rules first -- if any deny rule matches the client IP, the request is blocked
- Allow rules second -- if any allow rule matches, the request is allowed
- Default policy -- if no rule matches, the default policy applies
This means deny rules always take precedence. If you have both an allow and a deny rule covering the same IP, the deny rule wins.
Safety features
Several safeguards help prevent accidental lockout:
- Localhost always has access -- requests from 127.0.0.1 and ::1 bypass all IP restrictions, so local server processes always work
- Auto-add on Deny All -- when switching the default policy to Deny All, your current IP is automatically added as an allow rule
- Deletion warnings -- when deleting an allow rule that protects your current IP while in Deny All mode, the system warns you before proceeding
- Rules survive license expiry -- if your Business license expires, existing IP rules remain enforced so your security posture doesn't silently degrade. You won't be able to add or modify rules until you renew, but existing rules keep working
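The evaluation order and the localhost bypass described above, as an added example that is not CeyMail's own code. The function names, the tuple format for rules, and the sample rule set are assumptions made for illustration; `locks_out` is a hypothetical preflight check modeled on the deletion warning.

```python
import ipaddress

# Addresses the page says bypass all restrictions.
LOOPBACK = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}

def _matches(ip, rules, kind):
    """True if any rule of the given kind ('allow' or 'deny') covers ip."""
    for rule_type, cidr in rules:
        net = ipaddress.ip_network(cidr, strict=False)
        if rule_type == kind and net.version == ip.version and ip in net:
            return True
    return False

def evaluate(client_ip, rules, default_policy):
    """Return 'allow' or 'deny' using the documented order.

    rules: list of (type, cidr) tuples; default_policy: 'allow' or 'deny'.
    """
    ip = ipaddress.ip_address(client_ip)
    if ip in LOOPBACK:                 # localhost always has access
        return "allow"
    if _matches(ip, rules, "deny"):    # 1. deny rules first
        return "deny"
    if _matches(ip, rules, "allow"):   # 2. allow rules second
        return "allow"
    return default_policy              # 3. default policy

def locks_out(current_ip, rules, default_policy, drop_index=None):
    """Preflight: would current_ip be denied, optionally after deleting
    the rule at drop_index? (Hypothetical helper, not a CeyMail API.)"""
    kept = [r for i, r in enumerate(rules) if i != drop_index]
    return evaluate(current_ip, kept, default_policy) == "deny"

# Constructed sample rule set using documentation address ranges.
RULES = [
    ("allow", "203.0.113.0/24"),   # office subnet
    ("deny",  "203.0.113.5/32"),   # one host inside that subnet
    ("allow", "2001:db8::/32"),
]

if __name__ == "__main__":
    for ip in ("203.0.113.5", "203.0.113.10", "198.51.100.7",
               "2001:db8::1", "127.0.0.1"):
        print(ip, evaluate(ip, RULES, "deny"))
```

Running a check like `locks_out` against a planned rule set before saving it shows whether your own address would still pass in Deny All mode.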
Your current IP
When restrictions are enabled, the dashboard displays your current IP address at the top of the Security tab. This is the IP that the server sees -- if you're behind a NAT, VPN, or proxy, it may differ from your local machine's IP. Use this displayed IP when creating allow rules for yourself.
Recovery
Locked out?
If you accidentally lock yourself out of the dashboard, you can recover access via SSH. No dashboard credentials are needed -- SSH access to the server is sufficient.
SSH recovery steps
- SSH into your server using your regular server credentials
- Run the recovery command:
  sudo ceymail ip-recover
- What it does:
  - Disables all IP access restrictions
  - Invalidates all active dashboard sessions (forces everyone to log in again)
  - Cleans up the restriction snapshot files
  - Writes an audit log entry recording the recovery
- Log back in to the dashboard and reconfigure your IP rules
The recovery takes effect immediately -- no server restart is needed. After running the command, you can access the dashboard from any IP address. Navigate back to Settings > Security to set up your rules again.
No restart required
The recovery command takes effect instantly. The dashboard middleware detects the cleared restrictions on the next request.