
Thread: Restricting external access

  1. #1
    EiZ
    EiZ is offline New Member
    Join Date
    Nov 2007
    Posts
    3
    Rep Power
    7

    Restricting external access

    Hello,

    I would like to restrict user access based on the following scheme :

    - if the client IP is from my internal network : full access granted
    - if the client IP is outside my internal network : access to web client and imap/pop proxy is restricted to a group of users.

    I plan to force the remote web access through a http reverse-proxy and put a zimbra-proxy in DMZ for remote imaps/pops access.

    So the access scheme can also be read this way :

    - if the client accesses the zimbra-apache server (which is only reachable from the internal network) : no restriction
    - if the client accesses the zimbra web client through the http reverse proxy OR if the client accesses the zimbra-proxy in DMZ : access is restricted to a specific group of users

    What is the best way to implement this policy ? Is there a way with COS ? Can PAM be used ? Must I rely on External Auth ?

    Thanks for your advice.

  2. #2
    uxbod is offline Moderator
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    24


    Or leave Zimbra as is and use IPTables (or some variant). What version of Zimbra and O/S? http://www.zimbra.com/forums/announc...r-profile.html

  3. #3
    osmedts is offline OpenSource Builder
    Join Date
    Jan 2007
    Location
    Lyon, France
    Posts
    16
    Rep Power
    8


    That's not what EiZ asked. What you're pointing at is a way to restrict (in/out) SMTP. What he's searching for is a way to restrict some users from logging in (through HTTP, POP, IMAP) when they use a specific zimbra proxy (basically, when they're outside the LAN).

    Is there a way to do that with an LDAP filter (used for domain authentication) ? Are there any parameters (%...) which can be used to check the client's IP or the zimbra proxy he's using ?

    Or maybe with a specific zimbra-proxy configuration ?

  4. #4
    uxbod is offline Moderator
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    24


    If using a reverse proxy, why not use, say, Squid and set up access groups? I believe you could then tie the authentication in with the ZM LDAP. Just thinking out loud.

  5. #5
    EiZ
    EiZ is offline New Member
    Join Date
    Nov 2007
    Posts
    3
    Rep Power
    7


    The reverse-proxy hackery will only work to limit the http access and I don't see how to avoid double sign on.

    PAM would be the savior here if the zimbra auth component allowed a PAM stack traversal.

    But I believe zimbra does not use PAM. Am I wrong ?

  6. #6
    Cringer is offline Loyal Member
    Join Date
    Oct 2006
    Location
    UK
    Posts
    75
    Rep Power
    8

    Update?

    Was a solution ever found for this?
    I know we are a couple of years on, and Zimbra has evolved quite a bit, but I also have the same requirements. Namely I only want a small subset of my Zimbra users to have external access. These will have higher password requirements, while the others can stay more relaxed.

    I know that via POP and IMAP I can indicate if a user is allowed access through a proxy or not, but can this also be done for HTTPS? Maybe some way of getting Zimbra to drop the connection once logged in if the user is in or out of an IP range.

    I have thought about setting up a separate proxy server and feeding it a limited LDAP range?

    Any feedback is very welcome.

    -Si-

  7. #7
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,470
    Rep Power
    56


    Quote (originally posted by mitesh.choksi):
    Is there an RFE already on this?

    You should search bugzilla to see if any RFE has been filed and file one if there isn't an applicable one in there.
    Regards


    Bill



  8. #8
    zliqhui is offline Starter Member
    Join Date
    Jun 2011
    Posts
    1
    Rep Power
    4


    Want to bump this topic.

    Is there still no solution?

    In my scenario users from different domains will have or not have web access from the outside network. If there is some difference.

  9. #9
    Cringer is offline Loyal Member
    Join Date
    Oct 2006
    Location
    UK
    Posts
    75
    Rep Power
    8


    I solved my problem by giving all users very long and random passwords.
    Then using my own gateway to authenticate those users I trusted, and connecting them into Zimbra using the pre-auth ability of Zimbra.
    This does mean that anyone using the mobile sync has to use a very long and complex password, but they all hand their phones in to me to set up. Those with laptops also have to go through me, but then I have full control over them.
    -Si-
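
The gateway-plus-preauth approach described in the post above, sketched as an added example (not code from the thread or from Zimbra). It applies the policy from the first post and then builds a Zimbra preauth login URL, where the token is an HMAC-SHA1 over `account|by|expires|timestamp` keyed with the domain preauth key (generated with `zmprov gdpak <domain>`). The network range, group membership, key and hostname are constructed placeholders.

```python
import hashlib
import hmac
import ipaddress
import time
from urllib.parse import urlencode

# Constructed sample values (assumptions, not taken from the thread).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
EXTERNAL_ALLOWED = {"alice@example.com"}        # group allowed in from outside
PREAUTH_KEY = "constructed-demo-key"            # placeholder for the gdpak output
ZIMBRA_PREAUTH_URL = "https://mail.example.com/service/preauth"


def may_sign_in(account, client_ip):
    """LAN clients: unrestricted. Everyone else: allowed group only."""
    try:
        internal = ipaddress.ip_address(client_ip) in INTERNAL_NET
    except ValueError:
        internal = False                        # unparsable address counts as external
    return internal or account.lower() in EXTERNAL_ALLOWED


def preauth_token(account, timestamp_ms, key=PREAUTH_KEY, by="name", expires=0):
    """HMAC-SHA1 (hex) over the pipe-joined preauth fields."""
    msg = f"{account}|{by}|{expires}|{timestamp_ms}"
    return hmac.new(key.encode(), msg.encode(), hashlib.sha1).hexdigest()


def preauth_redirect(account, client_ip, now_ms=None):
    """Return the login URL, or None if policy denies this client.

    Call this only after the gateway itself has authenticated the user.
    """
    if not may_sign_in(account, client_ip):
        return None
    ts = int(time.time() * 1000) if now_ms is None else now_ms
    query = {
        "account": account,
        "by": "name",
        "timestamp": ts,
        "expires": 0,
        "preauth": preauth_token(account, ts),
    }
    return f"{ZIMBRA_PREAUTH_URL}?{urlencode(query)}"
```

The `client_ip` passed in should be the socket peer address seen by the gateway, not a client-supplied header such as `X-Forwarded-For`. The preauth key must live only on the gateway, since anyone holding it can mint a login for any account in the domain.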

  10. #10
    arctics is offline Member
    Join Date
    Nov 2011
    Posts
    12
    Rep Power
    3


    FYI, this RFE appears to reflect this issue, but doesn't have many votes, so might not be getting enough attention to have any action.

    https://bugzilla.zimbra.com/show_bug.cgi?id=66411
