  #1 (permalink)  
Old 03-26-2008, 08:39 AM
EiZ
New Member
 
Posts: 3
Restricting external access

Hello,

I would like to restrict user access based on the following scheme:

- if the client IP is from my internal network: full access granted
- if the client IP is outside my internal network: access to the web client and IMAP/POP proxy is restricted to a group of users.

I plan to force the remote web access through an HTTP reverse proxy and put a zimbra-proxy in the DMZ for remote IMAPS/POPS access.

So the access scheme can also be read this way:

- if the client accesses the zimbra-apache server (which is only reachable from the internal network): no restriction
- if the client accesses the Zimbra web client through the HTTP reverse proxy OR if the client accesses the zimbra-proxy in the DMZ: access is restricted to a specific group of users

What is the best way to implement this policy? Is there a way with COS? Can PAM be used? Must I rely on External Auth?

Thanks for your advice.
  #2 (permalink)  
Old 03-26-2008, 08:51 AM
Moderator
 
Posts: 5,806

Or leave Zimbra as is and use IPTables (or some variant). What version of Zimbra and O/S? http://www.zimbra.com/forums/announc...r-profile.html
__________________
SplatNIX IT Services :: Innovation through Collaboration™


http://www.messagefortress.com
  #3 (permalink)  
Old 03-26-2008, 09:19 AM
OpenSource Builder
 
Posts: 16

That's not what EiZ asked. What you're pointing at is a way to restrict (in/out) SMTP. What he's searching for is a way to restrict some users from logging in (through HTTP, POP, IMAP) when they use a specific zimbra proxy (basically, when they're outside the LAN).

Is there a way to do that with an LDAP filter (used for domain authentication)? Are there any parameters (%...) which can be used to check the client's IP or the zimbra proxy he's using?

Or maybe with a specific zimbra-proxy configuration?
  #4 (permalink)  
Old 03-26-2008, 09:23 AM
Moderator
 
Posts: 5,806

If using a reverse proxy, why not use it with, say, Squid and set up access groups? I believe you could then tie the authentication in with the ZM LDAP. Just thinking out loud.
  #5 (permalink)  
Old 03-26-2008, 10:43 AM
EiZ
New Member
 
Posts: 3

The reverse-proxy hackery will only work to limit the HTTP access, and I don't see how to avoid double sign-on.

PAM would be the saver here if the Zimbra auth component allowed a PAM stack traversal.

But I believe Zimbra does not use PAM. Am I wrong?