  #1 (permalink)  
Old 03-26-2008, 08:39 AM
EiZ EiZ is offline
New Member
 
Posts: 3
Default Restricting external access

Hello,

I would like to restrict user access based on the following scheme:

- if the client IP is from my internal network: full access granted
- if the client IP is outside my internal network: access to the web client and imap/pop proxy is restricted to a group of users.

I plan to force the remote web access through an http reverse-proxy and put a zimbra-proxy in the DMZ for remote imaps/pops access.

So the access scheme can also be read this way:

- if the client accesses the zimbra-apache server (which is only reachable from the internal network): no restriction
- if the client accesses the zimbra web client through the http reverse proxy OR if the client accesses the zimbra-proxy in the DMZ: access is restricted to a specific group of users

What is the best way to implement this policy? Is there a way with COS? Can PAM be used? Must I rely on External Auth?

Thanks for your advice.
  #2 (permalink)  
Old 03-26-2008, 08:51 AM
Moderator
 
Posts: 7,911
Default

Or leave Zimbra as is and use IPTables (or some variant). What version of Zimbra and O/S? http://www.zimbra.com/forums/announc...r-profile.html
  #3 (permalink)  
Old 03-26-2008, 09:19 AM
OpenSource Builder
 
Posts: 16
Default

That's not what EiZ asked. What you're pointing at is a way to restrict (in/out) SMTP. What he's searching for is a way to restrict some users from logging in (through HTTP, POP, IMAP) when they use a specific zimbra proxy (basically, when they're outside the LAN).

Is there a way to do that with an LDAP filter (used for domain authentication)? Are there any parameters (%...) which can be used to check the client's IP or the zimbra proxy he's using?

Or maybe with a specific zimbra-proxy configuration?
  #4 (permalink)  
Old 03-26-2008, 09:23 AM
Moderator
 
Posts: 7,911
Default

If using a reverse proxy why not use with say Squid and set up access groups? I believe you could then tie the authentication in with the ZM LDAP. Just thinking out loud.
  #5 (permalink)  
Old 03-26-2008, 10:43 AM
EiZ EiZ is offline
New Member
 
Posts: 3
Default

The reverse-proxy hackery will only work to limit the http access and I don't see how to avoid double sign-on.

PAM would be the savior here if the zimbra auth component allowed a PAM stack traversal.

But I believe zimbra does not use PAM. Am I wrong?
  #6 (permalink)  
Old 06-11-2010, 04:16 AM
Loyal Member
 
Posts: 75
Question Update?

Was a solution ever found for this?
I know we are a couple of years on, and Zimbra has evolved quite a bit, but I also have the same requirements. Namely, I only want a small subset of my Zimbra users to have external access. These will have higher password requirements, while the others can stay more relaxed.

I know that via POP and IMAP I can indicate if a user is allowed access through a proxy or not, but can this also be done for HTTPS? Maybe some way of getting Zimbra to drop the connection once logged in if the user is in or out of an IP range.

I have thought about setting up a separate proxy server and feeding it a limited LDAP range?

Any feedback is very welcome.

-Si-
  #7 (permalink)  
Old 09-01-2010, 09:39 AM
User Awaiting Moderation
 
Posts: 10
Default Requiring similar access restriction

There is a need for such a restriction in general for businesses that have not used hosted email models. Such businesses do not have any other data protection mechanisms and therefore want the data to reside on local servers only.

Is there an RFE already on this?
  #8 (permalink)  
Old 09-02-2010, 04:03 AM
Zimbra Consultant & Moderator
 
Posts: 19,639
Default

Quote:
Originally Posted by mitesh.choksi View Post
Is there an RFE already on this?
You should search bugzilla to see if any RFE has been filed and file one if there isn't an applicable one in there.
__________________
Regards


Bill
  #9 (permalink)  
Old 06-03-2011, 02:52 AM
Starter Member
 
Posts: 1
Default

Want to bump this topic.

Is there still no solution?

In my scenario users from different domains will have or not have web access from the outside network. If there is some difference.
  #10 (permalink)  
Old 06-03-2011, 03:19 AM
Loyal Member
 
Posts: 75
Default

I solved my problem by giving all users very long and random passwords.
Then using my own gateway to authenticate those users I trusted, and connecting them into Zimbra using the pre-auth ability of Zimbra.
This does mean that anyone using the mobile sync has to use a very long and complex password, but they all hand their phones in to me to set up. Those with laptops also have to go through me, but then I have full control over them.
-Si-
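
The gateway approach described in the post above, sketched as an added example (this is not the poster's code and not Zimbra's own). It applies the thread's policy (internal clients unrestricted, external clients limited to an allow-list) and, for a user the gateway has already authenticated, builds a Zimbra preauth URL. Assumptions: the token is HMAC-SHA1 over `account|by|expires|timestamp` keyed with the domain's preauth key, as Zimbra's preauth documentation describes; the network, accounts, key and hostname are constructed placeholders.

```python
import hashlib
import hmac
import ipaddress
import time
from urllib.parse import urlencode

# All values below are constructed placeholders, not taken from the thread.
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/16")
EXTERNAL_USERS = {"alice@example.com"}  # accounts trusted for remote access
PREAUTH_KEY = "constructed-demo-key-not-a-real-domain-key"
ZIMBRA_URL = "https://mail.example.com"


def preauth_token(account, timestamp_ms, key=PREAUTH_KEY, by="name", expires=0):
    """HMAC-SHA1 over 'account|by|expires|timestamp', hex encoded."""
    message = f"{account}|{by}|{expires}|{timestamp_ms}"
    return hmac.new(key.encode(), message.encode(), hashlib.sha1).hexdigest()


def access_allowed(account, client_ip):
    """Internal clients: everyone. External clients: allow-listed accounts only."""
    if ipaddress.ip_address(client_ip) in INTERNAL_NET:
        return True
    return account.lower() in EXTERNAL_USERS


def preauth_redirect(account, client_ip, now_ms=None):
    """Return the preauth URL for a user the gateway has ALREADY authenticated,
    or None when the access policy denies the request."""
    if not access_allowed(account, client_ip):
        return None
    ts = int(time.time() * 1000) if now_ms is None else now_ms
    query = urlencode({
        "account": account,
        "by": "name",
        "timestamp": ts,
        "expires": 0,
        "preauth": preauth_token(account, ts),
    })
    return f"{ZIMBRA_URL}/service/preauth?{query}"


if __name__ == "__main__":
    print(preauth_redirect("alice@example.com", "203.0.113.7"))
    print(preauth_redirect("bob@example.com", "203.0.113.7"))
    print(preauth_redirect("bob@example.com", "192.168.1.20"))
```

The preauth key is equivalent to a password for every account in the domain, so it belongs only on the gateway, and the random per-user passwords are what keep the direct login paths from bypassing this check.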