Prevent External Access from outside LAN

[Sir Bob]

Hello,

I have come across several posts that restrict users from certain external resources, but haven't quite found info on my particular situation. That being...

We have one Zimbra server with an internal IP and external IP with no firewall in place between email and internet. What I am looking to do is stop web access for any one that is not coming from an IP on our LAN or connecting to our LAN through a VPN. Internal users should be able to send internally as well as externally, but users sitting at home with no VPN will not have access to their email. Our current version of Zimbra is 5.0.4.

As this is something I've never considered before, can someone begin pointing me in the right direction? I would prefer not to implement other hardware to incorporate this change if not necessary.

Sir Bob

[uxbod]

Does your router not even have a basic firewall ? How are they VPN'ing in ?

[Sir Bob]

Hello, and thanks for the quick response.

We have firewalls in place for each internet cct (one for general surfing and one for site to site and client VPN activity) with DNS being done internally. Internal users connect to the private IP when accessing email though external users access the public IP. This is what we want to prevent, due to a recent "issue" with a spammer.

I realize that exposing the email server to the internet without a firewall in place is not the most responsible thing to do. VPNs come through our firewall to the VPN server, which allows access to the LAN. This is an old network and many things were not implemented properly when first installed. Changes are on the way, but change is slow and the list is long....

Sir Bob

[uxbod]

Are you external users on static IP's?

[Sir Bob]

External users do not have static IPs. Most people accessing the email from the outside are travelling or work from home with DHCP assigned IPs. All external users though do have VPNs to connect.

[uxbod]

Sorry, i must be So who does connect to the external IP for the web client ? anybody ? or do you just want to allow SMTP traffic to your server ?

[Sir Bob]

Hi and probably I could be explaining this a little more clearly.

Most users from home access their emails from the public IP (external DNS through EasyDNS), without the use of their VPN (typically only used to gain access to network shares).

What I am trying to achieve is that external users will only have access to their email by using the VPN connection. If they try to connect without the VPN connected, then they will not get email. We do have one client located overseas that can not use the VPN due to external issues. Once configured, they should not have access to email, but this issue will be dealt with using other means.

In short, no one gets access to the email through the public IP. Only through the VPN assigned IP and the LAN will email be available. Hope this clears the muddy waters I've created.

[bdial]

ultimately it comes down to is there ip acl's built in to the zimbra services? no, there isn't. there may be some way to restrict via ip in jetty but it would be unadviseable to modify it there because it won't survive upgrade and could cause problems.

teh best solution if you don't have a firewall is to run firewall rules on the server itself with iptables.

[rocks]

did you ever get this resolved?

[Sir Bob]

Hello,

We have since moved on and up from this and have things working in a different configuration.

SirBob