Filtering user access per account

[PNE]

It is maybe too much I'm asking for but anyway I'll try it. Is there a way to filter users' access to their mailboxes based on account and IP adress? For example:

user1 can access his mailbox from local subnets only
user2 can access his mailbox from local subnets and/or another specified public IP
user3 can access his mailbox from everywhere

Why would I want this? Most of my users for sure do not need to access their mailboxes when out of office. Some of them are at remote location (with static IP) and so they need access just from their IP and rest of them are travelling a lot and need access from everywhere. When I open POP3/IMAP/HTTPS at firewall it is for everyone and there are some security concerns. Even when "secure ports" are used so passwords exchange is protected, there is no protection when attacker tries to guess users' password and succeeds. If only selected account were accessible from the outside, the risk would be lower.

[KevinH]

There is no way in Zimbra itself to control this. Most people who need this level of control will close all ports to the outside and then use a VPN to allow only certain user's access. This kind of fine ACL control at the network level is outside the scope of Zimbra itself.

[scottnelson]

If you have "TLS" only checked and SMTP Auth is on by default, you should be good to go security-wise anyway.

We have gone a step further and blocked everything except for tcp-25 ( SMTP ), DNS and VPN, on the firewalls for incoming connections from anything that is not based in US so, you could do that can gain some extra security if you want. Why block at one device when you can block for all your devices at a single point?
YMMV I guess. :-)

I tried to do what you are trying to do on our mail servers at one point in time and it got too messy after while, as there was always someone on vacation, at a hotel lobby, etc., that needed access and I would have to add their IP Address or network, to the mail server for access and then restart the service EACH TIME I made a change. Got old after a while.
Plus by doing this on the main border firewall anyway, you can track and block script kiddies for the whole internal network easier anyway.

I agree with the VPN suggestion if you really want to get double authentication and stop the "pass-by scans" by script kiddies but it does take more work in both knowing how to run it and client software support issues always arrise so, it's not a "white horse" by any means.

We block all non-us network ranges at the main firewall for everything except for SMTP, DNS and VPN stuff. If someone goes to another country, they can still VPN in using AES-256 level encryption and get everything that way. So far it's worked out OK and no more "mad have-to-have-it-now" changes to the mail server in the middle of the business day kinda stuff.

Looking at the whole Zimbra package I'm not sure why, assuming TLS only checked and SMTP auth is not circumvented, you would want to restrict it in that manner anyway really, other than the way we do it above.

Net Ranges starting point for weeding out by country can be found here:
http://www.completewhois.com/statistics/index.htm
and of course http://www.arin.net

Anyway, all IMHO, YMMV, etc., etc. ;-)

Scotty

[PNE]

Thank for your responses. In fact we are already using VPN and it is satisfying. VPN use is quite restrictive here (only from authorized computers + smartcards) and I just wanted to loosen mail access a little bit. Filtering by country is no option for us as our commercial staff is travelling really a lot. And I am not very surprised that Zimbra will not add such a feature as Kevin wrote. I just hoped that someone already had solved it at mail server level.

[scottnelson]

Thank for your responses. In fact we are already using VPN and it is satisfying. VPN use is quite restrictive here (only from authorized computers + smartcards) and I just wanted to loosen mail access a little bit. Filtering by country is no option for us as our commercial staff is travelling really a lot. And I am not very surprised that Zimbra will not add such a feature as Kevin wrote. I just hoped that someone already had solved it at mail server level.

It's probably not high on Zimbra's list of things to do.
Why can't you just restrict your remote users IP Addresses on the Internet firewall?
Are you users really not that trustworthy?
I am not sure I follow what you are trying to do here really I guess.
Is user1 attempting to read/access user2's mail?
If so, not sure it's a technical issue really? ;-)
If this is the case, it may help to modify the preferences in the 'Class of Service' section, 'advanced' so that the users have to:

1. maybe set the minimum password length/age/ to something higher
2. enable password history
3. set session idle timout to something lower

My point is, I am not sure what security risk you are trying to protect against really.
Non-emloyee logins from outside your network or your own users hacking each others e-mails.

Feel free to correct me if I totally missed what you are saying. ;-)

Being a network and firewall security person for more than 15+ years and not a sys/mail admin really, it makes more sense to me to do it at the firewall or router access list level, than to have to make changes on the server, by IP Address whenever there are moves/adds or changes and which would require me to restart a service or services on the mail server interupting access to all of the other users so that the change would take effect.

disclaimer: I still could be missing your security requirement. :-)

Scotty

[PNE]

Scotty,

1. Majority of our users (Group1) does not need e-mail access from outside world at all.

2. Another part (Group 2) is travelling a lot around the world and they need access from ANY location, so there is no need for any kind of IP filtering at any level. Just free access from everywhere, no settings on firewall or mailserver.

3. Remaining users (Group 3) are at remote office with static IP and it of course can be solved by firewall filter, no doubt about it and we can consider it solved.

My concerns are about any attacker who would try to guess username/password and then get into mailbox. If all mailboxes are accesible, and they all need to be for Group2 to have access, all mailboxes are at some risk. There is still a little chance that attacker may succeed - even when passwords are strong (but Zimbra cannot really force it, if I decide to have easy password who can deny me?) and often changed. Of course I know that every public e-mail server takes such risk.

If some mailboxes (Group 1) would be set to no access from outside at mailserver level using some kind of local subnets parameter, just as postfix uses for relaying, the risk would be narrowed down to Group2 mailboxes. For Group2 people I do not want do manage any kind of allowed IPs at firewall level. I do not know where they will sleep next night, it would be an overkill. Just as your experience has been.

Hope it is clearer soon, sorry for my English.

[scottnelson]

Hm, so 2 and 3 seem OK or solved.

How many users fitting Item #1 above are we talking about?

If all you're ( and me as well ) are worried about is password cracking or password guessing then maybe a another way, I just submitted to Zimbra a request via bugzilla, ( Bug/Feature request 8470 ) to add checkbox under "Class Of Service" , "Advanced" that when checked, forces user(s) to provide a complex password and not something that can be guessed. ( IE: Must have/contain special characters, at lease one upper and one lower case letter, one number, etc., etc. )

Then just set the minimum length, .,etc., etc stuff with the the rest of what's currently in the COS page for password security and we shouldn't have to worry about anyone guessing anything.
Keeps us out of the "Hey I've changed my IP Address and now can't to e-mail" schenario stuff.

Maybe easier, eh? <shrug>

Seems like a good idea though. Maybe take care Item #1 for you?

Scotty

[PNE]

"Enforce strong password" feature would be good, Zimbra is missing that. But I would still prefer solution that would allow mailbox access from defined IPs/subnets only. Also could be part of CoS.

For some kind of automated attacks trying to guess name/password sombination, strong passwords are still vulnerable. I do not know how long it would take for some kind of malicious software to guess password when account name is known. If it was 100 years, then OK. But I really do not know. At second, I do not like the idea that users, who use e-mail at office only, would be forced to use strong 10 character passwords. It is kinda upside down for me.

And of course big part is that your suggested solution may be quite easy do implement, in contrast to IP access filtering.