
Thread: Filtering user access per account

  1. #1
    PNE

    It is maybe too much I'm asking for, but anyway I'll try it. Is there a way to filter users' access to their mailboxes based on account and IP address? For example:

    user1 can access his mailbox from local subnets only
    user2 can access his mailbox from local subnets and/or another specified public IP
    user3 can access his mailbox from everywhere

    Why would I want this? Most of my users for sure do not need to access their mailboxes when out of office. Some of them are at a remote location (with a static IP) and so they need access just from their IP, and the rest of them are travelling a lot and need access from everywhere. When I open POP3/IMAP/HTTPS at the firewall it is for everyone, and there are some security concerns. Even when "secure ports" are used so the password exchange is protected, there is no protection when an attacker tries to guess a user's password and succeeds. If only selected accounts were accessible from the outside, the risk would be lower.

  2. #2
    KevinH

    There is no way in Zimbra itself to control this. Most people who need this level of control will close all ports to the outside and then use a VPN to allow only certain users' access. This kind of fine ACL control at the network level is outside the scope of Zimbra itself.
    Looking for new beta users -> Co-Founder of Acompli. Previously worked at Zimbra (and Yahoo! & VMware) since 2005.

  3. #3
    scottnelson

    If you have "TLS" only checked and SMTP Auth is on by default, you should be good to go security-wise anyway.

    We have gone a step further and blocked everything except for tcp-25 (SMTP), DNS and VPN on the firewalls for incoming connections from anything that is not based in the US, so you could do that and gain some extra security if you want. Why block at one device when you can block for all your devices at a single point?
    YMMV I guess. :-)

    I tried to do what you are trying to do on our mail servers at one point in time and it got too messy after a while, as there was always someone on vacation, in a hotel lobby, etc., that needed access, and I would have to add their IP address or network to the mail server for access and then restart the service EACH TIME I made a change. Got old after a while.
    Plus by doing this on the main border firewall anyway, you can track and block script kiddies for the whole internal network more easily.

    I agree with the VPN suggestion if you really want to get double authentication and stop the "pass-by scans" by script kiddies, but it does take more work in both knowing how to run it and client software support issues always arise, so it's not a "white horse" by any means.

    We block all non-US network ranges at the main firewall for everything except for SMTP, DNS and VPN stuff. If someone goes to another country, they can still VPN in using AES-256 level encryption and get everything that way. So far it's worked out OK and no more "mad have-to-have-it-now" changes to the mail server in the middle of the business day kind of stuff.

    Looking at the whole Zimbra package I'm not sure why, assuming TLS only is checked and SMTP auth is not circumvented, you would want to restrict it in that manner anyway really, other than the way we do it above.

    A starting point for net ranges for weeding out by country can be found here:
    http://www.completewhois.com/statistics/index.htm
    and of course http://www.arin.net

    Anyway, all IMHO, YMMV, etc., etc. ;-)

    Scotty

  4. #4
    PNE

    Thanks for your responses. In fact we are already using VPN and it is satisfying. VPN use is quite restrictive here (only from authorized computers + smartcards) and I just wanted to loosen mail access a little bit. Filtering by country is not an option for us as our commercial staff is travelling really a lot. And I am not very surprised that Zimbra will not add such a feature, as Kevin wrote. I just hoped that someone had already solved it at the mail server level.

  5. #5
    scottnelson

    Quote Originally Posted by PNE
    Thanks for your responses. In fact we are already using VPN and it is satisfying. VPN use is quite restrictive here (only from authorized computers + smartcards) and I just wanted to loosen mail access a little bit. Filtering by country is not an option for us as our commercial staff is travelling really a lot. And I am not very surprised that Zimbra will not add such a feature, as Kevin wrote. I just hoped that someone had already solved it at the mail server level.
    It's probably not high on Zimbra's list of things to do.
    Why can't you just restrict your remote users' IP addresses on the Internet firewall?
    Are your users really not that trustworthy?
    I am not sure I follow what you are trying to do here really, I guess.
    Is user1 attempting to read/access user2's mail?
    If so, not sure it's a technical issue really? ;-)
    If this is the case, it may help to modify the preferences in the 'Class of Service' section, 'Advanced', so that the users have to:

    1. maybe set the minimum password length/age to something higher
    2. enable password history
    3. set session idle timeout to something lower

    My point is, I am not sure what security risk you are trying to protect against really.
    Non-employee logins from outside your network, or your own users hacking each other's e-mails.

    Feel free to correct me if I totally missed what you are saying. ;-)

    Being a network and firewall security person for more than 15+ years and not a sys/mail admin really, it makes more sense to me to do it at the firewall or router access list level than to have to make changes on the server, by IP address, whenever there are moves/adds or changes, which would require me to restart a service or services on the mail server, interrupting access to all of the other users so that the change would take effect.

    disclaimer: I still could be missing your security requirement. :-)

    Scotty

  6. #6
    PNE

    Scotty,

    1. The majority of our users (Group 1) do not need e-mail access from the outside world at all.

    2. Another part (Group 2) is travelling a lot around the world and they need access from ANY location, so there is no need for any kind of IP filtering at any level. Just free access from everywhere, no settings on the firewall or mail server.

    3. The remaining users (Group 3) are at a remote office with a static IP, and it of course can be solved by a firewall filter, no doubt about it, and we can consider it solved.

    My concerns are about any attacker who would try to guess a username/password and then get into the mailbox. If all mailboxes are accessible, and they all need to be for Group 2 to have access, all mailboxes are at some risk. There is still a little chance that an attacker may succeed, even when passwords are strong (but Zimbra cannot really force it; if I decide to have an easy password, who can deny me?) and often changed. Of course I know that every public e-mail server takes such a risk.

    If some mailboxes (Group 1) could be set to no access from outside at the mail server level using some kind of local subnets parameter, just as postfix uses for relaying, the risk would be narrowed down to Group 2 mailboxes. For Group 2 people I do not want to manage any kind of allowed IPs at the firewall level. I do not know where they will sleep next night; it would be overkill. Just as your experience has been.

    Hope it is clearer now, sorry for my English.
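    A model of the per-account source-IP policy the three groups above describe, as an added example that is not part of this thread and not Zimbra's own code: it assumes constructed office subnets and a constructed static IP for the remote office, fails closed for unknown accounts or unparsable addresses, and counts denied attempts per source so the password-guessing pattern the thread worries about shows up in the decisions.

```python
import ipaddress

# Constructed office subnets standing in for the thread's "local subnets" (assumption).
LOCAL_SUBNETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


class AccessPolicy:
    """Per-account source-IP policy modelled on the thread's three groups:
    anywhere=True -> Group 2 (no restriction); extra_networks -> Group 3
    (local subnets plus a static IP); neither -> Group 1 (local subnets only)."""

    def __init__(self, anywhere=False, extra_networks=()):
        self.anywhere = anywhere
        self.networks = LOCAL_SUBNETS + [ipaddress.ip_network(n) for n in extra_networks]

    def allows(self, client_ip):
        if self.anywhere:
            return True
        try:
            ip = ipaddress.ip_address(client_ip)
        except ValueError:
            return False  # unparsable source address: fail closed
        return any(ip in net for net in self.networks)


# Constructed accounts; 203.0.113.7 is a documentation address standing in for the remote office.
POLICIES = {
    "user1": AccessPolicy(),                                   # Group 1
    "user2": AccessPolicy(anywhere=True),                      # Group 2
    "user3": AccessPolicy(extra_networks=["203.0.113.7/32"]),  # Group 3
}


def check_login(account, client_ip):
    """Return 'allow' or 'deny'. Accounts with no policy are denied rather than
    defaulted to open access, so a new account never becomes reachable by accident."""
    policy = POLICIES.get(account)
    if policy is None:
        return "deny"
    return "allow" if policy.allows(client_ip) else "deny"


def denied_sources(logins):
    """Count denied attempts per source IP over (account, ip) login events; repeated
    denials from one outside address are the guessing pattern the thread worries about."""
    counts = {}
    for account, ip in logins:
        if check_login(account, ip) == "deny":
            counts[ip] = counts.get(ip, 0) + 1
    return counts
```

    The check would sit in front of authentication (before the password is even compared), so a Group 1 mailbox is simply unreachable from outside regardless of how weak its password is.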

  7. #7
    scottnelson

    Hm, so 2 and 3 seem OK or solved.

    How many users fitting Item #1 above are we talking about?

    If all you (and I as well) are worried about is password cracking or password guessing, then maybe another way: I just submitted to Zimbra a request via bugzilla (Bug/Feature request 8470) to add a checkbox under "Class Of Service", "Advanced" that, when checked, forces user(s) to provide a complex password and not something that can be guessed (i.e. must have/contain special characters, at least one upper and one lower case letter, one number, etc., etc.).

    Then just set the minimum length, etc., etc. stuff with the rest of what's currently in the COS page for password security and we shouldn't have to worry about anyone guessing anything.
    Keeps us out of the "Hey, I've changed my IP address and now can't get to e-mail" scenario stuff.

    Maybe easier, eh? <shrug>

    Seems like a good idea though. Maybe that takes care of Item #1 for you?

    Scotty

  8. #8
    PNE

    An "Enforce strong password" feature would be good; Zimbra is missing that. But I would still prefer a solution that would allow mailbox access from defined IPs/subnets only. It could also be part of the CoS.

    For some kind of automated attack trying to guess the name/password combination, strong passwords are still vulnerable. I do not know how long it would take for some kind of malicious software to guess a password when the account name is known. If it was 100 years, then OK. But I really do not know. Secondly, I do not like the idea that users who use e-mail at the office only would be forced to use strong 10 character passwords. It is kind of upside down for me.

    And of course a big part is that your suggested solution may be quite easy to implement, in contrast to IP access filtering.
