
Thread: captcha support for webmail interface?

  1. #1
    tiger2000 (Elite Member)

    Dear all,

    Is it possible to have captcha support when users log in via the Webmail interface?

    Thanks.

  2. #2
    phoenix (Zimbra Consultant & Moderator)

    Originally posted by tiger2000:
    "Is it possible to have captcha support when users log in via the Webmail interface?"

    Not unless you implement it or file an RFE in Bugzilla Main Page - Zimbra. Why do you think you need it? The implementation of good password policies should obviate the need for using captcha.
    Regards


    Bill



  3. #3
    ericjan (Starter Member)

    The account locking mechanism will cause DoS when the hacker is guessing the password. I think CAPTCHA is a better solution.

    Regards,
    Eric

  4. #4
    dave_kempe (Partner, VAR/HSP)

    CAPTCHA would impose a very annoying restriction on normal users.
    You would be able to build something yourself, I would imagine, with a PHP app and an authenticated reverse proxy anyway, if you like.

  5. #5
    tiger2000 (Elite Member)

    Could you please elaborate on some details of how to build that with a PHP program? Is there any other reference/document I can check?

    Thanks in advance.

  6. #6
    Dirk (Moderator)

    There are multiple ways to defeat most captcha systems, and they offer a different type of protection to the auto password lock system.

    If someone is trying to brute force one of your accounts, then having it lock out lets you know that something is amiss. The main admin shouldn't just go to the admin console and unlock the account; they should work out WHY the account was locked. Was it the user themselves keying in the password wrong, or was it a hacking attempt? The information gathered from that check is powerful.

    If someone is trying to brute force an account, and in addition to the username and password they need a captcha, then it's not likely to stop them; they could brute force the captcha or send its details out to services that deal with them.

    If you do go ahead and implement such a system, you'd need to be pretty secure in two things:
    1. that your code is good enough to always work, every time, no exceptions. You don't want a user to be keying everything in correctly and still be unable to connect,
    2. that the captcha system you use is unbreakable. You don't want to go to all this effort for a system that's trivial to defeat.

    I can't offer any help with the actual coding, but I'd imagine you could simply hijack the login process to show your own login system which would, once authenticated, call Zimbra's pre-authentication mechanisms to then automatically log the user in. There's lots of detail on this in the wiki.
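
The flow suggested in posts #4 and #6 (a custom PHP login page that checks a CAPTCHA and the password itself, then hands the user to Zimbra through preauth) could look like the sketch below. It is an added example, not code from any poster or from Zimbra. Assumptions: the function names, the two verifier callables, the host name and the sample key are hypothetical, and the domain preauth key is the one generated with `zmprov gdpak <domain>`.

```php
<?php
// Added example: CAPTCHA-gated front end that hands off to Zimbra preauth.
// Function names, callables, host and key below are illustrative assumptions.

/** Build the preauth URL for an account that has already passed our own checks. */
function zimbra_preauth_url(string $baseUrl, string $account, string $domainKey, ?int $timestampMs = null): string
{
    $by = 'name';
    $expires = 0; // 0 = use the account's default auth token lifetime
    // Milliseconds since the epoch; it has to be close to the Zimbra server's clock.
    $timestampMs ??= (int) round(microtime(true) * 1000);
    // Preauth value: HMAC-SHA1 over "account|by|expires|timestamp", keyed with the domain key.
    $preauth = hash_hmac('sha1', "$account|$by|$expires|$timestampMs", $domainKey);
    return rtrim($baseUrl, '/') . '/service/preauth?' . http_build_query([
        'account' => $account, 'by' => $by, 'timestamp' => $timestampMs,
        'expires' => $expires, 'preauth' => $preauth,
    ]);
}

/**
 * Login gate: CAPTCHA first, then the password, then the hand-off.
 * $verifyCaptcha and $verifyPassword are hypothetical callables the site supplies
 * (the CAPTCHA provider's check, and a credential check against Zimbra or its directory).
 * Returns the redirect URL, or null so the caller can show one generic failure message.
 */
function gated_login(array $form, callable $verifyCaptcha, callable $verifyPassword,
                     string $baseUrl, string $domainKey): ?string
{
    $account = strtolower(trim($form['account'] ?? ''));
    if (!filter_var($account, FILTER_VALIDATE_EMAIL)) {
        return null;
    }
    try {
        // A failed CAPTCHA never reaches the password check, so automated guessing
        // does not count against the account's lockout threshold.
        if (!$verifyCaptcha($form['captcha'] ?? '')) return null;
        if (!$verifyPassword($account, $form['password'] ?? '')) return null;
    } catch (Throwable $e) {
        error_log('login gate error: ' . $e->getMessage()); // keep the evidence for the admin
        return null;                                        // fail closed on verifier errors
    }
    return zimbra_preauth_url($baseUrl, $account, $domainKey);
}

// Constructed sample run. The preauth key can log in as any user of the domain,
// so it stays server-side and is never sent to the browser.
$key  = str_repeat('ab', 32); // constructed stand-in for the real domain key
$form = ['account' => 'user@example.com', 'password' => 'correct horse', 'captcha' => 'kx7p2'];
$url  = gated_login($form, fn($c) => $c === 'kx7p2',
                    fn($a, $p) => hash_equals('correct horse', $p),
                    'https://mail.example.com', $key);
echo $url ?? 'login failed', PHP_EOL;
```

The gate only helps if Zimbra's own login page is not reachable directly, which is what the reverse proxy in post #4 is for.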
