#1
11-10-2010, 12:16 PM
Active Member
Posts: 39
Deactivate webmail (HIPAA Reasons)

I have a client who would like to allow users to access Zimbra only through Outlook (no webmail). I can't find anywhere where it's an option.

Alternately, can I force a specific domain to access the webmail only through https while allowing everyone else to get in through http?

They're needing this for HIPAA compliance. Our regular configuration allows users to access through either http or https and I really can't force all 2000 other users to have to start using https just because of this one client's compliance requirements.

Any suggestions?

thanks,
altimage

#2
11-11-2010, 07:48 PM
Special Member
Posts: 149

You may vote for this feature here: Bug 16099 – disable webmail access to particular user/domain

#3
11-15-2010, 06:39 PM
Moderator
Posts: 1,209

Quote:
Originally Posted by altimage
I have a client who would like to allow users to access Zimbra only through Outlook (no webmail). I can't find anywhere where it's an option.

Alternately, can I force a specific domain to access the webmail only through https while allowing everyone else to get in through http?

They're needing this for HIPAA compliance. Our regular configuration allows users to access through either http or https and I really can't force all 2000 other users to have to start using https just because of this one client's compliance requirements.

Any suggestions?

thanks,
altimage

I think you'll find that the HIPAA Security Rule is fine with web access, provided however that the transmission is encrypted end to end.

If you configure your Zimbra server to force users from http to https you should be OK.

Alternatively, you could just block ports 80 and 443 at the firewall to stop all web access.

I'm surprised at the requirement for Outlook; many users will turn off SSL/TLS when they have any sort of connectivity options; you can't control that like you can the Zimbra https redirect, so it's a bit confusing why your practice wants to do things that way.

FWIW, we take care of a number of medical practices on our managed services side, plus we've also configured our Zimbra farm to be HIPAA compliant. Not pitching here, just letting you know that you have options with Zimbra.

One other easy way to break HIPAA compliance with Outlook is forwarding, again, which you can control in Zimbra but not in Outlook. The practitioner sets up an Outlook rule to forward emails to their ISP's home email account. Many ISPs' email servers won't do server-to-server TLS, so the forwarding is done unencrypted, leading to a de facto HIPAA violation.

We actually encourage our practices to drop Outlook, so as to make enforcing HIPAA compliance easier with Zimbra.

Hope that helps,
Mark
__________________
___________________________________
L. Mark Stone, CIO


"Uptime. All the time."

477 Congress Street | Portland, ME 04101-3431 | (207) 772-5678

proactive maintenance and monitoring | technology consulting
Zimbra groupware | EMR implementations | private cloud hosting
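
The unencrypted-forwarding failure mode described in the post above can be checked from the server side. This is an added example, not part of the thread and not Zimbra's own tooling: it scans Postfix delivery logs for outbound mail that was sent without a TLS session. It assumes Postfix logs TLS sessions (smtp_tls_loglevel = 1 or higher) in the stock syslog format; the log lines, domains and function name are constructed for illustration.

```python
import re

# Constructed sample lines in stock Postfix syslog format.
SAMPLE_LOG = """\
Nov 15 18:01:02 mail postfix/smtp[4101]: Trusted TLS connection established to mx.partner.example[192.0.2.10]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
Nov 15 18:01:03 mail postfix/smtp[4101]: 3F2A1C0D: to=<billing@partner.example>, relay=mx.partner.example[192.0.2.10]:25, delay=1.2, dsn=2.0.0, status=sent (250 OK)
Nov 15 18:02:10 mail postfix/smtp[4102]: 7B9E44A1: to=<drsmith@homeisp.example>, relay=mail.homeisp.example[198.51.100.7]:25, delay=0.9, dsn=2.0.0, status=sent (250 OK)
Nov 15 18:03:00 mail postfix/smtp[4103]: 9C11D2E0: to=<nurse@clinic.example>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.3, dsn=2.0.0, status=sent (250 OK)
"""

# "Trusted", "Untrusted", "Verified" or "Anonymous" TLS session to host[ip]:port
TLS_RE = re.compile(
    r"postfix/smtp\[(\d+)\]: \w+ TLS connection established to (\S+?):\d+:")
# Successful delivery: queue id, recipient, relay host[ip]
SENT_RE = re.compile(
    r"postfix/smtp\[(\d+)\]: (\w+): to=<([^>]+)>, relay=(\S+?):\d+,.*status=sent")


def cleartext_deliveries(log_text, local_domains):
    """Return (queue_id, recipient, relay) for external deliveries with no
    preceding TLS session logged by the same smtp process to the same relay."""
    tls_sessions = set()  # (smtp pid, relay) pairs that negotiated TLS
    findings = []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            tls_sessions.add((m.group(1), m.group(2)))
            continue
        m = SENT_RE.search(line)
        if not m:
            continue
        pid, queue_id, rcpt, relay = m.groups()
        domain = rcpt.rsplit("@", 1)[-1].lower()
        # Skip loopback hops (content filter) and mail for our own domains.
        if relay.startswith("127.0.0.1[") or domain in local_domains:
            continue
        if (pid, relay) not in tls_sessions:
            findings.append((queue_id, rcpt, relay))
    return findings


if __name__ == "__main__":
    for hit in cleartext_deliveries(SAMPLE_LOG, {"clinic.example"}):
        print("delivered without TLS:", hit)
```

Matching on process id and relay is a heuristic; a hit is a prompt to confirm whether the destination server offers STARTTLS, not proof by itself.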