Limit the networks some users can connect from to the server

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
Post Reply
JavierCairus
Posts: 9
Joined: Tue Apr 02, 2019 7:35 pm

Limit the networks some users can connect from to the server

Post by JavierCairus »

Hello forum,

Hope I am not breaking (many :oops: ) rules posting this here, and also apologize in advance if this has being discussed other times or has a direct answer under official Zimbra documentation.
Maybe by the vocabulary that I am using, I am not being able to find answers to it with uncle Google.

We would like to limit the newtrok certain Zimbra users (all under the same domain), are able to login to the server (webmail and clients like Zimbra Desktop, Outlook) to receive and send mails through our server, not all of them, just specific accounts. So this users can only connect to the server within our local network in the enterprise.
We do not mean limitig the domains they are able to send/receive mails.

Is there a way to accomplish this?
Thank you all in advance :mrgreen:
User avatar
JDunphy
Outstanding Member
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Limit the networks some users can connect from to the server

Post by JDunphy »

Slightly confused with the way you phrased this question so throwing out a few ideas. Have you considered mobile and the issues associated if that is a use case.

Do you have a list of all the networks/ip that represent your users? It sounds like you want only your enterprise network and it's associated ip's to have access to zimbra services like 443, 587, 995, 993, etc. That could be accomplished fairly easy with an ipset and 1 fw rule to allow access to services they should be granted.

Otherwise if you don't have all the addresses, a little bit of redirection could also get them there with something like adding a few cloud openvpn access servers and only trust those openvpn ip's for incoming access to your zimbra services outside your trusted space. This opens up a support issue since you are now on the hook for showing them how to use the access servers and load the appropriate app or software since it is a VPN but outside your network in the cloud. Fortunately, the credentials can be encapsulated in a single file representing each server. We encourage them to use this on their cell networks or when using wifi and the solution also protects them from some other types of attacks. Provided you run these things fast and provide a few for different geo locations, it can be embraced. Ours come up in 1-2 seconds with a single click. I should note that I run the access servers at 443 since more and more places are blocking outgoing connections. ie) pop3s and imaps won't work anyway so they appreciate the option if they are using MUA's. Here are a few other ideas we were talking about earlier in the week.

viewtopic.php?f=15&t=65950#p289513

Other odd ideas are port knocking where you give the users an app which goes after a certain pattern of ports on your zimbra server (much like a combination lock that you can set or change)... When the app hits the appropriate ports, you automatically allow that ip address incoming access to zimbra services, etc. I am not aware of a prebuilt solution but it could be done fairly easily with a script looking for the port pattern and then adding that users ip address to an ipset. I would create the ipset with a 24 hour expiration so the ip gets removed automatically. This is not a replacement for trusted ip's inside your network but just another layer to allow access to your zimbra services for external users because your services are off by default to anyone other than trusted address space.

hmmm... sometimes I wonder if an ipset is my hammer. Everything looks like a nail. :-) There are probably other solutions that are not FW specific.

Ref: http://portknocking.org/
JavierCairus
Posts: 9
Joined: Tue Apr 02, 2019 7:35 pm

Re: Limit the networks some users can connect from to the server

Post by JavierCairus »

Thanks for your feedback JD.

I was looking into an application aproach for the case stated, something that could be accomplished within Zimbra.
As you mentioned, managing all the access from all the clients could be done in many ways mostly with firewall or networking solutions.
But the thing is, I want to let user A check his email from anywhere, but user B just from the entreprise LAN. Maybe expressed that way is simpler to understand. (Sorry, English is my second language). Thats why I was investigating a "Zimbra
solution" if it exists any.

Thank you again!
User avatar
JDunphy
Outstanding Member
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Limit the networks some users can connect from to the server

Post by JDunphy »

JavierCairus wrote: But the thing is, I want to let user A check his email from anywhere, but user B just from the entreprise LAN. Maybe expressed that way is simpler to understand. (Sorry, English is my second language). Thats why I was investigating a "Zimbra
solution" if it exists any.
I completely misunderstood your question. To use a basketball analogy, "air ball" on my part. LOL

Look here to read about those features per user in the section customizing accounts... https://zimbra.github.io/adminguide/lat ... g_accounts. This will allow you to control user access with MUA's but the web is still available.
The issue is that the web interface is how they change passwords, control filters, update their preferences, etc.

If this was important, you might get around that limitation by enabling and setting a 2FA on accounts that you don't want them to have web access which would prevent them to successfully authenticate but it would be quite a kludge to do this with 2FA...not to mention you are on the hook for trusted devices and all other preferences for their account if you take away their web interface. I don't see any barriers to preventing you from accomplishing your goals if you don't want to use firewalls and want a "zimbra only solution" as you say.
JavierCairus
Posts: 9
Joined: Tue Apr 02, 2019 7:35 pm

Re: Limit the networks some users can connect from to the server

Post by JavierCairus »

Thanks again JD, will read thourgh the link provided and let you know if I found what I was looking for.

Best regards!
tim_ba
Advanced member
Advanced member
Posts: 62
Joined: Sat Sep 13, 2014 12:10 am

Re: Limit the networks some users can connect from to the server

Post by tim_ba »

Javier, did you find a solution? Asking because I need this too. Some accounts are attacked and a solution would be to limit them to local IP.
Post Reply