Thread: Prevent External Access from outside LAN

  1. #1
    Join Date
    Apr 2009
    Location
    Calgary, Alberta
    Posts
    31
    Rep Power
    6

    Hello,

    I have come across several posts that restrict users from certain external resources, but haven't quite found info on my particular situation. That being...

    We have one Zimbra server with an internal IP and external IP with no firewall in place between email and internet. What I am looking to do is stop web access for anyone that is not coming from an IP on our LAN or connecting to our LAN through a VPN. Internal users should be able to send internally as well as externally, but users sitting at home with no VPN will not have access to their email. Our current version of Zimbra is 5.0.4.

    As this is something I've never considered before, can someone begin pointing me in the right direction? I would prefer not to implement other hardware to incorporate this change if not necessary.

    Sir Bob

  2. #2
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    25

    Does your router not even have a basic firewall? How are they VPN'ing in?

  3. #3
    Join Date
    Apr 2009
    Location
    Calgary, Alberta
    Posts
    31
    Rep Power
    6

    Hello, and thanks for the quick response.

    We have firewalls in place for each internet cct (one for general surfing and one for site to site and client VPN activity) with DNS being done internally. Internal users connect to the private IP when accessing email though external users access the public IP. This is what we want to prevent, due to a recent "issue" with a spammer.

    I realize that exposing the email server to the internet without a firewall in place is not the most responsible thing to do. VPNs come through our firewall to the VPN server, which allows access to the LAN. This is an old network and many things were not implemented properly when first installed. Changes are on the way, but change is slow and the list is long....

    Sir Bob

  4. #4
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    25

    Are your external users on static IPs?

  5. #5
    Join Date
    Apr 2009
    Location
    Calgary, Alberta
    Posts
    31
    Rep Power
    6

    External users do not have static IPs. Most people accessing the email from the outside are travelling or work from home with DHCP assigned IPs. All external users though do have VPNs to connect.

  6. #6
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    25

    Sorry, I must be So who does connect to the external IP for the web client? Anybody? Or do you just want to allow SMTP traffic to your server?

  7. #7
    Join Date
    Apr 2009
    Location
    Calgary, Alberta
    Posts
    31
    Rep Power
    6

    Hi and probably I could be explaining this a little more clearly.

    Most users from home access their emails from the public IP (external DNS through EasyDNS), without the use of their VPN (typically only used to gain access to network shares).

    What I am trying to achieve is that external users will only have access to their email by using the VPN connection. If they try to connect without the VPN connected, then they will not get email. We do have one client located overseas that cannot use the VPN due to external issues. Once configured, they should not have access to email, but this issue will be dealt with using other means.

    In short, no one gets access to the email through the public IP. Only through the VPN assigned IP and the LAN will email be available. Hope this clears the muddy waters I've created.

  8. #8
    Join Date
    Jul 2007
    Location
    Baltimore
    Posts
    1,649
    Rep Power
    11

    Ultimately it comes down to: are there IP ACLs built in to the Zimbra services? No, there aren't. There may be some way to restrict via IP in Jetty, but it would be inadvisable to modify it there because it won't survive an upgrade and could cause problems.

    The best solution if you don't have a firewall is to run firewall rules on the server itself with iptables.
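
The host-firewall approach suggested in post #8, as an added example that is not part of the original thread: a script that prints an `iptables-restore` ruleset limiting Zimbra's client-facing ports to trusted source networks while leaving SMTP on port 25 open for inbound delivery. The subnets are constructed placeholders, the port list assumes Zimbra's default ports, and the names `gen_rules`, `is_cidr` and `ZIMBRA_CLIENT` are hypothetical.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset. Nothing is applied.
# Zimbra client-facing TCP ports (defaults assumed): web client (80, 443),
# POP3/POP3S (110, 995), IMAP/IMAPS (143, 993), submission (465, 587),
# admin console (7071).
# Port 25 is deliberately left out so other mail servers can still deliver.
CLIENT_PORTS="80,443,110,995,143,993,465,587,7071"

# is_cidr NET: rough syntax check for dotted-quad/prefix, e.g. 192.168.1.0/24
is_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# gen_rules NET...: print a filter table that trusts only the given networks
gen_rules() {
    [ "$#" -gt 0 ] || { echo "gen_rules: no trusted network given" >&2; return 1; }
    for net in "$@"; do
        is_cidr "$net" || { echo "gen_rules: bad CIDR: $net" >&2; return 1; }
    done
    printf '%s\n' "*filter"
    printf '%s\n' ":INPUT ACCEPT [0:0]"
    printf '%s\n' ":FORWARD ACCEPT [0:0]"
    printf '%s\n' ":OUTPUT ACCEPT [0:0]"
    printf '%s\n' ":ZIMBRA_CLIENT - [0:0]"
    # Traffic the server sends to itself over loopback is always allowed
    printf '%s\n' "-A INPUT -i lo -j ACCEPT"
    # Send every client-port connection through the allow-list chain
    printf '%s\n' "-A INPUT -p tcp -m multiport --dports $CLIENT_PORTS -j ZIMBRA_CLIENT"
    for net in "$@"; do
        printf '%s\n' "-A ZIMBRA_CLIENT -s $net -j ACCEPT"
    done
    # Everything else: log at a limited rate, then drop
    printf '%s\n' '-A ZIMBRA_CLIENT -m limit --limit 6/min -j LOG --log-prefix "zimbra-ext-deny: "'
    printf '%s\n' "-A ZIMBRA_CLIENT -j DROP"
    printf '%s\n' "COMMIT"
}

# Constructed placeholder ranges (assumptions): office LAN and VPN client pool
gen_rules 192.168.1.0/24 10.8.0.0/24
```

Save the output to a file, check it with `iptables-restore --test`, and load it from a console session rather than over the network. `iptables-restore` replaces the existing filter table unless `--noflush` is given.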

  9. #9
    Join Date
    Mar 2010
    Posts
    1
    Rep Power
    0

    Did you ever get this resolved?

  10. #10
    Join Date
    Apr 2009
    Location
    Calgary, Alberta
    Posts
    31
    Rep Power
    6

    Hello,

    We have since moved on and up from this and have things working in a different configuration.

    SirBob
