Zimbra Wall
A server for blocking users to access Zimbra CS.
This software is used to intercept and apply modifications to the traffic between a Zimbra Proxy and Zimbra Mailboxes. If you don't know what a Zimbra Proxy is, You can read about it here: https://wiki.zimbra.com/wiki/Zimbra_Proxy_Guide
This work for all kind of client access:
- POP3
- IMAP
- Webmail
- ActiveSync
- Zimbra Outlook Connector
Use cases
You need to deny access to some users from Internet.
How it works
Zimbra Wall reads a map file, a YAML
file, in which you indicate the pair email:zimbraID
of the users you want to block
Based on this information, Zimbra Wall
tell the Zimbra Proxy to deny access to the user.
Instalation and configuration
Requirements
This has been tested with:
- Zimbra >= 8.5
- Ruby >= 1.93
- Bundler >= 1.3
- Zimbra Proxy
You need to have direct access to the 7072
port of both Mailboxes.
Installation
It's recommended to install it on the same Zimbra Proxy server. All you need to do is run:
$ gem install bundler
$ gem install zimbra_wall
Zimbra Proxy Modification
Important Note You are going to modify Zimbra template files, used to build the configuration files of Nginx. Take some backups!!
- All the files are located in
/opt/zimbra/conf/nginx/templates
. -
<
, config being replaced -
>
, new config
You have to make this modifications
# nginx.conf.web.template
< ${web.login.upstream.disable} ${web.upstream.loginserver.:servers}
< ${web.login.upstream.disable} ${web.ssl.upstream.loginserver.:servers}
---
>
> ${web.login.upstream.disable} server localhost:9292 fail_timeout=60s version=8.6.0_GA_1153;
> ${web.login.upstream.disable} server localhost:9292 fail_timeout=60s version=8.6.0_GA_1153;
# nginx.conf.zmlookup.template
< zm_lookup_handlers ${zmlookup.:handlers};
---
> zm_lookup_handlers localhost:9292/service/extension/nginx-lookup;
Next restart. You should restart memcached and nginx, but just to be sure:
$ zmcontrol restart
Starting Zimbra Wall
$ bundle exec bin/zimbra_wall -d zboxapp.dev -f /tmp/users.yml -m 192.168.50.10 -a 0.0.0.0 -p 9292 --mailbox-port 8080
Options
-
-d
, the domain, in case the user only enters the username, -
-m
, One of the mailboxes, -
-f
, theYAML
map file, with the list of users on the--newmailbox
, -
-p
, the bind port -
-a
, the bind address -
--mailbox-port
, the mailbox port
The Map File
It's a simple YAML file with a email:zimbraId
pair, like
max@example.com: "7b562c60-be97-0132-9a66-482a1423458f"
moliery@example.com: "7b562ce0-be97-0132-9a66-482a1423458f"
watson@example.com: "251b1902-2250-4477-bdd1-8a101f7e7e4e"
sherlock@example.com: "7b562dd0-be97-0132-9a66-482a1423458f"
Updating the file does not require a restart.
You can get the zimbraId
with:
$ zmprov ga watson@example.com zimbraId
Error in Map File
If you have an error in your file, Zimbra Wall
will return the on memory Map, this way we can keep the service up. In this event you should see this on STDOUT
:
ERROR Yaml File: (./test/fixtures/users.yml): could not find expected ':' while scanning a simple key at line 7
Init scripts
In the examples
directory you have the following files:
-
zimbra_wall
, to start the server on port 9292
Copy the file to the /etc/init.d/
directory and then enable the services like this:
$ chkconfig --add zimbra_wall
Monit
It may be posible that this crash for some reason, it's a new software after all. To reduce the down time we recomend to use Monit to monitor and restart Zimbra Wall
in case of trouble.
Check the examples directory for config files.
Thanks
- To the Zimbra folks for a great product, and
- @igrigorik for em-proxy
Contributing
- Fork it ( https://github.com/pbruna/zimbra_intercepting_proxy/fork )
- Create your feature branch (
git checkout -b my-new-feature
) - Commit your changes (
git commit -am 'Add some feature'
) - Push to the branch (
git push origin my-new-feature
) - Create a new Pull Request