[horde] Blocking Active Sync Client

Jan Schneider jan at horde.org
Fri Mar 13 14:38:43 UTC 2015


Quoting Arjen de Korte <arjen+horde at de-korte.org>:

> Quoting Jan Schneider <jan at horde.org>:
>
>> Quoting Samuel Wolf <samuel at sheepflock.de>:
>>
>>> Quoting Klaus Steinberger <klaus.steinberger at physik.uni-muenchen.de>:
>>>
>>>> Hi,
>>>>
>>>> we want to block for all users some types of Client. Especially the
>>>> Microsoft/Acompli Outlook App.
>>>>
>>>> I can block a client for a single user after he has connected, but I
>>>> want to block this App for any user and forever.
>>>>
>>>> Reason: The APP doesn't access Active Sync directly, instead they use
>>>> a bunch of servers at the Amazon Cloud. The bad thing is that the
>>>> password will be stored at the Amazon Cloud.
>>>>
>>>>
>>>> The App (or better the servers behind) show up like this (the ID is user
>>>> dependent):
>>>>
>>>>
>>>> Id: 289C17FE1CA68940
>>>> Policy Key: 0
>>>> Programm: Outlook-iOS-Android/1.0
>>>> Modell: Outlook for iOS and Android
>>>> Eindeutiger Name: Outlook for iOS and Android
>>>> OS: Outlook for iOS and Android 1.0
>>>> EAS Version: 14.1
>>>> Gespeicherter Heartbeat (Sekunden): 540
>>>>
>>>> Sincerely,
>>>> Klaus
>>>>
>>>> --
>>>> Rechnerbetriebsgruppe / IT, Fakultät für Physik
>>>> Klaus Steinberger
>>>> FAX: +49 89 28914280
>>>> Tel: +49 89 28914287
>>>> --
>>>> Horde mailing list
>>>> Frequently Asked Questions: http://horde.org/faq/
>>>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>>>
>>> Hi Klaus,
>>>
>>> Not exactly what you want, but maybe an idea.
>>> I allow only special clients via Apache config:
>>>
>>> ##########################################################################
>>>       <Directory /var/www/https/horde/>
>>>               Order Deny,Allow
>>>               Deny from All
>>>
>>>               <Files "rpc.php">
>>>                       SetEnvIf User-Agent "Android/4.0.4-EAS-1.3" smartphone
>>>                       SetEnvIf User-Agent "motorola-XT910/1.0" smartphone
>>>                       SetEnvIf User-Agent "motorola-XT890/1.0" smartphone
>>>                       SetEnvIf User-Agent "Android/4.1.1-EAS-1.3" smartphone
>>>                       SetEnvIf User-Agent "Android/5.0.2-EAS-2.0" smartphone
>>>                       Order Deny,Allow
>>>                       Deny from All
>>>                       Allow from env=smartphone
>>>               </Files>
>>>
>>>       </Directory>
>>> ##########################################################################
>>>
>>> Samuel
>>>
>>
>> Alternatively you can create a preauthenticate hook that sniffs on the
>> global $browser object.
>
> I don't think either of these solutions will prevent from happening
> what the topic starter intends to do. The username and password may
> have been stored in the Amazon Cloud before the connection is made
> (and probably even if the connection fails).
>
> To make sure that the username/password combinations can't be abused,
> you'd need to block user accounts once you find that they are accessed
> through this service, rather than just blocking ActiveSync sessions
> (the damage has been done already by that time).

That's what a preauthenticate hook does.

> Be sure to inform your users (and helpdesk) about this policy, since my
> guess is that this will lead to users calling support why their
> accounts have been blocked.

Indeed. I'm not sure if we destroy the session after a failing
preauthenticate hook, but if not, he can push a $notification in the
hook too.

-- 
Jan Schneider
The Horde Project
http://www.horde.org/
https://www.facebook.com/hordeproject
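
Added example, not part of the original thread and not Horde project code: a sketch of the preauthenticate hook suggested above, refusing logins whose User-Agent matches the "Outlook-iOS-Android" string Klaus posted. It assumes the hook lives in horde/config/hooks.php as `Horde_Hooks::preauthenticate($userId, $credentials)` and fails the login when it returns false, and that the global `$browser` object offers `getAgentString()`; the helper `eas_agent_is_blocked()` and the log wording are hypothetical.

```php
<?php
// Added example (not Horde project code). Assumed location: horde/config/hooks.php

/**
 * Hypothetical helper: true if the User-Agent matches the deny list.
 * 'Outlook-iOS-Android' is the "Programm" value shown in the thread.
 */
function eas_agent_is_blocked($agent)
{
    $denied = array('Outlook-iOS-Android');
    foreach ($denied as $needle) {
        // Case-insensitive substring match, so version suffixes like "/1.0" still hit.
        if (stripos((string)$agent, $needle) !== false) {
            return true;
        }
    }
    return false;
}

class Horde_Hooks
{
    // Assumed contract: returning false makes authentication fail.
    public function preauthenticate($userId, $credentials)
    {
        // Prefer Horde's global $browser object; fall back to the raw header.
        if (isset($GLOBALS['browser'])) {
            $agent = $GLOBALS['browser']->getAgentString();
        } else {
            $agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
        }

        if (!eas_agent_is_blocked($agent)) {
            return true;
        }

        // Both values are attacker-controlled: strip non-printable bytes
        // before logging so they cannot forge extra log lines.
        $safeAgent = preg_replace('/[^\x20-\x7E]/', '?', (string)$agent);
        $safeUser  = preg_replace('/[^\x20-\x7E]/', '?', (string)$userId);

        // The password has already reached the third-party service by now,
        // so this line is the helpdesk's list of accounts needing a reset.
        error_log(sprintf('EAS policy: refused "%s" for user "%s"', $safeAgent, $safeUser));
        return false;
    }
}
```

The User-Agent is supplied by the client, so this check enforces policy against clients that identify themselves honestly and produces the audit trail for follow-up on affected accounts.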


