z-push behind Basic authentication

Hi *!

I know, it’s more a question on the ActiveSync Client than on z-push, but I hope I get an answer anyway: is it possible to hide z-push behind a Basic authentication?

Currently, I use z-push with Zarafa in my Intranet only. I’m not too happy exposing it directly to the Internet, so I’d like to put a reverse Proxy ahead of z-push, but this requires Basic authentication.

Do you belive I can make this work? Is it known that ActiveSync Clients must Support Basic autentication, or is ActiveSync designed to never be behind another authentication?

Thank You!

I am by all means not an expert on the subject, but I can’t see anything in my mobile phone (android) that suggests any other type of authentication other than what’s in the activesync protocol.

I have indeed z-push exposed externally as I have no other way to do it.

That’s indeed what I see, too. My ActiveSync Client Software (MS Office, Nine) does not have a field for pre-authentication to the AS server. So I have to assume, pre-authentication is simply not part of ActiveSync. Probably, my only chance is to force requesting a client certificate. I have to look in the docs if this can be done…

Thank you anyway!

I still don’t understand why you are nervous about exposing z-push outside though.

If it goes via SSL (that is port 443) and requires authentication to log in (i.e. the Kopano username and passoword) the worse that can happen is that someone finds out the password of that particular kopano user?

But still that would be one user only, not the entire company.

And plus users should be careful with their passwords!

It isn’t dissimilar from Office 365 or whatever… they too have to allow for this…

Hello @itserv ,

for a matter of fact ActiveSync clients already use Basic Auth to login to the server. That is how authentication is supposed to work. If it makes you feel better, you could add an additional layer of basic auth in the webserver, but this will only work if this uses the same credentials as kopano (which can be done if you use ldap for login).

For an additional layer of security ssl client certificates could be used. the downside of this is that not all clients do support that.

Thank you, Felix.

I’ll probably go with the client certificates.

I run my Zarafa server behind a authenticating reverse proxy, as I want to reduce the attack surface of my company. For that reason, I’d like to protect z-push too. Client certs seem to be a fair chance.


As @fbartels pointed out - you can do this using LDAP

In my case - I use AD to authenticate the users. I have created an AD Group called SyncUsers and I add those who are allowed to sync devices to that group

I defined 2 authorization aliases for LDAP - one for full email and the other for username - to cover the two ways a device might have a user identifier configured

# Define authentication providers
<AuthnProviderAlias ldap adSyncuserByUsername>
        AuthLDAPBindDN apache_auth@domain.mine
        AuthLDAPBindPassword "password"
	AuthLDAPURL "ldap://DC1.domain.mine:3268 DC2.domain.mine:3268/?sAMAccountName?sub?(memberOf=cn=SyncUsers,cn=Users,dc=domain,dc=mine)"

<AuthnProviderAlias ldap adSyncuserByEmail>
        AuthLDAPBindDN apache_auth@domain.mine
        AuthLDAPBindPassword "password"
        AuthLDAPURL "ldap://DC1.domain.mine:3268 DC2.domain.mine:3268/?userPrincipalName?sub?(memberOf=cn=SyncUsers,cn=Users,dc=domain,dc=mine)"

<Location /Microsoft-Server-ActiveSync>
        AuthName "Secured Area AS"
        AuthType Basic
        AuthBasicProvider adSyncuserByUsername adSyncuserByEmail 
        # Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
        AuthUserFile /dev/null
        Require valid-user
        Require all denied

The device will automatically pass over the authorization

Hi @liverpoolfcfan ,

I am actually not totally sure if the possibility to login via both email and username is something specific to your Zimbra backend.

That being said, I have used the following for quite a while with my setup:

AuthName "Please login with your credentials"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative Off
AuthLDAPBindDN "Benutzer-mit-Lesezugriff"
AuthLDAPBindPassword "ldap-password"
AuthLDAPURL ldap://,dc=local?uid?sub?(&(objectclass=kopano-user)(kopanoEnabledFeatures=z-push))
AuthUserFile /dev/null
require valid-user

The original idea for why I used this is obsolete by now (Z-Push detects enabledfeatures directly now).

But then again: you already get a basic auth dialogue, when opening z-push, so I am not really convinced this adds much more security.

The benefit is that it blocks unauthorized persons at the web server level without needing to start a z-push session at all

Felix, liverpoolfcfan,

thank you very much, this is awesome and gives another layer of security, as the block will be before accessing z-push at all.