We're hosting several domains on our infrastructure, Exchange and BlackBerry hosting included.
Some of our clients have a direct VPN connection into our datacenter because it's needed for their applications.
This causes the following problem:
Some Outlook clients connect to our Exchange server via direct MAPI (TCP/IP, not via RPC over HTTP), and as a result they can see every mail address from other domains.
That's why we want to prevent users from connecting their clients directly via TCP/IP. They should only connect via RPC over HTTP. Is there any way to accomplish this without preventing our BlackBerry Enterprise Server from connecting to our Exchange?
You can configure Outlook to prefer RPC/HTTPS connections instead of direct RPC even if it's available, but if I understand your question correctly, those are external clients and you don't manage them, so it would be left to the users to configure it correctly.
You can't disable MAPI access on the Exchange server, as it would block "true" internal users and MAPI services/applications (like BES).
Your only option is blocking traffic. I don't know what you are using as a VPN endpoint, but most devices can apply firewall policies to VPN traffic; just block direct access from the VPN clients to the Exchange servers and you should be fine. If you can't do this on the VPN endpoint, then your other option is configuring Windows Firewall on the Exchange servers to do the same.
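
The Windows Firewall option from the answer above, as an added example that is not part of the original post. It assumes Windows Server 2012 or later (NetSecurity module), that VPN clients arrive from the constructed subnet shown, and that they need nothing from the Exchange server except HTTPS on TCP 443; the subnet and rule name are placeholders.

```powershell
# Run in an elevated PowerShell session on each Exchange server.
# Assumptions (not from the original post): the VPN client subnet below is a
# constructed placeholder, and VPN clients only need RPC over HTTP (TCP 443).
$VpnClientSubnets = @('10.99.0.0/24')                          # constructed placeholder
$RuleName         = 'Block VPN clients - non-HTTPS to Exchange' # hypothetical rule name

# Remove an earlier copy of the rule so the script can be re-run safely.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# In Windows Firewall a block rule takes precedence over allow rules, so this
# cuts off direct MAPI/RPC (endpoint mapper on 135 plus whatever RPC ports the
# server hands out) for the VPN subnets only. TCP 443 is left out of the blocked
# ranges, so RPC over HTTP stays governed by the existing allow rules. Internal
# users and the BES host are unaffected as long as their addresses are outside
# $VpnClientSubnets.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Action Block -Protocol TCP `
    -LocalPort @('1-442', '444-65535') `
    -RemoteAddress $VpnClientSubnets `
    -Profile Any | Out-Null

# Read the rule back to confirm what is actually enforced.
Get-NetFirewallRule -DisplayName $RuleName | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        Action        = $_.Action
        LocalPort     = ($_ | Get-NetFirewallPortFilter).LocalPort -join ','
        RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    }
}
```

If the VPN endpoint translates client addresses before they reach the server, the rule has to match the translated source range instead, and the firewall profile in use on the server must be enabled for the rule to take effect.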