Zimbra behind NAT firewall
Here is how my server is configured:
linux1 = NAT Firewall
zimbra = Zimbra Server
linux1 uses iptables to forward the following ports:
25 -> zimbra:25
8080 -> zimbra:80
2222 -> zimbra:22
linux1 runs its own webserver (apache2) on port 80.
192.168.11.3 is zimbra server IP address. I have masked linux1 server's external IP address with x.x.x.x for privacy.
root@linux1 # iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere X.X.X.X tcp dpt:8080 to:192.168.11.3:80
DNAT tcp -- anywhere X.X.X.X tcp dpt:25 to:192.168.11.3:25
DNAT tcp -- anywhere X.X.X.X tcp dpt:2222 to:192.168.11.3:22
Zimbra is working fine when accessed from the LAN as zimbra.lan. However, I am unable to access the Zimbra server from outside.
With port 8080 on linux1 (which is also visible as mydomain.com from the internet) being forwarded to port 80 on zimbra, I was expecting that visiting http://mydomain.com:8080 from an outside network would enable me to access the web mail. As expected, the login page shows correctly, but after I enter userid/password, it shows
"An unexpected error has occurred. Please correct any errors and retry. If the problem persists please contact your System Administrator. (service.FAILURE)"
Can you please help?
Solved with Apache mod_proxy
Here's how I have solved this problem, without changing ANYTHING on the zimbra server. The only thing I did was add a NameVirtualHost on apache running on the linux1 box and use mod_proxy for forwards.
I added a new sub-domain webmail.mydomain.com. This is a CNAME entry and points to the same server mydomain.com (or linux1 on my LAN).
Here's how the config looks:
'lan' is my local intranet domain. I run a local DNS for my intranet. Hence I don't have to use IP addresses in the ProxyPass.
You need the mod_proxy module enabled for apache (on linux1).
On the linux1 box (which also hosts my web server for *.mydomain.com)
As stated earlier, zimbra.lan server is not visible directly from outside.
ScriptAlias /cgi-bin /var/www/www.mydomain.com/cgi-bin
# Redirect traffic to/from webmail.mydomain.com to zimbra.lan
ProxyPass / http://zimbra.lan/
ProxyPassReverse / http://zimbra.lan/
I am now forwarding ports 25 and 993 (only IMAPS) from the outside world to zimbra.lan using bastille-firewall (iptables) on linux1. I am able to send and receive mail fine. The web mail interface works like a charm with this setup.
This way I didn't have to change ports of any of my existing sites and I get to use full functionality of Zimbra server without modifying the default configuration.
The beauty of this setup is I can still keep using my SquirrelMail (which I run on www.mydomain.com/squirrelmail) and only change its config to use the zimbra.lan IMAP server instead.
I have seen so much discussion on this forum on the forwarding issue, and I hope many people will find this kind of setup useful.
Thanks to all who helped me with this.
Zimbra Rocks! :D
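
A fuller form of the reverse-proxy virtual host described in the post above, as an added example that is not the poster's own configuration. It assumes Apache 2.2-style name-based virtual hosts with mod_proxy, mod_proxy_http and mod_ssl loaded; the TLS virtual host, the explicit `ProxyRequests Off`, the `<Proxy>` access block and the certificate paths are additions and placeholders that do not appear in the post.

```apache
# Added example, not the poster's configuration.
# Assumes Apache 2.2 syntax, "Listen 443" set elsewhere, and that the existing
# www.mydomain.com virtual host stays as it is.
NameVirtualHost *:80

# Public plain-HTTP side only redirects, so webmail credentials are not sent
# in cleartext across the internet (assumption: TLS is wanted on the
# public side; the post proxies over plain HTTP).
<VirtualHost *:80>
    ServerName webmail.mydomain.com
    Redirect permanent / https://webmail.mydomain.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName webmail.mydomain.com

    SSLEngine on
    # Placeholder paths: substitute your own certificate and key.
    SSLCertificateFile    /path/to/webmail.mydomain.com.crt
    SSLCertificateKeyFile /path/to/webmail.mydomain.com.key

    # Reverse proxy only. Forward proxying stays off so this host cannot be
    # used as an open proxy by outside clients.
    ProxyRequests Off

    # Allow proxied requests to the one backend only (2.2 access syntax).
    # Some distributions ship a default "<Proxy *> Deny from all" block.
    <Proxy http://zimbra.lan/*>
        Order deny,allow
        Allow from all
    </Proxy>

    # Redirect traffic to/from webmail.mydomain.com to zimbra.lan
    # (these two lines are the ones from the post).
    ProxyPass        / http://zimbra.lan/
    ProxyPassReverse / http://zimbra.lan/
</VirtualHost>
```

Run `apachectl configtest` on linux1 before reloading Apache to catch syntax errors or a missing module.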