#1 (permalink)
01-08-2006, 04:38 PM
Intermediate Member
Posts: 19
Zimbra behind NAT firewall

Here is how my server is configured:

linux1 = NAT Firewall
zimbra = Zimbra Server

linux1 uses iptables to forward the following ports:
25 -> zimbra:25
8080 -> zimbra:80
2222 -> zimbra:22
linux1 runs its own webserver (apache2) on port 80.
Code:
root@linux1 # iptables -t nat -L -n

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             X.X.X.X       tcp dpt:8080 to:192.168.11.3:80
DNAT       tcp  --  anywhere             X.X.X.X       tcp dpt:25 to:192.168.11.3:25
DNAT       tcp  --  anywhere             X.X.X.X       tcp dpt:2222 to:192.168.11.3:22

192.168.11.3 is the zimbra server's IP address. I have masked linux1 server's external IP address with x.x.x.x for privacy.

Zimbra is working fine when accessed from LAN as zimbra.lan. However I am unable to access Zimbra server from outside.

With the port 8080 on linux1 (which is also visible as mydomain.com from internet) being forwarded to port 80 on zimbra, I was expecting that visiting http://mydomain.com:8080 from outside network, would enable me to access the web mail. As expected the login page shows correctly, but after I enter userid/password, it shows

"An unexpected error has occurred. Please correct any errors and retry. If the problem persists please contact your System Administrator. (service.FAILURE)"

Can you please help?

Last edited by amitbapat; 01-08-2006 at 04:45 PM..
#2 (permalink)
01-08-2006, 05:06 PM
Intermediate Member
Posts: 19
Zimbra Version

Sorry for replying to my own post, the zimbra version I'm running is 3.0.0_M3_436.FC4-20060106155236
#3 (permalink)
01-08-2006, 05:09 PM
Zimbra Employee
Posts: 2,103
solutions

So, after you log in, the zimbra server redirects your browser back to
http://hostname/zimbra/mail - which is failing, since you're not on port 80 - so, after you log in, you can manually add :8080 to the url:
http://hostname:8080/zimbra/mail - that should let you in.

That's a temporary solution, tho - if that works, add the proxyPort=8080 directive to /opt/zimbra/tomcat/conf/server.xml in the http connector section, and restart tomcat - that should get you going.
#4 (permalink)
01-08-2006, 08:22 PM
Intermediate Member
Posts: 19
Login failure

I think the request never reaches the zimbra server to login, something fails even before doing authentication on the server side.

After logging in from http://mydomain.com:8080/ page I tried manually entering http://mydomain.com:8080/zimbra/mail and it takes me back to http://mydomain.com:8080/zimbra and shows an empty login screen.
#5 (permalink)
01-08-2006, 08:38 PM
Intermediate Member
Posts: 19
Still fails

I added proxyPort="8080" in /opt/zimbra/tomcat/conf/server.xml, login still fails with the same error.
Code:
  <Service name="Catalina">
    <!-- user services connector, no SSL -->
        <!-- HTTPBEGIN -->
    <Connector port="80"
        enableLookups="false" redirectPort="443"
        maxThreads="100" minSpareThreads="100" maxSpareThreads="100" proxyPort="8080" />
<!-- HTTPEND -->
    <!-- user services connector, SSL -->
:
:
#6 (permalink)
01-08-2006, 09:21 PM
Zimbra Employee
Posts: 2,103
errors in the log?

Any errors in /var/log/zimbra.log?
#7 (permalink)
01-08-2006, 09:30 PM
Intermediate Member
Posts: 19
some more

I stopped the apache2 on my linux1 box, and forwarded port 80 to zimbra box, in this case everything works as expected.

This tells me that if zimbra server is on same port (80 in this case) as the forwarded port, zimbra has no problems.

Is it possible to move the zimbra server to port 8080? How do I do that?

Thanks
amit
#8 (permalink)
01-08-2006, 09:31 PM
Zimbra Employee
Posts: 2,103
moving web port

Search the forums, it's been covered.
#9 (permalink)
01-09-2006, 08:51 AM
Special Member
Posts: 140

amitbapat,

What about using https to access the Zimbra web UI? That way you can leave your web server as is using port 80, and then you just access it by https://yourdomain.com

If you want to use https, have a look here; it is painless, honest.
#10 (permalink)
01-09-2006, 12:55 PM
Intermediate Member
Posts: 19
Solved with Apache mod_proxy

Here's how I have solved this problem, without changing ANYTHING on the zimbra server. The only thing I did was add a NameVirtualHost on apache running on the linux1 box and use mod_proxy for forwards.

I added a new sub-domain webmail.mydomain.com. This is a CNAME entry and points to the same server mydomain.com (or linux1 on my LAN).

Here's how the config looks:
'lan' is my local intranet domain. I run a local DNS for my intranet. Hence I don't have to use IP addresses in the ProxyPass.
You need the mod_proxy module enabled for apache (on linux1).
On linux1 box (which also hosts my web server for *.mydomain.com)
Code:
UseCanonicalName Off
NameVirtualHost *:80

<VirtualHost *:80>
ServerName www.mydomain.com
DocumentRoot /var/www/www.mydomain.com/htdocs
ScriptAlias /cgi-bin /var/www/www.mydomain.com/cgi-bin
</VirtualHost>
:
:
# Redirect traffic to/from webmail.mydomain.com to zimbra.lan
<VirtualHost *:80>
ServerName webmail.mydomain.com
ProxyPass / http://zimbra.lan/
ProxyPassReverse / http://zimbra.lan/
</VirtualHost>

As stated earlier, the zimbra.lan server is not visible directly from outside.
I am now forwarding ports 25 and 993 (only IMAPS) from the outside world to zimbra.lan using bastille-firewall (iptables) on linux1. I am able to send and receive mail fine. The web mail interface works like a charm with this setup.

This way I didn't have to change ports of any of my existing sites and I get to use full functionality of Zimbra server without modifying the default configuration.

The beauty of this setup is I can still keep using my SquirrelMail (which I run on www.mydomain.com/squirrelmail) and only change its config to use the zimbra.lan IMAP server instead.

I have seen so much discussion on this forum on the forwarding issue, and I hope many people will find this kind of setup useful.


Thanks to all who helped me with this.

Zimbra Rocks!

-amit
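
The redirect behaviour described in post #3 and the effect of the ProxyPassReverse line in post #10, as an added Python sketch that is not part of the thread. `proxy_pass_reverse` is a simplified model of the Location rewrite (not Apache's code), and the redirect URLs are constructed from the hostnames used in the thread; the check flags any redirect that would send the browser away from the origin it connected to, which is also how an internal hostname leaks to outside clients.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url, fallback_scheme="http"):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme or fallback_scheme
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)


def proxy_pass_reverse(location, backend_prefix, public_prefix):
    """Simplified model of ProxyPassReverse: a redirect that points at the
    backend prefix is re-anchored at the public prefix; others pass through."""
    if location.startswith(backend_prefix):
        return public_prefix + location[len(backend_prefix):]
    return location


def redirect_stays_public(location, public_url):
    """True if the redirect keeps the browser on the origin it connected to."""
    if not urlsplit(location).netloc:      # relative redirect: same origin
        return True
    scheme = urlsplit(public_url).scheme
    return origin(location, scheme) == origin(public_url)


def audit(cases):
    """Return the labels of cases whose redirect leaves the public origin."""
    return [label for label, public_url, location in cases
            if not redirect_stays_public(location, public_url)]


# Constructed cases: (label, URL the client used, Location header it receives)
CASES = [
    # DNAT 8080 -> 80: the backend builds the redirect without the :8080
    ("dnat-8080", "http://mydomain.com:8080/",
     "http://mydomain.com/zimbra/mail"),
    # ProxyPass alone: the backend's own name reaches the client
    ("proxy-no-reverse", "http://webmail.mydomain.com/",
     "http://zimbra.lan/zimbra/mail"),
    # ProxyPass + ProxyPassReverse: the redirect is rewritten to the public name
    ("proxy-with-reverse", "http://webmail.mydomain.com/",
     proxy_pass_reverse("http://zimbra.lan/zimbra/mail",
                        "http://zimbra.lan/", "http://webmail.mydomain.com/")),
]

if __name__ == "__main__":
    print("redirects leaving the public origin:", audit(CASES))
```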