
Thread: Implementation with a DMZ

  1. #1
    drj33, Junior Member

    Implementation with a DMZ

    Hi everyone, I'm new!

    Please, set me in the right direction:

    I'm currently looking to bring in Zimbra to replace a simple sendmail/pop3 setup. Currently everything is in the DMZ, but the general consensus here is that if Zimbra would be hosting internal documents and other sensitive, non-email items, it would be best to keep as much as possible in the internal network. We could easily allow smtp or lmtp to traverse the firewall inwards (either between the Zimbra MTA and the LMTP server on port 7025, or between an edge MTA relaying to a port 25 Postfix instance on the inside), but that fundamentally/theoretically compromises the DMZ.

    The only (complicated) workaround I've thought up would be to let the edge MTA write to mbox/maildir on an nfs exported partition, mounting that partition from the inside and pulling the messages into a perl script to re-wrap them in smtp for delivery to the inside MTA. Or instead of doing this via mbox/maildir, writing a dummy smtp server that the edge mta could relay to that would accept mail and write the SMTP conversation to file on nfs, to be picked up on the other side and be simply replayed to the internal MTA. This is possible and wouldn't be too hard, but it doesn't seem like it's been done before, so it seems like it's the wrong path (and it's a serious kludge).

    Has anyone faced this issue before? What is the best way to set this up securely?

  2. #2
    dwmtractor, Moderator

    Well, I start with the bias that the DMZ is ALSO privileged space, and I pretty severely curtail access to that network too. I only allow into the DMZ those ports that I need for Zimbra, and I block completely any attempt to access the LAN from the DMZ. The appropriate configuration for a DMZ is not to allow unfettered access there either, just to segregate that controlled space from the even-more-tightly-controlled space of your LAN.

    I would think that moving a publicly-available server into your LAN would be a bigger security risk than having some sensitive documents on a DMZ which is otherwise secured. By moving the server into the LAN you'll need to open that LAN to some external traffic--if only ports 25 and 443--and that has the POTENTIAL of compromising, not only the docs you propose to put on the mailserver, but all docs on your LAN. That does not sound to me like a move in the right direction. Remember that the whole idea is to protect yourself as much as possible if you get hacked, while in normal times regulating the inflow and outflow.

    I know this doesn't answer the "how" question, but I would seriously recommend you reconsider the "if I should."

    OH, and by the way, welcome to Zimbra and the forum!

  3. #3
    drj33, Junior Member

    dwmtractor, Thanks so much for the shift in perspective, I was definitely leaning in the wrong direction.

    The reasons we need to have Zimbra on the inside are that we'll want to eventually tie it in with our Asterisk setup, and also I will be asked to write some sort of zimlet to look up customer info in our Oracle DB, which sure as heck won't be going anywhere near a DMZ.

    So, I think I'm probably going to take the obvious and simple route at this point, which is bringing the mail in via IMAP from the DMZ. Of course this would bypass Zimbra's MTA setup, but I'm positive I can get things scanned with spamassassin/clam/etc. on the DMZ side. Of course we would still rely on the internal Zimbra MTA for internal mail. The valiases on each side would be synced up appropriately.

    Now that I think of it though, is mail imported from an external server run through the virus/spam checks?

  4. #4
    dwmtractor, Moderator

    Quote Originally Posted by drj33:
    So, I think I'm probably going to take the obvious and simple route at this point, which is bringing the mail in via IMAP from the DMZ. Of course this would bypass Zimbra's MTA setup, but I'm positive I can get things scanned with spamassassin/clam/etc. on the DMZ side. Of course we would still rely on the internal Zimbra MTA for internal mail. The valiases on each side would be synced up appropriately.

    Now that I think of it though, is mail imported from an external server run through the virus/spam checks?

    Why bring it via IMAP from the DMZ? If you really must have your Zimbra server internal, why not have an MTA--postfix or sendmail or whatever (even another Zimbra box?), that forwards email to the MTA of Zimbra on the inside?

    I can't say for sure how the spam filtering would work in this situation, but I think it would still go. I know that in my own shop I have an externally-hosted domain with a whole bunch of email addresses we don't want to retire (plus we want to keep the outside web hosting), so I have fetchmail on the Zimbra server retrieve all that mail and pass it out to the Zimbra users on a second domain. All this mail gets spam filtered just fine.

    I'm still trying to wrap my mind around your internal Zimbra server, though. Even if you were to write a zimlet that would query your Oracle database from a Zimbra server on the DMZ, couldn't you put that traffic on a custom IP port, and then write a firewall that limits traffic on that port to the Zimbra box's DMZ address only? I am not familiar with zimlet writing protocols or architecture--particularly whether the zimlet is executed server-side or client side (or if you have a choice). However I'm wondering if perhaps your zimlet (or other java applet) could execute a query client-side, which would point to your Oracle server from within the LAN even though the applet itself was served to the client from the Zimbra box.

    It would seem to me, depending on the architecture, that you still could get away with having the Zimbra box on the DMZ and accomplish your goals.

    Food for thought, anyway. . .

    Dan
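    The firewall stance from posts #2 and #4, written out as an added example (not code from the thread or from Zimbra): a three-legged firewall that admits only the Zimbra ports into the DMZ, lets the LAN reach the Zimbra box, drops and logs everything else from DMZ to LAN, and opens the single pinhole from the Zimbra DMZ address to the Oracle listener that post #4 suggests. Interface names, the 10.0.0.0/24 LAN, the 192.0.2.10 Zimbra address, the Oracle host and listener port 1521 are all assumed values.

```shell
#!/bin/sh
# Added example, not code from the thread: three-legged firewall policy for
# a Zimbra box kept in the DMZ. Only the ports Zimbra needs reach it, the
# LAN may reach it, all other DMZ -> LAN traffic is logged and dropped, and
# one pinhole lets the Zimbra address reach the Oracle listener (post #4).
# Interfaces, addresses and the Oracle port are assumed values.
set -eu

IPT="${IPT:-iptables}"                  # set IPT=echo to preview the rules
WAN_IF="${WAN_IF:-eth0}"                # assumed: Internet-facing interface
DMZ_IF="${DMZ_IF:-eth1}"                # assumed: DMZ interface
LAN_IF="${LAN_IF:-eth2}"                # assumed: LAN interface
LAN_NET="${LAN_NET:-10.0.0.0/24}"       # assumed LAN subnet
ZIMBRA_DMZ="${ZIMBRA_DMZ:-192.0.2.10}"  # assumed Zimbra address in the DMZ
ORACLE_LAN="${ORACLE_LAN:-10.0.0.50}"   # assumed Oracle server in the LAN
ORACLE_PORT="${ORACLE_PORT:-1521}"      # assumed Oracle listener port
ZIMBRA_PORTS="25 443"                   # SMTP and HTTPS, as in post #2

dmz_policy() {
    # Default deny for routed traffic; every rule below is an explicit allow.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Return traffic for flows already accepted.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Internet and LAN -> DMZ: only the Zimbra ports, only to the Zimbra host.
    for p in $ZIMBRA_PORTS; do
        $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$ZIMBRA_DMZ" \
            -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
        $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -d "$ZIMBRA_DMZ" \
            -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    # DMZ -> LAN pinhole from post #4: the Zimbra box may reach Oracle only.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -s "$ZIMBRA_DMZ" -d "$ORACLE_LAN" \
        -p tcp --dport "$ORACLE_PORT" -m conntrack --ctstate NEW -j ACCEPT
    # Everything else from the DMZ toward the LAN is logged, then dropped (post #2).
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j LOG --log-prefix "DMZ-to-LAN denied: "
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP
    # The DMZ host still needs to deliver outbound mail to the Internet.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$ZIMBRA_DMZ" \
        -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
}

# Apply only when explicitly asked, so sourcing or previewing is safe.
if [ "${1:-}" = "apply" ]; then
    dmz_policy
fi
```

    Run with `IPT=echo sh dmz.sh` to review the generated rules before applying them; DNS, NTP and package-update traffic from the DMZ host would need their own equally narrow rules.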
