  #1 (permalink)  
Old 12-11-2009, 02:03 AM
Junior Member
 
Posts: 6
Default [SOLVED] security security security

Is driving me nuts.

I am testing open source ZIMBRA, and I really like it... I am a total beginner, but I am beginning to understand the way it works.

Now I want to give sales people access to the webmail in the most secure way.

So the first plan was to install 2 servers, 1 internal and 1 in DMZ.
Only the users created on DMZ can access webmail from outside, the others not...
But then I have a problem with synchronisation.

I got a hint about installing only 1 in the internal network and installing a kind of gateway server in DMZ, but I still have to figure this out..

What is now the most secure way to give access to webmail from outside the company?

Help...
Reply With Quote
  #2 (permalink)  
Old 12-11-2009, 02:07 AM
Zimbra Consultant & Moderator
 
Posts: 20,312
Default

Why not use https and just install one server on a LAN IP behind your NAT router then forward only the necessary ports to that?
__________________
Regards


Bill
Reply With Quote
  #3 (permalink)  
Old 12-11-2009, 02:22 AM
Junior Member
 
Posts: 6
Default

Is this the most secure way then?

When we use https then it is port 443 that I have to forward.

So no server in DMZ then?
Reply With Quote
  #4 (permalink)  
Old 12-11-2009, 02:27 AM
Zimbra Consultant & Moderator
 
Posts: 20,312
Default

Well, you'd need port 25 & 443 plus any submission ports that remote users use (for fat clients) such as port 587. If you want to use a DMZ then look at the Multi-Server Installation Guide in the docs link at the top of this page and see if that suits your needs better. You would be advised to use some form of auditing on your Zimbra server to make sure all is OK (including any RootKit hunters etc.) and nothing is there that shouldn't be.

BTW, what is your company policy or preference for this type of server set-up?
__________________
Regards


Bill
Reply With Quote
  #5 (permalink)  
Old 12-11-2009, 02:36 AM
Junior Member
 
Posts: 6
Default

Can I use multi user and ldap replication for example?

But LDAP replication is for all users on both servers, I suppose..

You see, I am a bit drowning in all the possibilities...

The company policy was to install 2 servers, one internally and one in DMZ.

But I am really afraid of the synchronization between these 2 servers... and the work I will have to control the system
Reply With Quote
  #6 (permalink)  
Old 12-11-2009, 03:29 AM
Partner (VAR/HSP)
 
Posts: 260
Default

Maybe just install an nginx reverse proxy in the DMZ. Caters for webmail and IMAP users.
__________________
http://www.solutionsfirst.com.au/hosting/zimbra/
Australia's premier Zimbra Hosting Partner
Resellers wanted!
Reply With Quote
  #7 (permalink)  
Old 12-11-2009, 07:34 AM
Junior Member
 
Posts: 6
Default

I will dive into the documentation to find out

thx!
Reply With Quote
  #8 (permalink)  
Old 12-11-2009, 08:12 AM
New Member
 
Posts: 3
Default Setup one email server and a dmz

Just create one server and stick it in your DMZ. Open a port on your firewall and direct SMTP traffic to it.
Open a port web/smtp or both into the DMZ from your trusted.
Now you can, on an individual basis allow people to send/receive email...

Good luck.
Brad


Reply With Quote
  #9 (permalink)  
Old 12-15-2009, 12:30 AM
Junior Member
 
Posts: 6
Default

Thanks for the replies!!

I found a real expert in Linux and he helped me through this.

We installed apache2, PHP & MySQL.

We changed apache2.conf by adding the following lines:

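# Public name of the proxy
ServerName zimbra.example.be
ServerAdmin root@zimbra.example.be
RewriteEngine On
# Forward every request to the internal Zimbra server and rewrite
# the Location headers in its responses back to the proxy's name
ProxyPass / http://192.168.9.99/
ProxyPassReverse / http://192.168.9.99/

<Location />
    Order allow,deny
    Allow from all
    AuthName "only for registered users"
    AuthType Basic
    AuthUserFile "/etc/httpd/passwd.httpd"
    # Require a login for every HTTP method; inside <Limit GET> this
    # directive would cover GET only and leave POST unauthenticated
    Require valid-user
</Location>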

We made a passwd.httpd file with username and password in it:
htpasswd -c /etc/httpd/passwd.httpd username

Restarted apache2 servers

and it worked!! Now a little fine tuning and it is up and running.

Thanks to the expert, he really taught me well!
Reply With Quote
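Added example, not part of the original posts: Apache applies directives inside <Limit> only to the methods it lists, so a Require wrapped in <Limit GET> leaves POST and other methods unauthenticated, and Basic auth credentials are only base64-encoded unless the listener uses TLS. This Python check flags both conditions in a config fragment; the function name, the constructed sample text and the assumption that the whole virtual host is passed in are introduced here for illustration.

```python
import re

# Constructed sample: a reverse-proxy config whose Require sits in <Limit GET>.
SAMPLE_CONF = """\
ServerName zimbra.example.be
ProxyPass / http://192.168.9.99/
ProxyPassReverse / http://192.168.9.99/
<Location />
AuthName "only for registered users"
AuthType Basic
AuthUserFile "/etc/httpd/passwd.httpd"
<Limit GET>
require valid-user
</Limit>
</Location>
"""

def audit_proxy_auth(conf_text):
    """Return (line_number, finding) tuples for weak auth settings."""
    # Assumption: conf_text holds the whole virtual host, so a missing
    # 'SSLEngine on' means the listener really is plain HTTP.
    findings = []
    limit_methods = None   # methods of the enclosing <Limit>, if any
    basic_line = None      # line number of 'AuthType Basic'
    tls_enabled = False
    for num, raw in enumerate(conf_text.splitlines(), start=1):
        low = raw.strip().lower()
        if not low or low.startswith("#"):
            continue
        opened = re.match(r"<limit\s+([^>]+)>", low)  # not <LimitExcept>
        if opened:
            limit_methods = opened.group(1).upper().split()
        elif low.startswith("</limit>"):
            limit_methods = None
        elif low.startswith("require ") and limit_methods is not None:
            findings.append((num, "Require covers only %s; other methods "
                             "are not authenticated" % ",".join(limit_methods)))
        elif re.match(r"authtype\s+basic\b", low):
            basic_line = num
        elif re.match(r"sslengine\s+on\b", low):
            tls_enabled = True
    if basic_line is not None and not tls_enabled:
        findings.append((basic_line, "Basic auth without 'SSLEngine on': "
                         "the password is only base64-encoded on the wire"))
    return findings

if __name__ == "__main__":
    for num, finding in audit_proxy_auth(SAMPLE_CONF):
        print("line %d: %s" % (num, finding))
```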