
Thread: Multi-domain on single server: DNS, multi-CoS, proxy and best practice

#1 batfastad

    Hi everyone

    For the past 2 years we've been using Zimbra under a single domain but I'm now looking to expand it so that Zimbra handles domains for various associates. So people who already have a Zimbra account can have an additional alias for @newdomain.com. Or create new accounts for @newdomain.com users.
    At the moment our mail server is hosted over our ADSL connection but once I have built a new machine and got this procedure up and going

    From the admin interface it looks easy to add a new domain but my questions are relating to the broader aspects of running a Zimbra server which handles multiple domains. I'd like there to be as little extra configuration needed as possible when adding new domains so I want to make sure I get it correct in my mind before I start.

    So here are my questions...

    1) Bind/named. We have bind/named running as the DNS server on our Zimbra server. This means I have to keep the local Zimbra copy of our DNS records in sync with our external DNS server (cPanel/WHM).
    Is there any way I can have the DNS records synced from our external DNS server for those domains? Or is it not worth the hassle of setting up DNS replication?

    2) Bind/named records. So to add newdomain.com to the DNS on our Zimbra server, I need to add this to named.conf...
    Code:
    zone "newdomain.com" {
        type master;
        file "db.newdomain.com";
    };
    Then create db.newdomain.com in the same way I created it for our existing domain?

    3) A records. If I want users to be able to access the server using mail.newdomain.com then I'll need to set up an A record for mail.newdomain.com to point to the server's IP address. But because I only allow communication through TLS/SSL then surely when they try to access mail.newdomain.com they'll get certificate warnings because we have the commercial SSL cert under mail.domain.com
    Is there a way to have per-domain SSL certificates to avoid these warnings?
    Or would the server then need multiple IP addresses to support the multiple SSL certs?
    I'm thinking I might not set an A record so users are forced to use our existing server address. That way they won't get any SSL warnings (which seem harder and harder to override these days!).

    4) MX records. For newdomain.com should I just create an MX record to point to mail.domain.com?
    Or should I create an A record for mail.newdomain.com pointing to the server's IP address, and have the MX record for newdomain.com pointing to that A record?
    For mail delivery and spam filters, does it make any difference that the MX record for newdomain.com is actually pointing to a different domain's subdomain (eg: mail.domain.com as opposed to mail.newdomain.com)?

    5) SPF records. We have an SPF record for our current domain which explicitly lists the only servers that can relay mail for domain.com
    For newdomain.com I could either do an include: to domain.com so it picks up the existing SPF record for domain.com
    Or I could just copy & paste the SPF record for domain.com so I have to maintain 2 identical SPF records. Not loads of work but if there's a way to slipstream it then I'd like to try. All mail from domains on the Zimbra servers will originate from the same IP addresses (our web servers and a private mail relay VPS).
    Are there any downsides to including an SPF record from another domain?
    Does it even work like that?

    6) Mail relay. All our outgoing e-mail from Zimbra gets routed through an SSH tunnel to a private postfix VPS and delivered out to the internet from there. The hostname of this private relay is mailer.domain.com
    Is there any disadvantage in having mail from newdomain.com being sent out onto the internet by a server within a different domain, eg: increased "spamminess"?
    Or is it no problem so long as mailer.domain.com is listed in the SPF record for newdomain.com?

    7) DKIM/DomainKeys. The reason we have all outgoing e-mail routed through a single external relay is that it makes it easier for us to use DKIM/DomainKeys without having to mess around with modifying any configuration files associated with Zimbra. The down-side is that internal mail isn't signed.
    Is it best practice to have a different DKIM key for each domain?
    Or could I re-use the key that we have for domain.com since the mail for both domains originate from the same server?

    8) Zimbra proxy. Do I need the Zimbra proxy service for multi-domain support?
    Eg: being able to access their mail from https://mail.newdomain.com instead of https://mail.domain.com?
    Or is Zimbra proxy mainly for multi-server uses?

    9) Per-domain global address lists. Will the GAL list all accounts on the zimbra server? Or just ones from a matching domain?
    How do hosting providers avoid exposing all hosted accounts in the GAL, yet still retain GAL functionality?

    Hope that was all clear and I'm looking forward to getting some advice on all this!

    Cheers, B
    My Zimbra Bugs Wishlist: 16411, 24567, 35676, 36430, 37770, 41872, 43733, 44384, 46383, 47759
    And a way to associate mailto: handlers with a Zimbra Prism webapp

#2 ypong

I can help address some of these issues, since I just launched a multi-antispam gateway, multi-proxy, multi-mailstore, multi-domain install using the OSE version.

    1&2 I use MS AD internally and a DNS hoster (powerdns) externally, so there's no real way for me to keep things in sync. Considering I've launched 4 separate domains in 2 months, and another 5 on the way, there's actually not that much work involved in the DNS side, as externally you only need to worry about the antispam and the proxy servers, and not the mailstores.

3. Yes, you need per domain certificates. Zimbra handles the IMAP side through nginx automatically, you just need to install the certs in the web interface (I use rapidssl, so had to append the crt, intermediate ca and final ca certs together in the web interface). You'll need to do something like "zmprov md newdomain.com zimbraVirtualIPAddress 10.10.10.7" and create the new interface on the server side, to ensure that nginx listens on the new IP and knows that when people connect on that interface, it is for newdomain.com, and can present the right certificate.

    On the smtp side, you have to manually edit /opt/zimbra/postfix/conf/master.conf.in (see Multiple SSL Virtual Hosts 6.0 - Zimbra :: Wiki).

    4. You need to create new MX records for each new domain, obviously. I took the tack of creating new A records e.g. mail.newdomain.com. I'd guess you can also use mail.firstdomain.com for all the MXs, but it means you need to make sure your spam gateway and zimbra are setup to relay appropriately.

5. Yes, SPF records work like you said, e.g. I have an SPF that reads like "v=spf1 a a:mx.firstdomain.com mx ~all", i.e. emails can originate from any A or MX record for newdomain.com, as well as the A record for mx.firstdomain.com.

    You can use e.g. check-auth@verifier.port25.com to verify your spf record once it's setup in the DNS.

    6. I don't think so, I've certainly not encountered any complaints yet.

7. Can't help with DKIM, haven't implemented it myself yet.

8. Yes, I used the proxy feature and nginx (see above).

9. By default it only shows GAL for the domain. In my case I want all my domains to see each other (I'm not an ISP, but HQ for a large organization with a number of related companies) so I had to do something different.

    Hope all this helps!
    Release 7.2.0_GA_2669.UBUNTU10_64 UBUNTU10_64 FOSS edition
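Question 5 asks whether an include: of another domain's SPF record "even works like that", and the record quoted in the reply above relies on a and mx mechanisms. As an added example (not code from either poster), here is a small SPF evaluator run over a constructed DNS table in the thread's layout, which shows that a bare "a" or "mx" inside an included record is resolved against the included domain, not the including one, and enforces the 10-lookup limit that an include chain counts towards. All names and addresses are constructed.

```python
import ipaddress
# Constructed in-memory DNS (not real records), modelled on the thread:
# newdomain.com reuses domain.com's policy via include: instead of a copy.
DNS = {
    "domain.com": {"TXT": ["v=spf1 a mx a:mailer.domain.com -all"],
                   "A": ["203.0.113.5"], "MX": ["mail.domain.com"]},
    "newdomain.com": {"TXT": ["v=spf1 include:domain.com -all"], "MX": ["mail.domain.com"]},
    "mail.domain.com": {"A": ["203.0.113.10"]},
    "mailer.domain.com": {"A": ["198.51.100.25"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 cap on DNS-querying mechanisms per check

def lookup(name, rtype):
    return DNS.get(name.lower(), {}).get(rtype, [])

def check_host(ip, domain, counter=None):
    """SPF result for sender address `ip` using `domain` in MAIL FROM."""
    counter = counter if counter is not None else [0]
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1 ")]
    if not records:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").lower().partition(":")
        if name in ("a", "mx", "include"):
            counter[0] += 1
            if counter[0] > MAX_LOOKUPS:
                return "permerror"
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(addr) in lookup(arg or domain, "A")
        elif name == "mx":
            hosts = lookup(arg or domain, "MX")
            matched = any(str(addr) in lookup(h, "A") for h in hosts)
        elif name == "include":
            # Evaluated as if for `arg`: a bare "a"/"mx" inside refers to arg.
            sub = check_host(ip, arg, counter)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no trailing "all"
```

Note that 203.0.113.5 passes for newdomain.com only because domain.com's own A record is reached through the include; if that is not intended, list the relay hosts explicitly (a:mailer.domain.com, ip4:...) in the shared record rather than relying on bare a/mx.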

#3 batfastad

    Thanks for your info!

    #1, #2
I believe my guess at the DNS with bind/named is correct. It makes sense that, when setting up an additional domain on the same server, the DNS is set up in the same way.

    #5
    SPF, solved. Good stuff, that's a better way to do it rather than just duplicating the record for origdomain.com

    #7
    I now consider the DKIM question solved as well. I upgraded to opendkim from dkim-milter on our relay server and that's made it much easier to manage multiple domains and multiple keys.

    #9
    So Zimbra handles domain-specific GALs automatically? If you're logged in from newdomain.com it will only show accounts that use @newdomain.com
    What about if there are some users that just have @newdomain.com addresses, and others that have both @domain.com with aliases of @newdomain.com?
    Is that even possible?

    So if I wanted to keep things simple at this stage, could I just have @newdomain.com users login to webmail using https://mail.originaldomain.com and connecting to IMAP/SMTP mail.originaldomain.com?

    Or if I want additional domains do I have to create A records, SSL certs and virtual hosts for the additional domain?

    This is a small-scale installation at the moment, just for our organisation so I'm not concerned about users accessing the service using a domain that's not their own.

    Cheers, B

#4 ypong

    #9 The distinct IP address is just so the web server knows which SSL certificate to present. If you have an account "user" in the domain "newdomain.com", you can login to https://mail.originaldomain.com using "user@newdomain.com", or else login to https://mail.newdomain.com using "user" without qualifying the domain (hope that makes sense).

    If you are using a mail client, then, at least for thunderbird, I had to use separate SSL certs since thunderbird doesn't play nice with "accept invalid certs" (although there's a plugin to bypass this). But if your users are just using the webmail client, you should be ok without the additional virtual hosts etc.

With regards to user1@domain.com having alias user2@newdomain.com and user3@newdomain2.com, that should work, as I have aliases for postmaster in all my domains, which point back to one admin account on the original domain.

    Yes, users in domain1.com will only see aliases and accounts (unless for the account you tick "Hide in GAL") in domain1.com

    But, I don't know what happens if you login with alias user2@newdomain.com... does it still only show GAL entries from user1@domain.com? Unfortunately I can't test for you, as I've already changed my GAL to use ROOT.

    If you get DKIM working with multiple domains, could you share your setup/installation/configuration steps? I haven't tried DKIM yet, seemed a bit awkward and I didn't know what would happen if I tried to add a second milter server (I'm already using mailarchiva), probably have to manually edit the postfix conf files again.

#5 batfastad

    Well at the moment our Zimbra server is hosted over our ADSL connection and we only have a single IP address for that. So the new-domain-specific virtual host and SSL cert stuff will have to wait for the time being.

    So since I'm not planning on having a separate virtual host for the new domain and just accessing using the existing domain, then I guess there's nothing that needs to be done to Z other than to add the new domain through the admin interface and add the users/aliases as necessary?
    Is that correct?

    We are considering moving this server to a data centre though as the balance of internal/remote users seems to be shifting. Don't even get me started on SSL certs, the extreme prejudice against self-signed certificates is ridiculous. I trust myself or anyone in our organisation much more than I trust a faceless CA!

    It will be interesting to see what happens with the GAL once I've implemented this. I'll post back with the results.

With regards to DKIM, because our server is currently hosted over our ADSL connection, we route all our outgoing mail through a private relay VPS running postfix. The mail goes through an SSH tunnel to the VPS where it is signed and sent out by postfix. I use a package called opendkim (by the same developers as the older dkim-milter) to do this, which is good at handling multiple domains and keys. I've not investigated DKIM on our Z server though as it looks like you have to modify Z's postfix config, which I'm not too happy about doing. I wish DKIM support was integrated into the Z Admin UI.

    Cheers, B

#6 ypong

Quote Originally Posted by batfastad:
> So since I'm not planning on having a separate virtual host for the new domain and just accessing using the existing domain, then I guess there's nothing that needs to be done to Z other than to add the new domain through the admin interface and add the users/aliases as necessary?
> Is that correct?

Yes, that should be it (that's how it was working for me for webmail, before I then went to the next step of requiring TLS for mail clients, which meant I had to create new IPs etc).

Quote Originally Posted by batfastad:
> We are considering moving this server to a data centre though as the balance of internal/remote users seems to be shifting. Don't even get me started on SSL certs, the extreme prejudice against self-signed certificates is ridiculous. I trust myself or anyone in our organisation much more than I trust a faceless CA!

You could distribute your own CA root cert to all users, but some devices just don't support this very well, so I gave up and went to buy some commercial certs instead. For ~$US100/year (I use a wildcard) I guess it's worth it for some peace of mind.
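Question 3 asked whether users reaching the server as mail.newdomain.com would get certificate warnings, and the reply above mentions a wildcard cert. As an added example (not code from the thread or from Zimbra), here is a hostname check following the usual client rule for wildcard names (a whole-label "*" is honoured only as the leftmost label and covers exactly one label), applied to three constructed certificate shapes: single-name, wildcard, and a SAN cert listing both domains. The certificate names and connect names are constructed.

```python
def _wildcard_matches(pattern, hostname):
    # Only a whole-label "*" as the leftmost label is honoured; partial
    # wildcards ("m*.domain.com") and inner wildcards ("mail.*.com") are
    # rejected, as modern browsers and Python's ssl module do.
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    parent = pattern[2:]
    labels = hostname.split(".")
    # The wildcard stands in for exactly one label and must not cover a bare
    # domain (domain.com) or a public suffix (*.com).
    if len(labels) < 3 or "." not in parent:
        return False
    return ".".join(labels[1:]) == parent


def hostname_matches(hostname, cert_names):
    """True if `hostname` is covered by one of the certificate's names."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if "*" in name:
            if _wildcard_matches(name, host):
                return True
        elif name == host:
            return True
    return False


def certificate_warnings(cert_names, connect_names):
    """Map each name users might connect to -> True if it would warn."""
    return {h: not hostname_matches(h, cert_names) for h in connect_names}


# Constructed scenarios from the thread (not real certificates).
SCENARIOS = {
    "single-name cert": ["mail.domain.com"],
    "wildcard cert": ["*.domain.com"],
    "SAN cert for both domains": ["mail.domain.com", "mail.newdomain.com"],
}
CONNECT = ["mail.domain.com", "webmail.domain.com",
           "mail.newdomain.com", "domain.com"]

if __name__ == "__main__":
    for label, names in SCENARIOS.items():
        print(label, certificate_warnings(names, CONNECT))
```

The wildcard only helps for hosts under domain.com; covering mail.newdomain.com on the same IP needs a SAN entry for it, or a separate certificate presented per address as described earlier in the thread.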

#7 batfastad

    Ok, got an additional domain up and running.
    Had to create a new zone file for the domain and edit named.conf. Then add the domain to zimbra.

    With regards to GAL...
    The GAL for newdomain.com only lists users with a primary address under newdomain.com
    So it doesn't list any users under olddomain.com that have aliases for newdomain.com. Which is perfectly fine and to be expected really.

    Also if I tell users to connect to IMAP and SMTP using mail.olddomain.com then they don't get certificate errors. They'd only have SSL problems if I created an A record under newdomain.com pointing to the IP of the server.

    One problem I did notice though was with the return-path header when using personas but this bug addresses this issue... Bug 51240 – wrong return-path set with external accounts / personalities

    Hope all this helps someone out. It was much easier than I thought, when not needing to bother with proxy/virtualhosts.

    Cheers, B
