03-21-2007, 10:31 AM
| | Intermediate Member | |
Posts: 19
| | Topology of new installation
I'm planning a new Zimbra installation and thought I'd run my proposed network layout past everyone here...
We will be getting a T1 installed soon. So I plan to put the mail server on the end of this - outside of our LAN's firewall.
i.e.
Does this make sense do you think? Or should I be putting the Zimbra server inside the firewall?  | 
03-21-2007, 10:55 AM
| | | My server sits on the public internet. I have an IPTables firewall protecting all ports that are not essential for service. The Linux firewall is quite robust if configured properly, and I don't see a real need to protect the system with a firewall appliance. Most firewalls are just running a slimmed down & hardened version of Linux anyways.
OOPS. Just looked at your diagram closely... I REALLY wouldn't put the thing behind a NAT'ing firewall because that will cause more headaches than it could possibly solve.
Last edited by AimanA; 03-21-2007 at 10:56 AM..
Reason: I didn't read the diagram... oops
| 
03-21-2007, 10:55 AM
| | Trained Alumni | |
Posts: 193
| | Are you planning to at least have a firewall running on the server? I personally would not put a server outside of any firewall. But that's just me. | 
03-21-2007, 11:50 AM
| | Intermediate Member | |
Posts: 19
| | Yes, the reason I've put it outside the firewall is to avoid NATing.
This caused me loads of problems on a test server I set up. In fact, I couldn't get it to work and gave up.
I can set up a firewall on the Zimbra server as AimanA suggests. I haven't set up IP Tables before though. I think I'd use firestarter to set that up.
Does this setup make sense?
What do most people do? | 
03-21-2007, 11:55 AM
| | | What flavor of Linux are you setting this up on? Most distros come with a firewall configuration utility that is pretty robust. I know that SuSE and RedHat both have excellent ones.
Basically you want to specify the firewall as "on" and specify port exceptions for your MTA (25), Web front end (80), or HTTPS (443), ZCSAdmin (7071), and POP or IMAP ports. Personally, I have my SSH and ZCSAdmin ports open only to specific IPs, but that's a fairly advanced config.
If you tell me what distro you are using I can probably point you at the config utility. | 
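The port policy AimanA describes above (mail, web and POP/IMAP ports open to everyone, SSH and ZCSAdmin open only to specific source addresses), written as an iptables-restore ruleset generator; this is an added example, not part of the original thread. The admin network 203.0.113.0/24, the POP/IMAP port numbers, the ICMP rule and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for the policy in the post above.
# ADMIN_NET is a constructed placeholder (RFC 5737 documentation range).
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"
# MTA, web, HTTPS from the post; POP3/IMAP and their SSL variants are assumed numbers.
PUBLIC_TCP="25 80 443 110 143 993 995"
# SSH and ZCSAdmin: reachable only from the admin network.
ADMIN_TCP="22 7071"

valid_cidr() {
    # Shape check only (a.b.c.d or a.b.c.d/nn); rejects anything that could
    # smuggle extra rule text into the generated ruleset.
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

zimbra_rules() {
    admin="$1"
    valid_cidr "$admin" || { echo "invalid admin network: $admin" >&2; return 1; }
    echo "*filter"
    echo ":INPUT DROP [0:0]"       # default deny: the firewall is "on"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $PUBLIC_TCP; do       # port exceptions open to any source
        echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $ADMIN_TCP; do        # exceptions limited to the admin source network
        echo "-A INPUT -p tcp -s $admin --dport $p -m state --state NEW -j ACCEPT"
    done
    echo "-A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
    echo "COMMIT"
}

# Dry-run check as root, without loading anything:
#   zimbra_rules "$ADMIN_NET" | iptables-restore --test
```

Load the ruleset from a console session or with a timed rollback in place, since a wrong admin network locks out SSH.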
03-23-2007, 07:08 AM
| | Intermediate Member | |
Posts: 19
| | I haven't decided 100% on the distro yet.
I was originally going to use CentOS, but I was thinking that if I ever upgraded to one of the paid-for versions I might struggle to get official support.
Because of this, I was thinking of using Red Hat or Suse (which are supported).
I was also considering Ubuntu because I have used this before, however it still isn't officially supported - although this is in the pipeline I think. | 
03-23-2007, 07:18 AM
| | Zimbra Consultant & Moderator | |
Posts: 19,653
| | Ubuntu LTS is currently in beta (not supported but we want feedback) and will probably go GA soon(ish), if you want to use CentOS then you could always move to RHEL later if you upgrade to NE.
__________________
Regards
Bill
| 
03-23-2007, 07:20 AM
| | | SLES 10 is a great platform, as is RedHat. SUSE & RedHat have a less expensive support option where you can buy the basic server with 1 year of upgrades (patches, etc) for $349. Obviously this does not include phone support, but RH has 2 day response email support, and SuSE has online/forum support which is very good.
Personally, I have administered both SuSE SLES10 and RedHat RHEL4 in enterprise production environments, and I must say that I MUCH prefer SLES over RedHat. (Many have asked why I prefer SuSE to RH, and it is because of the quality of their technical support. I've spoken to a couple of RH "engineers" that were pretty much booger eating morons with a "paper" RHCE that knew squat about Linux in the real world. Also, SLES has an awesome configuration tool, YaST.)
SLES10: http://www.novell.com/products/server/howtobuy.html
RHEL4: https://www.redhat.com/apps/store/server/rhel.html
Last edited by AimanA; 03-23-2007 at 07:24 AM..
| 
03-23-2007, 07:26 AM
| | Zimbra Consultant & Moderator | |
Posts: 19,653
| | SLES 10 isn't supported for NE installs (yet).
__________________
Regards
Bill
| 
03-23-2007, 07:44 AM
| | | Quote:
Originally Posted by phoenix: SLES 10 isn't supported for NE installs (yet). |
Yeah, unfortunately, I know. That's why I'm holding off on my recommendation for this migration that I am consulting on. |