Prevent account creation on specific mailstore?

[bowergo]

We have 3 zimbra servers running with this intended use.

mailstore1 (1750 users/4TB storage)
mailstore2 (1750 users/4TB storage)
proxy perdition for imap/pop and tomcat for webUI ( intend 0 users)

We like giving a single URL for webUI use but I have the unexpected result of a full mail store that could have an account created on it by error. Is there a way to prevent account creation? (COS offers some control but it can be overridden manually)

I installed the mailstore because I think I need it to get tomcat.

[mmorse]

Ok so using that third box with perdition for the imap/pop users and your MTA?

On that third box instead of installing the mailstore for the web interface-why not just add a virtual host/the url you want people to connect too. Domains>Virtual Hosts tab. The virtual host requires a valid DNS configuration with an A record.

You can deploy a load balancer so that all users can log in using the same address/name instead of having to remember which server their mailbox is on.

You set up a virtual hostname of mail.example.com and configure the mail servers, mail1.example.com to mailx.example.com.

When users log on to mail.example.com, the load balancer directs the user to any one of the mail servers to verify the log on information. After successfully logging on, users are redirected to the actual server their mail is stored on. While they are logged on, all subsequent requests go directly to their server.

In order to configure load balancing for ZCS,

1. Each Zimbra servers must have a routeable address/name.
2. You must configure the virtual hostname on the administration console.
3. You must turn on the following localconfig setting on each mail server,

zmlocalconfig -e zimbra_auth_always_send_refer=true

Quote:

We like giving a single URL for webUI use

The real question is-for the web interface, are you trying to hide the url of the machine they connect to? That would be a whole other topic/method.

[bowergo]

I am not sure how our certificates would react to this layout. The current config allows us to use our self signed certificates (We install our root CA) without any error messages for the users to ignore or ask questions about. We have a different cert for each host, mail-01, mail-02 & zmail.

Currently we tell users to connect to zmail.example.com once they log in the get redirected to mail-01 or mail-02... But only the auth portion is encrypted...

No hiding the URL is not important. It will actually help a bit when users start setting up zimbra remote on phones.

[mmorse]

Quote:

But only the auth portion is encrypted...

So you have it setup so that after login they leave the https connection anyway right?
So they connect to the virtual host (on any mailstore), login, get redirected to their mailstore...So the question is does the https connection switch to http before the redirect or after....personally I couldn't tell ya, I don't make use of that method.
If your using https for the entire session-that's where wildcard certs come in handy

[bowergo]

Quote:

Originally Posted by mmorse

If your using https for the entire session-that's where wildcard certs come in handy

But the phones do not play nice with wildcard certs.

When will my karma be in balance?

[mmorse]

Is it WM5?

As Windows Mobile 5 does not support SSL certificates containing "wildcards" in URL address (for example *.company.com). This applies for AlternativeNames as well as for URL address of the server-to disable ceritificate checking in Windows Mobile 5 device:
-edit the following registry in Hkey_Current_User\Software\Microsoft\ActiveSync\Partner s\UID_Server_partnership.
-Add a new Value secure of DWORD type and set it to 0.
(UID_Server_partnership is unique ID number specifing the partnership with the specific server.)

[mmorse]

before you ask (for a registry editor if you don't have one built-in):
Mobile Registry Editor
wm5 registry editor - Google Search
The Ultimate Roundup of Registry Editors for the Pocket PC
TascalSoft - Top Page