Install Webmail on MTA server?

[mmorse]

"I am basing my setup off information my manager and a zimbra contact worked up"

So are you going to be a network edition user? If so there's professional services available from zimbra to get you setup-I almost need a network diagram to help you further...

We are Network Edition currently. We currently have issues with our license which I hope will be resolved soon. (My Manager is tracking that. The Zimbra support information I have on that issue is "Case 00014674: Chockstone - License running out? ")

I am not used to extra support, which is why I've been using the forums and wiki. If you really want a network diagram, I can see what I can arrange. Where should it be sent and in what format?

BTW I don't work for zimbra/I can't see your salesforce tickets.
(The moderators are not zimbra employees-makes for better impartiality that way.)

If you want-you could attach a basic diagram/pic to this thread.
(Be sure to edit out most of the IP addresses as you see fit.)

[jeffreyheinen]

You know, I wondered about the difference in "Moderator" and "Zimbra Employee" titles. I had thought it just a glitch/feature of the boards.

I like your explanation better.

I'll go ask for a "public consumption" network diagram, and see what response I get. In the mean time, let me qualify some of the words I use and how they fit in the network (as I understand it). I should have done this at the beginning, and I'm sorry for the confusion I've caused.

Our firewall is very restrictive. Everything on the internal side of it is a private IP, even what we refer to as "DMZ" networks. If we need a publicly accessable IP, we install explicit allow rules to pass that IP and port combination.

So, when I say DMZ, It is still a protected network, but external IP's are allowed to be routed there. It has private addresses, with ports in the firewall open only for specific IP/Port pairs.

The "Server Network" is on a different block of private IP's, and ports need to be opened in the firewall between it and the DMZ network. The firewall will not allow direct access to the Server Network.

A simplified layout.

Internet
+ Firewall
++ Mail DMZ
+++ Zimbra MTA
+ Main Router/Switches
++ Server Network
+++ Zimbra LDAP/Mailstore


Sorry I can't be more clear, I don't understand totally how it works or accomplishes this. I just know what I'm trying to work around.

So what do you think? Am I on the right path or should I scrap it all?

[jeffreyheinen]

Ok, I "uninstalled" by shutting down the servers, running "install.sh -u" on the installer. And removing the /opt/zimbra directories. I did not remove users and groups, the log files, or the /tmp files just in case I needed to find some data. (Possible Mistake #1? : Does it read from /tmp on reinstall?)

I then followed the Multiple-server installation documentation. Installing ldap and mailbox server on one, and MTA on the other. On the MTA, I also added zimbra-store and enabled POP/IMAP proxy. One question is, does POP/IMAP proxy need to be on /every/ server, so that it sets the ports correctly, or just on the ones that do not have a mailbox running?

I then preformed basic setup (account provisioning, CoS creation etc.) As well as setting up Split Domain as a secondary system. All of that works successfully.

Note: libexec/zmfixperm needed to be edited because perdition has a .1 patch number now. The rrdtool directory needed to be emptied and removed, and recreated as a symbolic link to the rrdtool-RELEASENUMBER directory.

The install automatically started the mailbox service on the MTA. This causes some problems for account provisioning if you don't fix it in the CoS, and it is not on the list of needed services posted earlier in the thread. So I disabled it in the admin screen. (Possible Mistake #2?)

That is where I stand, tomcat fails to start because of (what I find out to be later) mysql.sock connection problems. It is my theory that it is why I can not authenticate to perdition and why the webmail is not answering. However, what I do not know is if mysql is needed, given that it is not storing mail, just forwarding/proxying.

I think I have a better idea of what is going on now at least. I will see about creating a support ticket, or asking my manager to.

Thanks for all your help, even tho it was derailed me and my confusion.

[mmorse]

Sound's like your having some fun, how have you decided implement the web client proxy? (perdition is just imap & pop)
Back to the original/main question-going to modify tomcat to proxy the web connections? apache/other software?

If you hit the wrong mailstore and 'always send referrer' is set, after login zimbra will redirect you to the appropriate mailstore-but that's not the same as a proxy (as you don't want any communication from the outside world directly to your server net)

Not to be a downer but my ramble:
A http/s proxy on that outside mta to me just means now your just wasting resources/time with one more step on traffic that's going to get to your mailstore anyway-just a little bit delayed...
And if your thinking: 'well if someone crashes our mta we can still access mail' True, but there's no mta to deliver even local mail so your ground to a halt anyway.

Now if you had both mta & mailstore in your cornered off server net and another device/server to proxy everything I could see the point; if that outside box goes down you still have mail access & local delivery.
-I'm a fan of F5's BIG-IP (you can throw traffic at one address and it will sort, filter, local cluster etc) ya there's tons of products that do this.
But your goal of splitting the load, then putting load back on that mta as a proxy service boggles my mind.

So 'better' options as I see it now that I understand your end goal/network setup:

A) 2 box setup:
If you don't mind separate addresses for incoming/outgoing in imap/pop connections- Both in a location that you can route a public address too. At most you open MTA:25, Mailstore/LDAP:80/443(web) 143/993(imap) 110/995(pop if desired), (389 ldap if you choose to allow thick clients GAL access)
And if you expand to more mailservers-add perdition into the setup.

B) 3 box/device setup:
Both MTA&Mailstore in your protected net - a proxy box/device in front

(Remember your goal was to separate mta & mailstore into a multi-server deployment for load. BTW you never gave # of users/mail traffic stats?)

[jeffreyheinen]

Sound's like your having some fun, how have you decided implement the web client proxy? (perdition is just imap & pop)
Going to modify tomcat to proxy the web connections? apache/other software?

That was the original point of this topic. How am I supposed to do that?

Not to be a downer but my ramble:

I don't find it a downer in the least. I'm just trying to implement it in the way it was requested of me. I've sent this along to my manager, and we will see if that changes the specs any.

(Remember your goal was to separate mta & mailstore into a multi-server deployment for load. BTW you never gave # of users/mail traffic stats?)

True, and also with the intent of being able to manage growth better. I think we also had a flawed understanding of what zimbra can and can not do and how it likes to communicate. (Every server, but LDAP wants to be a peer.) Hopefully we can make adjustments that will make life better in the future.

This might be a start of another topic, but for reference we have about 50-60 users (and growing at about 5 a quarter.). A handful of those are very heavy users at several thousands emails a day, but most users are fairly average. I have two servers running RHEL 5, one of which has a RAID 10 (which I use as the mailbox store). Security is a large concern here, and sometimes it over-rides usability and manageability concerns.

So, if we forget the specifics of our (self-inflicted) network complexities.. what would you do if you were given those numbers? What do you think would be the best setup? Both for now, and potential growth in the future? Still the "Medium" option in the Multiple Server Configuration examples?

I can always recommend changes by experts, and maybe someone else is in a similar situation that can be helped out.

[mmorse]

That is unique-60 users would typically definatly be a single server setup but "A handful of those are very heavy users at several thousands emails a day," so I can see why you planned to offload the mta.

I think this will be some good reading for you (especially as you we're kinda asking about the use of LDAP & LMTP): /pdf/Zimbra Architectural Overview.pdf

[jeffreyheinen]

Yep, it is always the edge cases that cause problems for the rest of us.

I'm not surprised that we are starting off with a little overkill. But is it, at least, in the right direction?

[mmorse]

so maybe mod_proxy/mod_jk on that outside mta box for web-client access...