Install Webmail on MTA server?

[jeffreyheinen]

We are starting to move to a very simple, two server setup. The main server sits behind the firewall and is the LDAP and Mailbox server. The second system resides in the DMZ and is a MTA server.

What is the best way to accomplish this? Would it be possible to install the webmail, or a proxy for webmail on the MTA server? Or do I have to re-install the mailbox service and try to fix the oddities in storage, communication and mailbox storage.

[mmorse]

Turn off the MTA service on your current zimbra box...and for the new server install the core/MTA/proxy service (using the same zcs version)...then point the old box to use the new MTA...and perdition proxy/open necessary ports to the mailstore behind the firewall...then run apache or something to proxy the webclient connections to the mailstore box (perdition is just imap & pop)

or (and you didn't say) did you mean that you plan to use a new/faster box for the mailstores-do the above, then switch /opt/zimbra folders?

[jeffreyheinen]

Sorry about being unclear. We currently have an old sendmail/dovecot based setup on hardware that will be decomissioned. I have built a pair of RHEL 5 servers which are going to replace the old system. I am about to migrate users over to the ZCS once I solve a few nagging issues.

The new setup.
System 1: Full ZCS, sitting behind the firewall.
System 2. zimbra-base, zimbra-mta in the DMZ.

I had asked the network guy to open all of those ports between the servers and the mail and webmail ports to the DMZ. Are you saying that the ports are not open and that zimbra-base should proxy the webmail by default?

[mmorse]

no, the base does not act as a http(s) proxy-you'd have to modify tomcat
system 1: ldap, mailstore, logger, aspell, smtp (if desired)
system 2: mta, imap/pop proxy service(part of mailstore), antivirus, antispam, snmp (if desired)

(you know you don't have to go with a full dmz-you could just open up the necessary ports for mail to come in-but then again I don't know the rest of your network setup/policies)

[jeffreyheinen]

Is there a way to install the IMAP/POP proxy without all of the zimbra-store package? That is what I have been looking for and unable to find.

If not, are there any other gotcha's I need to keep an eye out for?
* Limit Class of Service to only create mailboxes on the mailbox server.
* Manually transfer apache keys (which I was having problems with, thus the removal of the zimbra-store in the first place.)
* Reconfirm correct network ports are open.

[jeffreyheinen]

Update: I updated system 2 and it now has the services as show above. But I'm not getting the results I expected. Perdition is running, but it dosn't seem to allow anyone to authenticate to the mailbox server. I looked at Configuring Perdition - ZimbraWiki and confirmed the correct ports, and SMTP Auth Problems - ZimbraWiki and confirmed that the auth entries were right. The firewall allows everything between the two mail servers, so that is not the either issue.

Suggestions on where else to look?

This did not address my first question either. The upgrade did not install zimbra-apache, which, I'm guessing, is where the webmail or webmail proxy is run? Is this a configureation issue because I added items as an upgrade? Should I remove everything from system 2 and start again with the MTA/Proxy system?

[jeffreyheinen]

Hrm.. I need a clairification here.. wouldn't mta be needed on system 1 as well? To route any local mail? I know you can point the webmail MTA, and the non-local mta via the admin interface, but is there something else needed to change as well if I were to turn the MTA service off?

[mmorse]

Your goal was to offload the mta-you essentially just set admin console>servers>mta tab to point at your mta

Are you fine with having people set a different outgoing and incoming address in any thick clients? If so you can ditch perdition for the time being.
mx record=the mta.box.address

Your user's only need to remember 2 addresses:
think client set the mta box for outgoing: smtp.domain.com
thick client incoming & web client access uses the mailstore box: mail.domain.com

Then if you expand, so the user is directed to their appropriate mailstore: perdition & load balancing
(and some very basic redirection for the webclient access is just zmlocalconfig -e zimbra_auth_always_send_refer=true)

BTW the multi-server install guide is here: /products/documentation.html
You seem to be jumping all over the place with upgrading, enabling, and disabling services...can you start all fresh?

[jeffreyheinen]

To answer your questions totally backwards:

I can start fresh. I've rolled my testers back to the old server for now.

I have been using the multiple server install documentation. But the "Installing Zimbra MTA on a Server" section doesn't include information on on the IMAP/POP proxy. That was where my confusion came up.

I have no problem with different names for incoming/outgoing (or even giving every service a different name.)

Some of the implicit requirements that I working around:
* Similar features or better. (Which isn't hard, given our current setup.)
* Protect the mailstore behind our filewall.
* allow webmail and IMAP to the accessable to remote users.
* laptop users have to have no issues switching between internal network and external networks. (Meaning: zimbra.domain.com has to work internally and externally, and just point to the correct server.)

That is why I don't think I can drop perdition, as the blackberry/treo users are going to want to beat on it, and the network guys will not let me open a port back into our server network.

I am basing my setup off information my manager and a zimbra contact worked up. He was told that this was possible. I showed him ZCS System Architecture - ZimbraWiki so he could see what we are discussing. He still thinks his version is more secure. And I can't say I disagree with him too much.

That all said, I am always open to suggestions and other "best practice" information. I'd rather do it correct now, then to have to redo everything at some point down the road.

[mmorse]

So their fine sitting a server in the DMZ with no protection but not opening port 80 to something behind the firewall?
(Because you are opening ports from behind the firewall to the box in the dmz anyway...)

Which begs the question: Is your dmz public ip addresses and behind the firewall private addresses only?