
Thread: Install Webmail on MTA server?

  1. #1
    jeffreyheinen is offline Senior Member
    Join Date
    Jun 2007
    Location
    Oregon
    Posts
    51
    Rep Power
    8

    Install Webmail on MTA server?

    We are starting to move to a very simple, two-server setup. The main server sits behind the firewall and is the LDAP and Mailbox server. The second system resides in the DMZ and is an MTA server.

    What is the best way to accomplish this? Would it be possible to install the webmail, or a proxy for webmail, on the MTA server? Or do I have to re-install the mailbox service and try to fix the oddities in storage, communication and mailbox storage?

  2. #2
    mmorse is offline Moderator
    Join Date
    May 2006
    Location
    USA
    Posts
    6,242
    Rep Power
    21


    Turn off the MTA service on your current zimbra box...and for the new server install the core/MTA/proxy service (using the same zcs version)...then point the old box to use the new MTA...and perdition proxy/open necessary ports to the mailstore behind the firewall...then run apache or something to proxy the webclient connections to the mailstore box (perdition is just imap & pop)

    or (and you didn't say) did you mean that you plan to use a new/faster box for the mailstores-do the above, then switch /opt/zimbra folders?
    Last edited by mmorse; 08-16-2007 at 02:57 PM. Reason: or

  3. #3
    jeffreyheinen is offline Senior Member

    Sorry about being unclear. We currently have an old sendmail/dovecot based setup on hardware that will be decommissioned. I have built a pair of RHEL 5 servers which are going to replace the old system. I am about to migrate users over to the ZCS once I solve a few nagging issues.

    The new setup.
    System 1: Full ZCS, sitting behind the firewall.
    System 2: zimbra-base, zimbra-mta in the DMZ.

    I had asked the network guy to open all of those ports between the servers and the mail and webmail ports to the DMZ. Are you saying that the ports are not open and that zimbra-base should proxy the webmail by default?

  4. #4
    mmorse is offline Moderator

    no, the base does not act as a http(s) proxy-you'd have to modify tomcat
    system 1: ldap, mailstore, logger, aspell, smtp (if desired)
    system 2: mta, imap/pop proxy service (part of mailstore), antivirus, antispam, snmp (if desired)

    (you know you don't have to go with a full dmz-you could just open up the necessary ports for mail to come in-but then again I don't know the rest of your network setup/policies)
    Last edited by mmorse; 08-16-2007 at 02:54 PM. Reason: dmz

  5. #5
    jeffreyheinen is offline Senior Member

    Is there a way to install the IMAP/POP proxy without all of the zimbra-store package? That is what I have been looking for and unable to find.

    If not, are there any other gotchas I need to keep an eye out for?
    * Limit Class of Service to only create mailboxes on the mailbox server.
    * Manually transfer apache keys (which I was having problems with, thus the removal of the zimbra-store in the first place.)
    * Reconfirm correct network ports are open.

  6. #6
    jeffreyheinen is offline Senior Member

    Update: I updated system 2 and it now has the services as shown above. But I'm not getting the results I expected. Perdition is running, but it doesn't seem to allow anyone to authenticate to the mailbox server. I looked at Configuring Perdition - ZimbraWiki and confirmed the correct ports, and SMTP Auth Problems - ZimbraWiki and confirmed that the auth entries were right. The firewall allows everything between the two mail servers, so that is not the issue either.

    Suggestions on where else to look?

    This did not address my first question either. The upgrade did not install zimbra-apache, which, I'm guessing, is where the webmail or webmail proxy is run? Is this a configuration issue because I added items as an upgrade? Should I remove everything from system 2 and start again with the MTA/Proxy system?

  7. #7
    jeffreyheinen is offline Senior Member

    Hrm.. I need a clarification here.. wouldn't mta be needed on system 1 as well? To route any local mail? I know you can point the webmail MTA, and the non-local mta via the admin interface, but is there something else needed to change as well if I were to turn the MTA service off?
    Last edited by mmorse; 08-14-2007 at 12:39 PM.

  8. #8
    mmorse is offline Moderator

    Your goal was to offload the mta-you essentially just set admin console>servers>mta tab to point at your mta

    Are you fine with having people set a different outgoing and incoming address in any thick clients? If so you can ditch perdition for the time being.
    mx record=the mta.box.address

    Your users only need to remember 2 addresses:
    thick client set the mta box for outgoing: smtp.domain.com
    thick client incoming & web client access uses the mailstore box: mail.domain.com

    Then if you expand, so the user is directed to their appropriate mailstore: perdition & load balancing
    (and some very basic redirection for the webclient access is just zmlocalconfig -e zimbra_auth_always_send_refer=true)

    BTW the multi-server install guide is here: /products/documentation.html
    You seem to be jumping all over the place with upgrading, enabling, and disabling services...can you start all fresh?
    Last edited by mmorse; 08-14-2007 at 12:56 PM. Reason: woops not editing my post

  9. #9
    jeffreyheinen is offline Senior Member

    To answer your questions totally backwards:

    I can start fresh. I've rolled my testers back to the old server for now.

    I have been using the multiple server install documentation. But the "Installing Zimbra MTA on a Server" section doesn't include information on the IMAP/POP proxy. That was where my confusion came up.

    I have no problem with different names for incoming/outgoing (or even giving every service a different name.)

    Some of the implicit requirements that I am working around:
    * Similar features or better. (Which isn't hard, given our current setup.)
    * Protect the mailstore behind our firewall.
    * Allow webmail and IMAP to be accessible to remote users.
    * laptop users have to have no issues switching between internal network and external networks. (Meaning: zimbra.domain.com has to work internally and externally, and just point to the correct server.)

    That is why I don't think I can drop perdition, as the blackberry/treo users are going to want to beat on it, and the network guys will not let me open a port back into our server network.

    I am basing my setup off information my manager and a zimbra contact worked up. He was told that this was possible. I showed him ZCS System Architecture - ZimbraWiki so he could see what we are discussing. He still thinks his version is more secure. And I can't say I disagree with him too much.

    That all said, I am always open to suggestions and other "best practice" information. I'd rather do it correctly now than have to redo everything at some point down the road.
    Last edited by jeffreyheinen; 08-14-2007 at 04:16 PM. Reason: A few changes after speaking to my manager.

  10. #10
    mmorse is offline Moderator

    So they're fine sitting a server in the DMZ with no protection but not opening port 80 to something behind the firewall?
    (Because you are opening ports from behind the firewall to the box in the dmz anyway...)

    Which begs the question: Is your dmz public ip addresses and behind the firewall private addresses only?
