#1
10-17-2007, 03:04 AM
Elite Member
Posts: 250
Zimbra on the Web

Hi Guys,

We have been using Zimbra for over a year now and are very happy with it.

So far, we have only ever used it on our internal (local) network.

Users have asked if they could view their Zimbra account from home, including the Calendar, but I have been reluctant to reveal it to the Internet like that. I have just been using Roundcube on our webserver pointing at our Zimbra server, just for mail.
We have now inherited a Sonicwall pro 4060, which is a really nice firewall I believe, and this combined with us signing up to MessageLabs for Email filtering makes me wonder if now might be the time to allow more access to Zimbra from outside.

So, basically, how do people do this? Are there any tips or a guide on securing Zimbra and its services before opening it up? (I couldn't find anything in the Wiki)

I guess I will probably put the Zimbra server in a DMZ along with a few other servers and allow direct access to it through a port number.
We are authenticating with Active Directory though; would I be better just using the local Zimbra authentication or perhaps an LDAP server?

Thanks
Russ
#2
10-17-2007, 07:43 AM
Advanced Member
Posts: 193

From my own perspective, this would really depend on your organization's priority. If security is your topmost concern, yes, it would be logical to place your server in the DMZ and have its own authentication.

Most of the time, I recommend putting the e-mail server on a separate public IP with its own firewall. On a normal occasion, e-mail servers are really exposed so users can handle their communication wherever they are. But we will really never know if each user accessing your e-mail server is observing security measures when they do that outside of your organization's premises. In case of breach, this will be isolated in your e-mail server alone and will not include the entirety of your network if you have other pertinent installation/information inside.

You may also consider a bridge-head config (but quite complex and time consuming to implement).

Hope this helps.
#3
10-17-2007, 08:07 AM
Elite Member
Posts: 250

Thanks,

I will give it some thought. I guess I could use my old Draytek router/firewall in front of the Zimbra server but behind the Sonicwall as you suggest.

Cheers
#4
10-17-2007, 06:08 PM
Moderator
Posts: 1,027

I use Zimbra in a DMZ behind my main firewall, and have the firewall DNAT/SNAT the traffic from outside (only HTTPS and SMTP) to the DMZ address. All other ports can only be accessed from the DMZ or LAN.

If you move an existing server into a DMZ though, you will have to configure split DNS so that the Zimbra box and the LAN users resolve its FQDN as the DMZ IP, while the rest of the world resolves it as the public IP. Otherwise you will get and send no email.
#5
10-18-2007, 07:40 PM
Moderator
Posts: 1,209

We have our Zimbra servers behind a SonicWall PRO as well.

We have them in a DMZ. On our own system, we have the SonicWall configured to use traditional NAT mode, which means you will need to configure "split DNS" to get Zimbra to work. There is a wiki article to which I contributed that will help.

You can also configure one of the ports on the SonicWall in "Transparent Mode" and put a few public IPs in there. In this way, the Zimbra server will have a public IP address but will still be well protected.

The only ports you will need to open are the public ports listed in the Admin Guide. Insist your users use complex passwords, and don't open the admin port publicly, and you should be relatively secure.

But, you can also insist your users use the SonicWall VPN client or an IPSec connection to the SonicWall from away, which will make things more secure, but a little less convenient.

I would also strongly recommend licensing the Gateway Security bundle from SonicWall, which does Anti-Virus, Anti-Spam, Anti-Phishing, and IPS on the SonicWall, and which will significantly reduce the load on your Zimbra server.

We also use the SonicWall's built-in RBL filtering to lighten the load on our Zimbra servers even more.

When you look at our Zimbra anti-spam stats, we show only about 10% or so of all messages as spam/viruses. Without the pre-filtering at the SonicWall, the load on our server would be eight times higher!

That makes the SonicWall security bundle a terrific value IMHO (and no, we are not a reseller...)

Hope that helps.

Mark
L. Mark Stone, CIO
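As an added example (not part of the thread, and not Zimbra or SonicWall tooling), here is one way to verify the setup the last two replies describe: split DNS returning the right address on each side, and only SMTP and HTTPS answering from outside. The port numbers are Zimbra defaults and are an assumption here; confirm them against the Admin Guide for your version.

```python
import socket
import sys

# Assumption: policy from the replies above (only SMTP and HTTPS forwarded).
# Port numbers are Zimbra defaults, not taken from the thread; verify them
# against the Admin Guide before relying on this list.
ALLOWED_PUBLIC = {25: "smtp", 443: "https"}
MUST_STAY_INTERNAL = {389: "ldap", 7025: "lmtp", 7071: "admin console"}


def is_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_resolution(fqdn, expected_ip, resolve=socket.gethostbyname):
    """Split-DNS check: expect the DMZ IP on the LAN, the public IP outside."""
    try:
        got = resolve(fqdn)
    except OSError as exc:
        return ("FAIL", fqdn, f"does not resolve: {exc}")
    if got != expected_ip:
        return ("FAIL", fqdn, f"resolves to {got}, expected {expected_ip}")
    return None


def audit_exposure(host, allowed=ALLOWED_PUBLIC, forbidden=MUST_STAY_INTERNAL,
                   probe=is_open):
    """Run from outside the firewall; an empty list means policy is met."""
    findings = []
    for port, name in sorted(forbidden.items()):
        if probe(host, port):
            findings.append(("FAIL", port, f"{name} reachable from outside"))
    for port, name in sorted(allowed.items()):
        if not probe(host, port):
            findings.append(("WARN", port, f"{name} not reachable; check NAT rule"))
    return findings


if __name__ == "__main__":
    # Placeholder default; pass your own server's public name as the argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for severity, port, message in audit_exposure(target):
        print(f"{severity} tcp/{port}: {message}")
```

Run `audit_exposure` from a host outside the firewall, and `check_resolution` once from the LAN (expecting the DMZ address) and once from outside (expecting the public address).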