Thread: Zimbra on the Web

  1. #1
    russgalleywood

    Hi Guys,

    We have been using Zimbra for over a year now and are very happy with it.

    So far, we have only ever used it on our internal (local) network.

    Users have asked if they could view their Zimbra account from home, including the Calendar, but I have been reluctant to reveal it to the Internet like that. I have just been using Roundcube on our webserver pointing at our Zimbra server, just for mail.
    We have now inherited a Sonicwall pro 4060, which is a really nice firewall I believe, and this, combined with us signing up to MessageLabs for email filtering, makes me wonder if now might be the time to allow more access to Zimbra from outside.

    So, basically, how do people do this? Are there any tips or a guide on securing Zimbra and its services before opening it up? (I couldn't find anything in the Wiki)

    I guess I will probably put the Zimbra server in a DMZ along with a few other servers and allow direct access to it through a port number.
    We are authenticating with Active Directory though; would I be better just using the local Zimbra authentication or perhaps an LDAP server?

    Thanks
    Russ

  2. #2
    randall

    From my own perspective, this would really depend on your organization's priority. If security is your topmost concern, yes, it would be logical to place your server in the DMZ and have its own authentication.

    Most of the time, I recommend putting the e-mail server on a separate public IP with its own firewall. On a normal occasion, e-mail servers are really exposed so users can handle their communication wherever they are. But we will really never know if each user accessing your e-mail server is observing security measures when they do that outside of your organization's premises. In case of a breach, this will be isolated to your e-mail server alone and will not include the entirety of your network if you have other pertinent installations/information inside.

    You may also consider a bridge-head config (but quite complex and time consuming to implement).

    Hope this helps.

  3. #3
    russgalleywood

    Thanks,

    I will give it some thought. I guess I could use my old Draytek router/firewall in front of the Zimbra server but behind the Sonicwall as you suggest.

    Cheers

  4. #4
    dwmtractor (Moderator)

    I use Zimbra in a DMZ behind my main firewall, and have the firewall DNAT/SNAT the traffic from outside (only HTTPS and SMTP) to the DMZ address. All other ports can only be accessed from the DMZ or LAN.

    If you move an existing server into a DMZ though, you will have to configure split DNS so that the Zimbra box and the LAN users resolve its FQDN as the DMZ IP, while the rest of the world resolves it as the public IP. Otherwise you will get and send no email.

  5. #5
    LMStone (Moderator)

    We have our Zimbra servers behind a SonicWall PRO as well.

    We have them in a DMZ. On our own system, we have the SonicWall configured to use traditional NAT mode, which means you will need to configure "split DNS" to get Zimbra to work. There is a wiki article to which I contributed that will help.

    You can also configure one of the ports on the SonicWall in "Transparent Mode" and put a few public IPs in there. In this way, the Zimbra server will have a public IP address but will still be well protected.

    The only ports you will need to open are the public ports listed in the Admin Guide. Insist your users use complex passwords, and don't open the admin port publicly, and you should be relatively secure.

    But, you can also insist your users use the SonicWall VPN client or an IPSec connection to the SonicWall from away, which will make things more secure, but a little less convenient.

    I would also strongly recommend licensing the Gateway Security bundle from SonicWall, which does Anti-Virus, Anti-Spam, Anti-Phishing, and IPS on the SonicWall, and which will significantly reduce the load on your Zimbra server.

    We also use the SonicWall's built-in RBL filtering to lighten the load on our Zimbra servers even more.

    When you look at our Zimbra anti-spam stats, we show only about 10% or so of all messages as spam/viruses. Without the pre-filtering at the SonicWall, the load on our server would be eight times higher!

    That makes the SonicWall security bundle a terrific value IMHO (and no, we are not a reseller...)

    Hope that helps.

    Mark
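
An added example, not part of any post in this thread: a Python check for the two conditions posts #4 and #5 describe, namely that each DNS view returns the right address for the mail host and that nothing beyond SMTP and HTTPS (the set from post #4) is forwarded from outside. The subnet, domain, host names and addresses are constructed, and 7071 is used for the admin port on the assumption that Zimbra's default admin console port is unchanged.

```python
import ipaddress

# Constructed values (assumptions, not from the thread): subnet, names, addresses.
DMZ_NET = ipaddress.ip_network("192.168.50.0/24")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_INBOUND = {25, 443}  # SMTP and HTTPS, the only ports forwarded in post #4

def check_view(view, records, domain, inside):
    """Check one DNS view. records = {"MX": {domain: host}, "A": {host: ip}}.
    inside=True for the view served to the LAN and to the Zimbra box itself."""
    mx_host = records.get("MX", {}).get(domain)
    if mx_host is None:
        return [f"{view}: no MX record for {domain}"]
    addr = records.get("A", {}).get(mx_host)
    if addr is None:
        return [f"{view}: MX target {mx_host} has no A record"]
    ip = ipaddress.ip_address(addr)
    if inside and ip not in DMZ_NET:
        return [f"{view}: {mx_host} resolves to {ip}, expected a DMZ address"]
    if not inside and any(ip in net for net in RFC1918):
        return [f"{view}: {mx_host} resolves to {ip}, expected a public address"]
    return []

def check_forwards(ports):
    """Flag any inbound port forward beyond the allowed set."""
    return [f"firewall: port {p} is forwarded from outside"
            for p in sorted(set(ports) - ALLOWED_INBOUND)]

# Constructed sample answers for a hypothetical domain.
INTERNAL = {"MX": {"example.com": "mail.example.com"},
            "A": {"mail.example.com": "192.168.50.10"}}
EXTERNAL = {"MX": {"example.com": "mail.example.com"},
            "A": {"mail.example.com": "203.0.113.10"}}
# No split DNS yet: the inside view still hands out the public address.
UNSPLIT = EXTERNAL

if __name__ == "__main__":
    findings = (check_view("internal", INTERNAL, "example.com", inside=True)
                + check_view("external", EXTERNAL, "example.com", inside=False)
                + check_view("internal (unsplit)", UNSPLIT, "example.com", inside=True)
                + check_forwards([25, 443, 7071]))  # 7071: assumed admin console port
    print("\n".join(findings) or "no findings")
```

In practice the `records` dictionaries would be filled from queries made once from the LAN or the Zimbra box and once from an outside resolver.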
