Thread: Security Issues

  1. #1
    zadmincbc is offline Junior Member

    Security Issues

    Hi All,
    I have got a problem on securing my Zimbra server in my network:
    1) the original idea was to put the zimbra-store and ldap in the LAN and the MTA in the DMZ. But doing this I will not have my web interface accessible from outside users.
    How can I solve this problem?
    2) is it possible to distribute emails only locally, without going outside?

  2. #2
    Klug is offline Moderator

    Quote: Originally posted by zadmincbc
    I have got a problem on securing my Zimbra server in my network:
    1) the original idea was to put the zimbra-store and ldap in the LAN and the MTA in the DMZ. But doing this I will not have my web interface accessible from outside users.
    How can I solve this problem?

    Put a reverse proxy in the DMZ.

    Quote: Originally posted by zadmincbc
    2) is it possible to distribute emails only locally, without going outside?

    Yes.
    Restrict sending to certain domains - Zimbra :: Wiki

  3. #3
    zadmincbc is offline Junior Member

    Security Issues

    Dear Klug,
    could you be just a little bit more clear about what to do and how to do it? I mean which type of reverse proxy and how do I configure it? I am new to Zimbra, trying to convince my enterprise to avoid Exchange, and I would really appreciate any help.
    Thanks

  4. #4
    mmorse is offline Moderator

    1) http://www.zimbra.com/forums/search.php?searchid=903099

    You don't have to go full dmz in the first place though: Ports - Zimbra :: Wiki & Firewall Configuration - Zimbra :: Wiki

    2)
    Quote: Originally posted by mmorse
    So what you would do is combine:
    Restrict sending to certain domains - Zimbra :: Wiki & RestrictPostfixRecipients - Zimbra :: Wiki

    You can also vote on: Bug 5595 - per-domain send restriction
    Make check boxes for:
    -User can send email outside of their domain
    -User can receive mail from outside their domain.
    (and of course extrapolate that eventually w/ a blank to enter other domains allowed for send/receive)
    Last edited by mmorse; 11-22-2007 at 07:18 PM.

  5. #5
    dwmtractor is offline Moderator

    A reverse proxy is not the only way to accomplish this. It depends on your firewall of course, but I use Destination Network Address Translation (DNAT) on mine. The firewall routes traffic between LAN, DMZ, and public IP address, and I have it set so that any port 443 (https) or 25 (SMTP) traffic which comes to the publicly-published IP address (the one in my mx records) for the mail server, gets translated to the internal DMZ address.

    The actual name of this process may vary depending on your firewall, but I believe most firewalls that will allow for a DMZ at all have some sort of DNAT/SNAT option which will provide the necessary routing.

    Dan

  6. #6
    Klug is offline Moderator

    I did not suggest DNAT because he has a DMZ and a LAN, with the Zimbra server on the LAN (not DMZ)...

    I don't see the point of authorizing direct access from the outside to the LAN when a DMZ is available.

    Additional point: if you don't know what a reverse proxy is or how to set up your firewall in order to do what was suggested before, I think you'd better get your setup checked by someone who knows.
    Bad firewall (or reverse-proxy) setup can lead to serious issues.
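
Added example (not from any poster in this thread, and not Zimbra or firewall-vendor code): a small audit of a rule table for the point debated in posts #5 and #6, checking that every published port is translated to a DMZ host and that nothing lets the internet reach the LAN directly. The zone subnets, addresses, rule tuples and the proxy-to-store port are all constructed assumptions.

```python
import ipaddress

# Constructed zone layout and addresses (assumptions, not from the thread).
ZONES = {
    "lan": ipaddress.ip_network("192.168.10.0/24"),
    "dmz": ipaddress.ip_network("172.16.20.0/24"),
}
PUBLISHED_PORTS = {25, 443}  # SMTP and HTTPS, the two ports named in post #5


def zone_of(addr):
    """Map an address to its zone; anything unknown counts as internet."""
    ip = ipaddress.ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), "internet")


def audit(dnat_rules, forward_rules):
    """Return findings for rules that expose the LAN to the internet."""
    findings = []
    for pub, port, target in dnat_rules:
        if port not in PUBLISHED_PORTS:
            findings.append(f"unexpected published port {port} on {pub}")
        if zone_of(target) != "dmz":
            findings.append(f"DNAT {pub}:{port} -> {target} ends in {zone_of(target)}")
    for src_zone, dst, port in forward_rules:
        dst_zone = zone_of(dst)
        if src_zone == "internet" and dst_zone == "lan":
            findings.append(f"internet -> lan {dst}:{port} allowed directly")
        if src_zone == "dmz" and dst_zone == "lan" and port is None:
            findings.append(f"dmz -> lan {dst} allows every port")
    return findings


# Layout A (constructed): proxy and MTA in the DMZ, one named port to the store.
PROXY_DNAT = [("203.0.113.10", 443, "172.16.20.10"), ("203.0.113.10", 25, "172.16.20.11")]
PROXY_FWD = [("dmz", "192.168.10.5", 443)]  # backend port is an assumption

# Layout B (constructed): HTTPS translated straight to the store on the LAN.
DIRECT_DNAT = [("203.0.113.10", 443, "192.168.10.5"), ("203.0.113.10", 25, "172.16.20.11")]
DIRECT_FWD = [("internet", "192.168.10.5", 443), ("dmz", "192.168.10.5", None)]

if __name__ == "__main__":
    for name, dnat, fwd in (("A", PROXY_DNAT, PROXY_FWD), ("B", DIRECT_DNAT, DIRECT_FWD)):
        print(name, audit(dnat, fwd) or "no findings")
```
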

  7. #7
    zadmincbc is offline Junior Member

    Security Issues

    Hi All,
    thank you for all your help. Actually I have a Cisco ASA 5510 managing connection between lan-dmz-internet. When I configured a webserver I put the database of the web app on the LAN, the webserver on the DMZ with a translation of the DMZ address in the public one. I would like to do something similar with Zimbra but as I can see the Zimbra web-app cannot be separated from the zimbra-store. Does anybody know if doing this is possible and how to reach this target?
    Thank you.
