  #1 (permalink)  
Old 11-22-2007, 04:55 AM
Junior Member
 
Posts: 5
Security Issues

Hi All,
I have got a problem on securing my Zimbra server in my network:
1) The original idea was to put the zimbra-store and LDAP in the LAN and the MTA in the DMZ. But doing this I will not have my web interface accessible from outside users.
How can I solve this problem?
2) Is it possible to distribute emails only locally, without going outside?
  #2 (permalink)  
Old 11-22-2007, 09:17 AM
Moderator
 
Posts: 2,207

Quote:
Originally Posted by zadmincbc
I have got a problem on securing my Zimbra server in my network:
1) The original idea was to put the zimbra-store and LDAP in the LAN and the MTA in the DMZ. But doing this I will not have my web interface accessible from outside users.
How can I solve this problem?

Put a reverse proxy in the DMZ.

Quote:
Originally Posted by zadmincbc
2) Is it possible to distribute emails only locally, without going outside?

Yes.
Restrict sending to certain domains - Zimbra :: Wiki
  #3 (permalink)  
Old 11-22-2007, 02:22 PM
Junior Member
 
Posts: 5
Security Issues

Dear Klug,
could you be just a little bit more clear about what to do and how to do it? I mean which type of reverse proxy and how do I configure it? I am new to Zimbra, trying to convince my enterprise to avoid Exchange, and I would really appreciate any help.
Thanks
  #4 (permalink)  
Old 11-22-2007, 06:06 PM
Moderator
 
Posts: 6,237

1) http://www.zimbra.com/forums/search.php?searchid=903099

You don't have to go full dmz in the first place though: Ports - Zimbra :: Wiki & Firewall Configuration - Zimbra :: Wiki

2)
Quote:
Originally Posted by mmorse
So what you would do is combine:
Restrict sending to certain domains - Zimbra :: Wiki & RestrictPostfixRecipients - Zimbra :: Wiki

You can also vote on: Bug 5595 - per-domain send restriction
Quote:
Make check boxes for:
-User can send email outside of their domain
-User can receive mail from outside their domain.
(and of course extrapolate that eventually w/ a blank to enter other domains allowed for send/receive)

Last edited by mmorse; 11-22-2007 at 06:18 PM..
  #5 (permalink)  
Old 11-22-2007, 08:03 PM
Moderator
 
Posts: 1,027

A reverse proxy is not the only way to accomplish this. It depends on your firewall of course, but I use Destination Network Address Translation (DNAT) on mine. The firewall routes traffic between LAN, DMZ, and public IP address, and I have it set so that any port 443 (HTTPS) or 25 (SMTP) traffic which comes to the publicly-published IP address (the one in my MX records) for the mail server gets translated to the internal DMZ address.

The actual name of this process may vary depending on your firewall, but I believe most firewalls that will allow for a DMZ at all have some sort of DNAT/SNAT option which will provide the necessary routing.

Dan
  #6 (permalink)  
Old 11-22-2007, 11:41 PM
Moderator
 
Posts: 2,207

I did not suggest DNAT because he has a DMZ and a LAN, with the Zimbra server on the LAN (not DMZ)...

I don't see the point of authorizing direct access from the outside to the LAN when a DMZ is available.

Additional point: if you don't know what a reverse proxy is or how to set up your firewall in order to do what was suggested before, I think you'd better get your setup checked by someone who knows.
Bad firewall (or reverse-proxy) setup can lead to serious issues.
Reply With Quote
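
An added example, not part of any post in this thread: a small Python check of the point argued in posts #5 and #6, that the published ports (25 and 443) should be translated to a DMZ host such as a reverse proxy rather than straight to a LAN address. The zone ranges, IP addresses and the rule model are constructed for illustration and are not any firewall's own syntax.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed addressing for illustration (assumption, not from the thread).
ZONES = {"lan": ipaddress.ip_network("10.0.0.0/24"),
         "dmz": ipaddress.ip_network("172.16.0.0/24")}
PUBLISHED_PORTS = {25, 443}  # SMTP and HTTPS, the two ports named in post #5

class Dnat(NamedTuple):      # hypothetical model of one DNAT rule
    public_ip: str
    port: int
    target_ip: str

class Allow(NamedTuple):     # hypothetical model of one inter-zone allow rule
    src_zone: str
    dst_ip: str
    port: Optional[int]      # None means "any port"

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def audit(dnat_rules, allow_rules):
    """Return (severity, message) findings for a LAN/DMZ/internet policy."""
    findings = []
    for r in dnat_rules:
        zone = zone_of(r.target_ip)
        if zone != "dmz":  # internet traffic would land outside the DMZ
            findings.append(("high", f"{r.public_ip}:{r.port} is translated to "
                             f"{r.target_ip} in zone '{zone}', not the DMZ"))
        if r.port not in PUBLISHED_PORTS:
            findings.append(("medium", f"port {r.port} is published but is not 25 or 443"))
    for r in allow_rules:  # the proxy-to-backend path should be pinned to one port
        if r.src_zone == "dmz" and zone_of(r.dst_ip) == "lan" and r.port is None:
            findings.append(("medium", f"DMZ may reach {r.dst_ip} on any port; "
                             "pin the proxy-to-backend port"))
    return findings

# Constructed policies: DNAT straight to a LAN mailbox host vs. to DMZ hosts.
DIRECT = audit([Dnat("203.0.113.10", 443, "10.0.0.20")], [])
PROXIED = audit([Dnat("203.0.113.10", 443, "172.16.0.5"),
                 Dnat("203.0.113.10", 25, "172.16.0.6")],
                [Allow("dmz", "10.0.0.20", 443)])
```

`DIRECT` contains one high-severity finding because the translated address is in the LAN; `PROXIED` is empty because both published ports terminate in the DMZ and the only DMZ-to-LAN rule is pinned to a single port.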
  #7 (permalink)  
Old 11-23-2007, 12:08 AM
Junior Member
 
Posts: 5
Security Issues

Hi All,
Thank you for all your help. Actually I have a Cisco ASA 5510 managing connections between LAN-DMZ-internet. When I configured a webserver I put the database of the web app on the LAN, the webserver on the DMZ with a translation of the DMZ address to the public one. I would like to do something similar with Zimbra but as I can see the Zimbra web app cannot be separated from the zimbra-store. Does anybody know if doing this is possible and how to reach this target?
Thank you.