Zimbra :: Forums
12-23-2008, 02:58 PM | Intermediate Member | Posts: 19

Zimbra HTTP remote access through DMZ

Hi all:
Currently we have a Sendmail-based mail system, in two separate servers:
1) LAN Server, with user mailhubs
2) DMZ Server, which acts as a relay MTA.
We're planning to deploy a Zimbra-based infrastructure with the following servers:
1) LAN Zimbra server: Zimbra mail Server + Zimbra LDAP
2) DMZ Zimbra MTA: relay in the DMZ zone.
Is it possible to access the Zimbra server through the Zimbra MTA in the DMZ zone via the Internet? We need to provide web access to users through the Internet, but we cannot open any port directly to the LAN zone, so access via the DMZ server would be desirable.
Is Zimbra HTTP proxy a solution? If we deploy it in the DMZ Server, is it possible to configure it so that users can access Zimbra Server in the LAN zone through it?
Thanks in advance!

01-09-2009, 09:26 AM | Intermediate Member | Posts: 19
Perhaps I've missed the forum again? Maybe I'm asking a stupid question, or this forum is not the right place to ask it...
Could anyone give me some indication, please?
Thank you very much

01-09-2009, 09:32 AM

Maybe this is an ignorant question but I'm not afraid of admitting my own ignorance... why not just have one Zimbra server in the DMZ which handles the whole load? If you have a DMZ, that obviously means you have some level of packet filtering, DNAT/SNAT, etc. available to you in your firewall/router, so just restrict what ports are routed from the public (or private) networks to your server and you should be fine. If I'm missing something from a security perspective, what is it that you are trying to accomplish by having your main Zimbra server on the LAN that you couldn't do with properly-designed packet filter rules in the DMZ?
As to your proxy question, I do not think that one Zimbra machine could act as proxy to a second Zimbra machine as you are describing. I believe you would have to set up a separate proxy server on your DMZ to accomplish this.
__________________
Cheers,
Dan

01-09-2009, 09:42 AM | Intermediate Member | Posts: 19

Re: Well, the truth is that I had not thought about that... Until now we have had the mailhub with mailboxes in our LAN because it's supposed to be the most secure zone; if the DMZ host is compromised (it's offering some more services, such as http), a possible attacker could get access to every personal message. This is the scenario we try to avoid by using two different servers in two different networks... I suppose if the DMZ host is really secured this should not be an issue, but... who is really secure nowadays? :-)
01-09-2009, 10:18 AM

Quote:
Originally Posted by milesteg
Well, the truth is that I had not thought about that... Until now we have had the mailhub with mailboxes in our LAN because it's supposed to be the most secure zone; if the DMZ host is compromised (it's offering some more services, such as http), a possible attacker could get access to every personal message.

Remember a DMZ is a network, not just a host. You could have multiple servers on the DMZ and (assuming a sufficiently advanced firewall/router) still not allow one compromised machine to talk to another. Packet filtering and DNAT/SNAT both provide for even tighter lockdown. Sure, if your Zimbra machine is compromised, it's possible that the hacker would have access to your messages, but if you only allow ports 25, 443 (even 80), and maybe the secure IMAP/POP ports, access from the outside--even a compromised machine could be pretty tough to control.

Quote:
Originally Posted by milesteg
This is the scenario we try to avoid by using two different servers in two different networks... I suppose if the DMZ host is really secured this should not be an issue, but... who is really secure nowadays? :-)

True of course, but as I pointed out above, it's not merely the security of your host that is an issue. Proper routing/firewall configuration provides a pretty substantial level of security on top of that.
I'm not saying that the further level of a mail server inside the LAN is not even more secure--obviously it is. I am questioning, rather, if that level of security is necessary. And if it is, I would recommend instead that your users who need webmail access from outside could first access your LAN via a secure VPN (good firewalls now offer SSL VPN instead of PPTP or L2TP even), then check their mail over the VPN.
__________________
Cheers,
Dan

01-09-2009, 03:35 PM | Intermediate Member | Posts: 19
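The zone policy Dan describes above (default deny; from the Internet only 25, 443 and the secure IMAP/POP ports reach the DMZ host; a compromised DMZ machine still cannot talk freely to anything else) can be written down and checked before it is typed into a firewall. The block below is an added example, not code from the thread or from Zimbra: it encodes that policy as data, answers "is this new TCP connection permitted?" for a given flow, and renders the same policy as iptables FORWARD rules. The addresses and interface names are constructed for the example; port 80 is deliberately left out of the inbound set (Dan lists it as optional); and the single DMZ-to-LAN path, SMTP from the DMZ MTA to the LAN mailhub only, is an assumption drawn from the two-server layout the original poster describes, not something the thread confirms Zimbra needs.

```python
"""Zone-based packet-filter policy for the Internet / DMZ / LAN layout
discussed in the thread, with an iptables FORWARD-chain renderer.
Added example: addresses, interfaces and the DMZ->LAN relay path are
assumptions, not taken from the thread or from Zimbra documentation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional

# Constructed addressing for the example (not from the thread).
ZONES = {
    "lan": ip_network("10.0.0.0/24"),     # mailbox/LDAP server lives here
    "dmz": ip_network("192.0.2.0/24"),    # public-facing Zimbra host lives here
}
IFACES = {"internet": "eth0", "lan": "eth1", "dmz": "eth2"}
DMZ_ZIMBRA = "192.0.2.10"   # assumed DMZ host
LAN_MAILHUB = "10.0.0.10"   # assumed LAN mailbox server


@dataclass(frozen=True)
class Rule:
    src: str                         # source zone
    dst: str                         # destination zone
    dports: FrozenSet[int]           # permitted TCP ports; empty means any port
    dst_host: Optional[str] = None   # pin the rule to one host, if set


# Everything not listed here is dropped (default DROP on the FORWARD chain).
POLICY: List[Rule] = [
    # Internet -> DMZ Zimbra host: SMTP, HTTPS, IMAPS, POP3S only (no 80).
    Rule("internet", "dmz", frozenset({25, 443, 993, 995}), dst_host=DMZ_ZIMBRA),
    # DMZ MTA -> LAN mailhub: relay mail on 25 and nothing else (assumption).
    Rule("dmz", "lan", frozenset({25}), dst_host=LAN_MAILHUB),
    # LAN may initiate to the DMZ and to the Internet; replies ride conntrack.
    Rule("lan", "dmz", frozenset()),
    Rule("lan", "internet", frozenset()),
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside LAN/DMZ is the Internet."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def allowed(src_ip: str, dst_ip: str, dport: int) -> bool:
    """True if a NEW TCP connection src_ip -> dst_ip:dport matches a rule."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if rule.src != src_zone or rule.dst != dst_zone:
            continue
        if rule.dst_host is not None and rule.dst_host != dst_ip:
            continue
        if rule.dports and dport not in rule.dports:
            continue
        return True
    return False


def render_iptables() -> List[str]:
    """Render POLICY as iptables FORWARD rules (strings only; nothing runs)."""
    lines = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for rule in POLICY:
        base = f"iptables -A FORWARD -i {IFACES[rule.src]} -o {IFACES[rule.dst]}"
        if rule.dst_host is not None:
            base += f" -d {rule.dst_host}"
        if rule.dports:
            ports = ",".join(str(p) for p in sorted(rule.dports))
            base += f" -p tcp -m multiport --dports {ports}"
        lines.append(f"{base} -m conntrack --ctstate NEW -j ACCEPT")
    # Log what falls through so a compromised DMZ host probing the LAN is visible.
    lines.append("iptables -A FORWARD -j LOG --log-prefix 'FWD-DROP: '")
    return lines


if __name__ == "__main__":
    # A few constructed flows, including what a compromised DMZ host could try.
    for src, dst, port in [
        ("203.0.113.5", DMZ_ZIMBRA, 443),   # webmail from outside
        ("203.0.113.5", DMZ_ZIMBRA, 22),    # ssh from outside
        (DMZ_ZIMBRA, LAN_MAILHUB, 25),      # relay into the LAN
        (DMZ_ZIMBRA, LAN_MAILHUB, 443),     # attacker pivoting to the mailhub
    ]:
        print(f"{src} -> {dst}:{port}  {'ACCEPT' if allowed(src, dst, port) else 'DROP'}")
    print("\n".join(render_iptables()))
```

The point of keeping the policy as data is that the same table drives both the decision function and the rendered ruleset, so the "only 25 from the DMZ into the LAN" property can be asserted in a test rather than inferred by reading iptables output. The rendered lines are meant to be reviewed and then applied on the firewall/router between the zones, not on the Zimbra host itself.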
Well, VPN would do the trick, indeed; however, that would imply overloading users with VPN clients. I'd rather have an HTTPS-based system. What I'm looking for is something like Outlook Web Access with Microsoft Exchange. The back-end server would be in the LAN, with maximum security, and the front-end server (only mail relay and web access) would be in the DMZ zone. I'm afraid I must include a security level as high as possible, so perhaps using only one server for Zimbra in the DMZ would be my last resort, although I don't discard it... so, what could we do along the lines I suggest, without VPN? This is getting interesting.