03-09-2009, 09:15 AM
WebMail proxy

Hello,
We are in the final process of evaluating Zimbra.
We are going to have 13 servers located around the world.
- One server will be Mailbox, LDAP Master and MTA server
- One server will be Mailbox and MTA server
- All other servers will be "Mailbox Only" servers (i.e., they will send mail through the two MTAs).
(any remarks will be greatly appreciated in case this approach is wrong...)
All servers will be behind NAT and only the two MTAs will have public IPs (also behind NAT).
We would like users in the "Mailbox Only" servers to access WebMail when out of the office, but we don't want to assign a public IP to every server (for security reasons). Only the MTA servers should have public IPs.
If possible, we would like "Mailbox Only" server users to access their WebMail through one of the MTA servers, since we want only the MTA servers to have a public IP.
At the moment, when a user of a "Mailbox Only" server types the MTA's public FQDN in the address bar, he/she is confronted with the login page, which is fine. But when they log in they are redirected to their mailbox server's WebMail page. Since that server has no public IP they get a blank page.
Can Zimbra serve as a "WebMail proxy" and allow "Mailbox Only" server users to connect from the outside through another server which does have a public IP?
Thanks.
(hope I didn't cause too much confusion)
Last edited by ECB; 03-09-2009 at 09:18 AM..
03-09-2009, 09:23 AM
Quote: Originally Posted by ECB
> (any remarks will be greatly appreciated in case this approach is wrong...)

IMHO it is wrong for (at least) four reasons:
1. ZCS is designed to be "centric", everything in one place, and the ZWC needs very low bandwidth.
2. Mailbox servers need an MTA to send/receive email, even between them: either you put an MTA server in each location (with their own LDAP replica, or it's useless) or, if you want your "abroad" mailbox servers to use the "center" MTA, then you'd rather keep all the users centered...
3. LDAP writes can only be made (yet) to the master LDAP (not the replica).
4. Backup... With servers "abroad", you also need to put a full backup infrastructure in each location.

Quote: Originally Posted by ECB
> Can Zimbra serve as a "WebMail proxy" and allow "Mailbox Only" server users to connect from the outside through another server which does have a public IP?

zimbra-proxy is designed for this, as long as it "sees" all the mailbox servers.
The problem is, if you use it the way it's supposed to be used, users all around the world should also use it from inside the company.
You cannot have (at least) documents/briefcase/password change working both through zimbra-proxy and with direct access to mailbox servers.
Another good reason to keep all servers at the same place...
03-09-2009, 11:54 AM
Quote: Originally Posted by Klug
> 2. Mailbox servers need an MTA to send/receive email, even between them: either you put an MTA server in each location (with their own LDAP replica, or it's useless) or, if you want your "abroad" mailbox servers to use the "center" MTA, then you'd rather keep all the users centered...

The reason we need a local server in each branch is that if the internet connection goes down, the entire office loses email access, as well as all other services ZCS offers.
With a local server, users keep getting ZCS services and sending mails even when the line is down; the SMTP queue will hold the sent emails. When the internet connection is re-established, sent mails are automatically transferred (this is in theory, we haven't yet tested this in our lab).
The beauty of this method is that when the line goes down users can keep working without interruption, and the whole process of mail being held and then transferred is completely transparent to them.
Another reason is that users transfer large attachments between offices and we want the emails with the attachments to be accessed locally and not through the internet, lowering strain on the line and the server.
Also, thanks to Zimbra's design, users can even access directory data when the connection to the LDAP master is lost.

Quote: Originally Posted by Klug
> 3. LDAP writes can only be made (yet) to the master LDAP (not the replica).

This is already taken into account. And this is fine because the directory can still be accessed, and that's what's important in case of LDAP master failure.

Quote: Originally Posted by Klug
> 4. Backup... With servers "abroad", you also need to put a full backup infrastructure in each location.

We have already trained our users in the "secret ways" of backup and they've been doing this for years with our current email system.
Moreover, with Zimbra it is possible (theoretically, we need to test this too...) to back up to remote directories, so we won't even need to bother our users with backup anymore.

Quote: Originally Posted by Klug
> Quote: Originally Posted by ECB
> > Can Zimbra serve as a "WebMail proxy" and allow "Mailbox Only" server users to connect from the outside through another server which does have a public IP?
> zimbra-proxy is designed for this, as long as it "sees" all the mailbox servers.

As far as I understand from the manual, zimbra-proxy only supports POP3 and IMAP4.

Quote: Originally Posted by Klug
> The problem is, if you use it the way it's supposed to be used, users all around the world should also use it from inside the company.
> You cannot have (at least) documents/briefcase/password change working both through zimbra-proxy and with direct access to mailbox servers.

I'm not sure I understand what you're saying here. Can you elaborate?
Thanks very much.
03-09-2009, 12:23 PM
Quote: Originally Posted by ECB
> The reason we need a local server in each branch is that if the internet connection goes down, the entire office loses email access, as well as all other services ZCS offers.

But unable to send mail (even to each other) unless there's an MTA + LDAP (replica).

Quote: Originally Posted by ECB
> The beauty of this method is that when the line goes down users can keep working without interruption, and the whole process of mail being held and then transferred is completely transparent to them.

No, unless there's an MTA + LDAP (replica).

Quote: Originally Posted by ECB
> Another reason is that users transfer large attachments between offices and we want the emails with the attachments to be accessed locally and not through the internet, lowering strain on the line and the server.

That's right.

Quote: Originally Posted by ECB
> Also, thanks to Zimbra's design, users can even access directory data when the connection to the LDAP master is lost.

As long as they're already logged on...
Unless, once more, you have an LDAP replica.

Quote: Originally Posted by ECB
> This is already taken into account. And this is fine because the directory can still be accessed, and that's what's important in case of LDAP master failure.

How can you get the directory (GAL, user/password validation) if you don't have a local LDAP replica and cannot access the master LDAP?

Quote: Originally Posted by ECB
> Moreover, with Zimbra it is possible (theoretically, we need to test this too...) to back up to remote directories, so we won't even need to bother our users with backup anymore.

As long as the "remote directory" stays local to the office.
Your point about "backup magic" is right, but I do not trust local backups.

Quote: Originally Posted by ECB
> As far as I understand from the manual, zimbra-proxy only supports POP3 and IMAP4.

That was Perdition, that was in 4.x ZCS...
zimbra-proxy is now nginx and proxies http(s), pop3(s) and imap4(s).
Which manuals have you checked?

Quote: Originally Posted by ECB
> I'm not sure I understand what you're saying here. Can you elaborate?

If you set up zimbra-proxy (even only one for external access), you'll have to set up all your mailbox servers in reverse-proxied mode.
As soon as they are in reverse-proxied mode, you need to set zimbraPublicServiceHostname (and zimbraPublicServiceProtocol and zimbraPublicServicePort) for each domain to suit the proxy FQDN.
And as soon as you've set these up, you've lost local access (i.e. direct access to the mailbox server, not through the proxy) for some features (listed in my previous post).
There are ways around this (using a local zimbra-proxy with local DNS records) but it's quite complex (and goes against the initial simple idea).
I also guess the "internet" access to user accounts will only be very low and not frequent. Or you'll hit all the issues you wanted to avoid by having the mailbox servers spread around the world.
Last edited by Klug; 03-09-2009 at 12:25 PM..
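The three per-domain attributes Klug names above are what decide where the browser is sent after login, so they are the first thing to audit when a user gets the blank page ECB described in the first post. The script below is an added example, not part of this thread and not Zimbra's own tooling: it parses the `attribute: value` text that `zmprov gd <domain>` prints (one block per domain, each introduced by a `# name <domain>` line) and reports every domain whose zimbraPublicServiceHostname, zimbraPublicServiceProtocol or zimbraPublicServicePort would redirect users somewhere other than the proxy, or over plain HTTP. The domain names, the proxy FQDN proxy.example.com and the sample zmprov output are constructed for the example.

```python
"""Audit zimbraPublicService* per domain against the zimbra-proxy FQDN.

Added example, not from the thread or from Zimbra itself. It parses the
'attribute: value' text that `zmprov gd <domain>` prints (one block per
domain, each introduced by a '# name <domain>' line) and reports domains
whose public hostname/protocol/port would send a browser somewhere other
than the proxy after login. Sample output and names below are constructed.
"""
import re

# Constructed sample of `zmprov gd` output for two domains (assumed names).
SAMPLE_GD_OUTPUT = """\
# name branch1.example.com
zimbraDomainName: branch1.example.com
zimbraPublicServiceHostname: proxy.example.com
zimbraPublicServiceProtocol: https
zimbraPublicServicePort: 443

# name branch2.example.com
zimbraDomainName: branch2.example.com
zimbraPublicServiceHostname: mbx2.branch2.example.com
zimbraPublicServiceProtocol: http
"""

DEFAULT_PORT = {"http": "80", "https": "443"}


def parse_gd(text):
    """Return {domain: {attribute: value}} from concatenated zmprov gd output."""
    domains = {}
    current = None
    for line in text.splitlines():
        header = re.match(r"^#\s*name\s+(\S+)", line)
        if header:
            current = header.group(1).lower()
            domains[current] = {}
            continue
        if current is None or ":" not in line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        domains[current][attr.strip()] = value.strip()
    return domains


def audit_domain(attrs, proxy_fqdn):
    """List the misconfigurations for one domain (empty list means OK)."""
    findings = []
    host = attrs.get("zimbraPublicServiceHostname")
    proto = (attrs.get("zimbraPublicServiceProtocol") or "").lower()
    port = attrs.get("zimbraPublicServicePort")

    if not host:
        # Unset: after login ZCS redirects to the mailbox server's own name,
        # which is unreachable from outside (the blank page in the first post).
        findings.append("zimbraPublicServiceHostname unset")
    elif host.lower() != proxy_fqdn.lower():
        findings.append(f"zimbraPublicServiceHostname={host} is not the proxy {proxy_fqdn}")

    if proto != "https":
        # Anything but https puts webmail credentials on the wire in clear.
        findings.append(f"zimbraPublicServiceProtocol={proto or 'unset'} (expected https)")

    if port and proto in DEFAULT_PORT and port != DEFAULT_PORT[proto]:
        # A non-default port must be one the proxy really listens on;
        # flag it so an operator confirms it was set deliberately.
        findings.append(f"zimbraPublicServicePort={port} is non-default for {proto}")

    return findings


def audit(text, proxy_fqdn):
    """Audit every domain in the zmprov output; returns {domain: [findings]}."""
    return {d: audit_domain(a, proxy_fqdn) for d, a in parse_gd(text).items()}


if __name__ == "__main__":
    for domain, findings in audit(SAMPLE_GD_OUTPUT, "proxy.example.com").items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{domain}: {status}")
```

On a real deployment the sample text would be replaced by the output of `zmprov gd` for each domain, run as the zimbra user, and the proxy FQDN by the name external users type in their address bar. In the constructed sample, branch1 passes and branch2 is reported twice: its public hostname is a mailbox server with no public IP, and its protocol is plain http.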
03-09-2009, 12:48 PM
All servers in our design are LDAP replicas. Thought that was a given, my mistake.

Quote: Originally Posted by Klug
> But unable to send mail (even to each other) unless there's an MTA + LDAP (replica).

But if the non-MTA servers have a direct connection to the MTA servers, can't they send mail to each other through the MTAs?

Quote: Originally Posted by Klug
> As long as the "remote directory" stays local to the office.

You've lost me there: is it, or is it not possible to back up to a remote directory? I'm new to Linux, so be gentle...

Quote: Originally Posted by Klug
> That was Perdition, that was in 4.x ZCS...
> zimbra-proxy is now nginx and proxies http(s), pop3(s) and imap4(s).

So to cut a long story short, the answer to my original question is YES.

Quote: Originally Posted by Klug
> As soon as you've set these up, you've lost local access (i.e. direct access to the mailbox server, not through the proxy) for some features (listed in my previous post).

Thanks for the tip.

Quote: Originally Posted by Klug
> There are ways around this (using a local zimbra-proxy with local DNS records) but it's quite complex (and goes against the initial simple idea).

I don't care if it's complex as long as I can make it work.

Quote: Originally Posted by Klug
> I also guess the "internet" access to user accounts will only be very low and not frequent.

That is correct.
Last edited by ECB; 03-09-2009 at 12:50 PM..
03-10-2009, 01:53 AM
Quote: Originally Posted by ECB
> But if the non-MTA servers have a direct connection to the MTA servers, can't they send mail to each other through the MTAs?

Two users on the same mailbox server won't even be able to send mails to each other if there's no MTA available for this server.

Quote: Originally Posted by ECB
> You've lost me there: is it, or is it not possible to back up to a remote directory? I'm new to Linux, so be gentle...

It is, of course.
But to protect yourself from the "lost line" issue, you can only back up in the same location that your server is. This means if there's a problem in this location (and both server and backup are in this location), you might lose all data.

Quote: Originally Posted by ECB
> I don't care if it's complex as long as I can make it work.

Are your users using local DNS in each location?

03-10-2009, 02:48 AM
Our users don't have local DNS servers at the moment, but they will. Zimbra is too dependent on DNS and we prefer each server to run a DNS service as well.

03-10-2009, 05:25 AM
I urge you to do some lab tests about what you want to deploy...
03-11-2009, 04:13 PM
Project Contributor
Posts: 55
Have you considered the problem regarding the usage of the LMTP protocol between MTAs and mailstores? I think that the Local Mail Transfer Protocol is not so good over WAN...
Last edited by anteos; 03-12-2009 at 03:29 AM..

03-12-2009, 12:50 AM
I am not aware of such a problem; can you elaborate please?
Thanks!
Last edited by ECB; 03-12-2009 at 03:31 AM..