Zimbra inside a LAN

[fernandoflorez]

Hi guys,

I'm trying to make a client of me switch from exchange to zimbra.

I had a chat with the tech guy this morning and he mentioned that he wants the mail server inside their lan network and have a relay on their DMZ for security reasons. I don't like this architecture but i offeref to do some research on this.

Any thoughts? Smth you guys would recommend? What are the +/- of doing this?

Thanks!

[soxfan]

We've been running Zimbra in the configuration you've described for a few years now without any issues. Before moving to Zimbra we had the email gateway setup and left it in place after the move. The gateway is using a lot of the same software that Zimbra uses (postfix, amavisd, spamassassin, clamav), so in some ways it is probably redundant. I still kind of like the extra layer of security that is provided.

I don't know for sure, but I think this would be a somewhat common setup with Zimbra. What are your concerns?

[fernandoflorez]

The gateway will require to know which users exist or not for the domain, right? Otherwise it will relay non existent users.

Are you using zimbra also as a gateway? Or are you using smth custom?

Thanks,

[fernandoflorez]

The thing i don't like of having the mail server on the lan is that if any pc gets infected by a virus it may attack the mail server and start sending spam (lan is on the trusted networks).

The thing is that i need a way to demostrate it to this guy so any other vulnerabilities will be cool.

Thanks!

[soxfan]

Quote:

The gateway will require to know which users exist or not for the domain, right? Otherwise it will relay non existent users.

Are you using zimbra also as a gateway? Or are you using smth custom?

Our Internet email gateway does not know about all our users. You are right; it does relay non-existent users. But then they are rejected by the Zimbra server. Net effect is the same.

The email gateway is not running Zimbra. Like I said, it was setup prior to us using Zimbra and we kept it in place. I used one of the many "recipies" out there on the 'net for setting up an Internet email gateway using open source tools.

Quote:

The thing i don't like of having the mail server on the lan is that if any pc gets infected by a virus it may attack the mail server and start sending spam (lan is on the trusted networks).

Oh, so now I see. You are concerned about having the email server on your LAN for security reasons. I thought you were more concerned with having the extra gateway server to worry about. Some of your concerns here are probably valid. We did run into a situation similar to what you are describing with the virus. I'm not really sure it would have been avoided if the Zimbra server wasn't on our LAN.

[NOZIL]

You can use zimbra proxy (nginx proxy in fact) to do this.
Just put it in you dmz, then migrate your zimbra server(s) in the lan.

+ Your zimbra server containing your precious data (e-amil and so on) is not directly visible from outside, where ugly bad hackers lives That's the main purpose of a reverse proxy.

+ You don't charge your firewall with traffic when users from lan want to access zimbra. (you'll have to create a "fake" zone in your internal dns to redirect lan users to the lan ip of you zimbra server)

- You have another zimbra server in your architecture (zimbra proxy)

[fernandoflorez]

Thanks Nozil, that will work perfectly. Can i have zimbra's antispam and antivirus running on the proxy server?

Cheers!