  #1 (permalink)  
Old 07-15-2009, 06:21 AM
Member
 
Posts: 12
Default [SOLVED] Connecting Zimbra to the outside world...

Please have mercy on me, I am new to running Linux on my own box. I have run some dedicated servers, but never had to mess with the DNS side, as the hosting company always took care of that.


First my install:

Quote:
My Network domain is mydomain.com (mydomain is fake, but the .com part is real (not my design))

Windows 2000 network, 2000 machine handling DNS, all static; DHCP is not running

We have an internal 10.x.x.x ip scheme, which I set up on the Zimbra server.

The zimbra server is called mailhost.mydomain.com

The mail server is running great, everything works, I can POP and IMAP to my heart's delight. I set up an alias so that http://webmail/ points to the web client, and it works fine. Internally, that is.
Now I want to try the next step. I want to connect to the outside world with my Zimbra mail. We have a dedicated connection (Comcast) to the internet that is firewalled (SonicWall) and we were given 5 external IPs.

My question is this: should I have used one of those IPs to set up my Zimbra box? Or can I somehow route the external IP to my internal IP, maybe with the SonicWall?

Also, our external domain name is slightly different than our internal domain name, will that matter, or does the MX record take care of that, since it is all IP driven?
  #2 (permalink)  
Old 07-15-2009, 06:28 AM
Active Member
 
Posts: 39
Default

You need to set up NAT translation on the SonicWall to forward the appropriate ports to your Zimbra box. Set up an A record in the DNS for your domain for mail and smtp to point to your external zimbra IP. Then create an MX record that points to smtp.yourdomain.com
  #3 (permalink)  
Old 07-15-2009, 06:36 AM
Member
 
Posts: 12
Default

Thanks for the super quick response!!!

Quote:
You need to set up NAT translation on the SonicWall to forward the appropriate ports to your Zimbra box.
This would be for all the Zimbra ports? 22,25,80, etc? I can have that done (I don't control the Sonicwall).

Quote:
Set up an A record in the DNS for your domain for mail and smtp to point to your external zimbra IP.
This would be done on my 2000 DNS, not bind or anything on the Zimbra box, correct?


Quote:
Then create an MX record that points to smtp.yourdomain.com
yourdomain.com being the external web domain that we have, not our internal 2000 domain. Should I have named my Zimbra box this domain name? Does it even matter?
  #4 (permalink)  
Old 07-15-2009, 06:44 AM
Zimbra Consultant & Moderator
 
Posts: 20,317
Default

You need to forward port 25 through the firewall and whichever port you're using for the Web UI and for submitting mail (submission port) from external mail clients (Thunderbird/Outlook etc.). I'd suggest you use 443 (https mode) for the Web UI and port 587 for the submission port.

You will need DNS A & MX records for your external domain name and DNS A & MX records pointing to your LAN IP inside the LAN using whichever DNS server you like.

I usually recommend naming your internal domain the same as your external domain, it generally saves any confusion for email addresses and server names.
__________________
Regards


Bill

Last edited by phoenix; 07-15-2009 at 06:53 AM..
  #5 (permalink)  
Old 07-15-2009, 07:01 AM
Active Member
 
Posts: 39
Default

Like phoenix was saying, you need to set up split DNS.

When somebody goes to mail.yourdomain.com or smtp.yourdomain.com it queries DNS and returns the IP address associated with the record. When a mail server wants to send email to your domain it looks up the MX record which points to the A record for your mail server.

Externally clients need to see your external IP. On your external DNS create the A and MX records.

Internally you want your clients to use the internal IP of your mail server. In your 2000 DNS create the same A and MX records but point them to your internal IP. A number of corporate firewalls don't support NAT reflection, so if you go to your external IP internally nothing will happen. Even if it does work, it places an extra load on the firewall and increases latency.
  #6 (permalink)  
Old 07-15-2009, 07:17 AM
Member
 
Posts: 12
Default

How does Zimbra send to the outside world? Does Zimbra have to know how to get out of my network? Or is the opening of the ports good enough?

I do have the internal A and MX records set up and internal mail works great.

And the Split DNS is set up on the Zimbra Box as per the wiki? Which I didn't fully understand, but I will read it again...
  #7 (permalink)  
Old 07-15-2009, 07:32 AM
Active Member
 
Posts: 39
Default

Zimbra gets out just like any other computer on your network does. The only thing you need to keep in mind is what NAT pool it is going out of. On the Sonicwall you want it to make connections from the same external IP it is accepting connections from. That way your reverse DNS will match. Reverse DNS records are set up by your ISP.

In short, externally nslookup externalip should match the nslookup yourdomain.com.

Split DNS is just a term. You set up DNS on your 2000 DNS server and whatever DNS server you use for your external domain.
  #8 (permalink)  
Old 07-15-2009, 08:00 AM
Zimbra Consultant & Moderator
 
Posts: 20,317
Default

Quote:
Originally Posted by mclark2112 View Post
How does Zimbra send to the outside world? Does Zimbra have to know how to get out of my network? Or is the opening of the ports good enough?
You shouldn't need to do anything, just try sending an email to an external account (if you have a gmail or yahoo account try sending to them).

Quote:
Originally Posted by mclark2112 View Post
I do have the internal A and MX records set up and internal mail works great.
That's good.

Quote:
Originally Posted by mclark2112 View Post
And the Split DNS is set up on the Zimbra Box as per the wiki? Which I didn't fully understand, but I will read it again...
You can check your DNS with the following commands (run on the zimbra server):

Code:
cat /etc/hosts
cat /etc/resolv.conf
dig yourdomain.com mx
dig yourdomain.com any
host `hostname`   # use that exact command, with backticks not single quotes
Post the output in this thread if you want it checked.
__________________
Regards


Bill
  #9 (permalink)  
Old 07-15-2009, 08:02 AM
Member
 
Posts: 12
Default

OK, it is coming together. Sorry I am so backwards on all of this. I just sent an email out to my gmail account and it worked, cool.

So next step is with the ISP and the consultant that leases us the sonicwall. Life is gonna be good.

By the way, I love the Zimbra server, it rocks. The Admin is very straightforward, and the web client is second to none. I only have about 75 users right now, so this will be the perfect solution for our company.

Thanks for all the help.
  #10 (permalink)  
Old 07-15-2009, 08:07 AM
Moderator
 
Posts: 1,027
Default

Quote:
Originally Posted by mclark2112 View Post
How does Zimbra send to the outside world? Does Zimbra have to know how to get out of my network? Or is the opening of the ports good enough?

I do have the internal A and MX records set up and internal mail works great.

And the Split DNS is set up on the Zimbra Box as per the wiki? Which I didn't fully understand, but I will read it again...
This is an issue that confuses a lot of people. Some day when I have time I really need to write a new "SplitDNS for Dummies" article for the Wiki, because the current one assumes far more knowledge than it should (please understand I'm not calling you a "dummy" here, I get it).

Basically, you have half of what you need already, in that your Windows 2000 internal DNS is clearly giving the internal network the information it needs, or your Zimbra installation would have crashed & burned already. But those of us on the outside who send mail to you, never see your Windows 2000 DNS. We see an external DNS--whether you host it or whether your ISP or DynDNS or other provider does--that points our queries of yourdomain.com to the public IP address which you haven't yet set up, but which will DNAT to your internal Zimbra IP. It's this public DNS that needs to have A and MX (and preferably PTR and RDNS) records set up so that we can send you mail.

I would underline what Phoenix just said that you really want the same domain both places; if people "out here" were to see that your outgoing email comes from a different domain than the one we send to (which would be the case if public and private domains are different), then many spam filters would reject the message.

Likewise, have whoever configures your Sonicwall set up a SNAT rule for outgoing traffic from your Zimbra box; otherwise, the outgoing traffic will use the existing generic NAT rule, and sent mail will come from a different source IP than the one that shows up on a reverse DNS lookup (which would show the mail server's public IP). That, too, will get you into spam folders. . .or blacklists.
__________________
Cheers,

Dan
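
The checks discussed in posts #5, #7 and #10 (split DNS views, the MX to A chain, and reverse DNS matching the address mail leaves from), as an added example that is not part of the original thread. The record tables are constructed stand-ins for the answers `dig` would return from each DNS server; the addresses are RFC 5737 documentation addresses, and `pool-20.isp.example` and all function names are hypothetical.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed records (assumptions): placeholder names, RFC 5737 addresses.
EXTERNAL = {  # answers from the public DNS
    ("yourdomain.com", "MX"): ["smtp.yourdomain.com"],
    ("smtp.yourdomain.com", "A"): ["203.0.113.10"],
    ("203.0.113.10", "PTR"): ["smtp.yourdomain.com"],
    ("203.0.113.20", "PTR"): ["pool-20.isp.example"],  # generic NAT pool
}
INTERNAL = {  # answers from the LAN DNS
    ("yourdomain.com", "MX"): ["smtp.yourdomain.com"],
    ("smtp.yourdomain.com", "A"): ["10.0.0.25"],
}

def is_lan(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def mx_addresses(view, domain):
    """Follow MX -> A in one DNS view and return the addresses found."""
    return {ip for host in view.get((domain, "MX"), [])
            for ip in view.get((host, "A"), [])}

def audit(domain, egress_ip, external=EXTERNAL, internal=INTERNAL):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    pub, lan = mx_addresses(external, domain), mx_addresses(internal, domain)
    if not pub:
        findings.append("external view: MX does not lead to an A record")
    if any(is_lan(ip) for ip in pub):
        findings.append("external view: MX leads to a LAN address")
    if not lan or not all(is_lan(ip) for ip in lan):
        findings.append("internal view: MX does not lead to a LAN address")
    # Outbound: the SNAT address should be the one the MX points at ...
    if egress_ip not in pub:
        findings.append(f"mail leaves from {egress_ip}, not the MX address")
    # ... and its PTR name must resolve back to it (forward-confirmed rDNS).
    ptr_names = external.get((egress_ip, "PTR"), [])
    if not any(egress_ip in external.get((n, "A"), []) for n in ptr_names):
        findings.append(f"reverse DNS for {egress_ip} is not forward-confirmed")
    return findings

if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.20"):
        print(ip, audit("yourdomain.com", ip) or "OK")
```

The second address models mail leaving through the firewall's generic NAT rule instead of a dedicated SNAT rule, which is the mismatch receiving servers score against.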