  #1 (permalink)  
Old 12-15-2009, 08:59 AM
Senior Member
 
Posts: 56
[SOLVED] Trouble with Web Client Access - from public hotspots

Hi All,

Zimbra is working well sending and receiving mail from inside our network. I am now testing to be sure our outside users of the Web Client can connect and do business from public hotspots. ex. internet cafe. I am having trouble with the web client connecting.

Example: Connecting from McDonalds - I can ssh in fine, connect using http to the admin console fine, but have trouble connecting with the Web Client even with port 443 and 25 open.

I have read the other posts on "ports" for zimbra and have the following ports forwarded through our firewall to the zimbra server on our private network:

SSH 22 (just in case I need it - root access only)
Postfix 25 (open just for argument sake)
Postfix 2525 (DynDNS Mail Hop - around the ISP's block)
HTTP 80
POP3 110
IMAP 143
LDAP 389
HTTPS 443
IMAPS w/ SSL 993
POPS w/ SSL 995
For Zimbra Admin access 7071

Any tips on resolving this issue?

Steve
Reply With Quote
  #2 (permalink)  
Old 12-15-2009, 09:42 AM
Zimbra Consultant & Moderator
 
Posts: 20,317
Default

Quote:
Originally Posted by tribear View Post
Zimbra is working well sending and receiving mail from inside our network. I am now testing to be sure our outside users of the Web Client can connect and do business from public hotspots. ex. internet cafe. I am having trouble with the web client connecting.
What sort of trouble, exactly, are you having? I assume you have a Split DNS set-up so is your DNS setting on your LAN correct?

Quote:
Originally Posted by tribear View Post
Example: Connecting from McDonalds - I can ssh in fine, connect using http to the admin console fine,
I hope you mean https on port 7071?
Quote:
Originally Posted by tribear View Post
but have trouble connecting with the Web Client even with port 443 and 25 open.
Describe the problem.

Quote:
Originally Posted by tribear View Post
I have read the other posts on "ports" for zimbra and have the following ports forwarded through our firewall to the zimbra server on our private network:

SSH 22 (just in case I need it - root access only)
Postfix 25 (open just for argument sake)
Postfix 2525 (DynDNS Mail Hop - around the ISP's block)
HTTP 80
POP3 110
IMAP 143
LDAP 389
HTTPS 443
IMAPS w/ SSL 993
POPS w/ SSL 995
For Zimbra Admin access 7071
This is too many ports (depending on your requirements) but we'll cover that later.
__________________
Regards


Bill
Reply With Quote
  #3 (permalink)  
Old 12-15-2009, 12:51 PM
Senior Member
 
Posts: 56
Default

Basically,
I can connect to my network- (using ssh on port 22 for admin work)
I can connect with Zimbra Web Admin console - (using port 7071)
I can not get the Zimbra Desktop client to connect to my server inside/outside my network - we can talk about that later.

** I can not connect with Zimbra using Web client from outside my network using port 25 (blocked by ISP) or port 443 - it's just not connecting.

The other ports are open to test whether various clients can connect to deliver and retrieve mail: eg. Thunderbird Imap or Evolution IMAP etc.
Ports that are open now:
pop3 w/o ssl
imap w/o ssl
HTTP for normal Web client access
HTTPS for secure Web client access (if I need it to make it work)
LDAP - I read it had to be open for client authentication - maybe not.

So let's focus on the WEB client's problem with connecting from outside the network.
The Admin console works.... so I am baffled as to why the Web client fails.
I know port 25 is blocked by isp but 443 should be available for connecting.

Your thoughts. If you want IM me at "glider7808" no quotes needed.

Steve
Reply With Quote
  #4 (permalink)  
Old 12-15-2009, 11:35 PM
Zimbra Consultant & Moderator
 
Posts: 20,317
Default

Quote:
Originally Posted by tribear View Post
So let's focus on the WEB client's problem with connecting from outside the network.
The Admin console works.... so I am baffled as to why the Web client fails
Yes, but what do you mean by 'fails' and what happens? Does it time out, do you see the login page or any other error? Try a telnet from an external address to port 443, if you get no response then I'd suggest you have a firewall problem. If you have port 443 forwarded to the LAN IP of your Zimbra server and it's running in https mode (you've changed that, haven't you?) then you should have no problem connecting. When you connect to your Zimbra server it's either http or https that's available and not both.
__________________
Regards


Bill
Reply With Quote
  #5 (permalink)  
Old 12-16-2009, 10:56 AM
Senior Member
 
Posts: 56
Default RE:Trouble with Web Client Access

Quote:
Originally Posted by phoenix View Post
Yes, but what do you mean by 'fails' and what happens? Does it time out, do you see the login page or any other error? Try a telnet from an external address to port 443, if you get no response then I'd suggest you have a firewall problem. If you have port 443 forwarded to the LAN IP of your Zimbra server and it's running in https mode (you've changed that, haven't you?) then you should have no problem connecting. When you connect to your Zimbra server it's either http or https that's available and not both.
To answer your questions - The other night I never even saw the log in screen for the web client but did get all the way through log in with the Admin console.

Bill - The https setting change needed for the Web Client was something I did not know needed to be done. I assumed Zimbra would "see" me in ldap and allow the connection through the appropriate port (of course port 25 was blocked). So that failed completely and 443 was not working because I had not made the https change you suggested.

So, I made the change and will go to the field and test it today.

For today's test - the only ports open will be:
2525 - dyndns mail hop (Relay MTA for external delivery)
443 - Web Mail Client
143 - IMAP Mail Client

I'll have an update after the field test.

Steven
Reply With Quote
  #6 (permalink)  
Old 12-16-2009, 06:35 PM
Senior Member
 
Posts: 56
Default Default RE:Trouble with Web Client Access

Bill,

After testing today I still can not connect from outside on port 443 using the Web Client or Telnet to it either. I can telnet to standard ports 110, 143 & 2525 (used by dyndns mail hop). I checked - 443 is open on first firewall (port forwarded) to internal router to the zimbra mail server just like the others.

I was curious to see what kind of changes happened at the MTA after running the https command to setup 443 for web client and looked at the Postfix Master.cf.ini and noticed one change that I don't understand. Postfix should be listening on 2525 for DynDns and nothing else - except maybe 443? and saw a line for port 465?
What is that about?

So I added 443 and still could not telnet to it; I must be missing something simple?

This is a snip from the config concerning smtpd:
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
2525      inet  n       -       n       -       -       smtpd
465       inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
submission inet n       -       n       -       -       smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=%%zimbraMtaSaslAuthEnable%%
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%


Steve
Reply With Quote
  #7 (permalink)  
Old 12-17-2009, 12:11 AM
Zimbra Consultant & Moderator
 
Posts: 20,317
Default

When you changed the mode to https, did you restart zimbra? Can you telnet to port 443 and reach it via a browser from inside your LAN?

Port 465 in the configuration file is for the Submission port, that's the correct port that a 'fat client' should use to submit mail for relaying/delivery and not port 25. The use of Port 465 has been deprecated and Port 587 is the correct port to use, this is automatically set in Zimbra 6.x but needs to be added in prior versions.

Quote:
Originally Posted by tribear View Post
I checked - 443 is open on first firewall (port forwarded) to internal router to the zimbra mail server just like the others.
What are you using for your Firewall (IPTABLES or some other device)? Is there anything else between the firewall and your Zimbra server? All I can suggest is that the firewall is blocking the connection or you have SElinux enabled which might be causing this sort of problem (but that would also cause problems for LAN connections).

Could you update your forum profile with the output of the following (so we know which version you're running):

Code:
zmcontrol -v
__________________
Regards


Bill
Reply With Quote
  #8 (permalink)  
Old 12-17-2009, 09:02 AM
Senior Member
 
Posts: 56
Default Trouble with Web Client Access - from public hotspots

Bill,

Quote:
Originally Posted by phoenix View Post
When you changed the mode to https, did you restart zimbra? Can you telnet to port 443 and reach it via a browser from inside your LAN?
Yes I restarted Zimbra
"telnet to port 443" NO - tried outside static IP and Internal IP address of server.
"reach it via a browser from inside your LAN?" YES, Web Client works fine.

Quote:
Originally Posted by phoenix View Post
The use of Port 465 has been deprecated and Port 587 is the correct port to use, this is automatically set in Zimbra 6.x but needs to be added in prior versions.
Since I am using 6.x should I change this port to 587?

Quote:
Originally Posted by phoenix View Post
What are you using for your Firewall (IPTABLES or some other device)? Is there anything else between the firewall and your Zimbra server?
IPTables is disabled for this server - I use two hardware routers for security, port forward using my VOIP/Firewall router to my private Lan router to virtual servers on the private lan. Note: I do have my own DNS running on my private lan and is visible from outside. I maintain both external and internal views in my DNS config and the MX resolves fine.

Quote:
Originally Posted by phoenix View Post
- SElinux enabled which might be causing this sort of problem (but that would also cause problems for LAN connections).
SElinux is set to permissive so I can track issues without killing off access to things it complains about.

Quote:
Originally Posted by phoenix View Post
Could you update your profile
It has been updated.
Using 6.0.2_GA_1912.RHEL5_20091020185714 RHEL5 FOSS edition

Last edited by phoenix; 12-17-2009 at 10:02 AM..
Reply With Quote
  #9 (permalink)  
Old 12-17-2009, 10:10 AM
Zimbra Consultant & Moderator
 
Posts: 20,317
Default

Even running SElinux in permissive mode can cause problems, can you disable it completely (it is recommended not to have it enabled on the Zimbra server) while you're testing this problem?

If you want to use a Submission port then 587 would be the correct one to use.

I can only suggest that you check the rules in your routers for port 443 and make sure they're set the same as one of the ports that can be accessed. Let me know what happens when you've disabled SElinux. It also makes no sense that you can access the server via https on the LAN and not telnet to that port.
__________________
Regards


Bill
Reply With Quote
  #10 (permalink)  
Old 12-17-2009, 11:48 AM
Senior Member
 
Posts: 56
Default Trouble with Web Client Access - from public hotspots

Quote:
Originally Posted by phoenix View Post
Even running SElinux in permissive mode can cause problems, can you disable it completely (it is recommended not to have it enabled on the Zimbra server) while you're testing this problem?

OK it is disabled - I rebooted and restarted zimbra.

If you want to use a Submission port then 587 would be the correct one to use.

I will make that later after testing the first change.

I can only suggest that you check the rules in your routers for port 443 and make sure they're set the same as one of the ports that can be accessed. Let me know what happens when you've disabled SElinux. It also makes no sense that you can access the server via https on the LAN and not telnet to that port.
Here are the results of telnet sessions from outside the network to domain static IP:
port 443 fails and 2525 works fine. Both are open on both routers.

[root@newbee steven]# telnet xx.xxx.xxx.xx 443
Trying xx.xxx.xxx.xx...
Connected to adsl-074-167-251-030.sip.rmo.bellsouth.net (xx.xxx.xxx.xx).
Escape character is '^]'.
Connection closed by foreign host.
[root@newbee steven]# telnet xx.xxx.xxx.xx 2525
Trying xx.xxx.xxx.xx..
Connected to adsl-074-167-251-030.sip.rmo.bellsouth.net (xx.xxx.xxx.xx).
Escape character is '^]'.
220 mail1.sprague-enterprises.com ESMTP Postfix


Here is the results of telnet from inside the private network:
[root@newbee steven]# telnet xx.xxx.xxx.xx 443
Trying xx.xxx.xxx.xx...
Connected to mail1.sprague-enterprises.com (xx.xxx.xxx.xx).
Escape character is '^]'.
Connection closed by foreign host.
[root@newbee steven]# telnet xx.xxx.xxx.xx 2525
Trying xx.xxx.xxx.xx...
Connected to sprague-enterprises.com (xx.xxx.xxx.xx).
Escape character is '^]'.
220 mail1.sprague-enterprises.com ESMTP Postfix


Suggestions

Steven

Last edited by tribear; 12-18-2009 at 07:33 AM.. Reason: security
Reply With Quote
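The telnet tests in this thread separate several outcomes by eye: no response, a connection that is accepted and then closed (port 443 in post #10), and a service banner (Postfix on 2525). As an added example that is not part of the thread or of Zimbra, this Python script classifies a port the same way and also tries a TLS handshake when the listener stays silent; the function name `probe` and its result labels are assumptions of this example.

```python
import socket
import ssl
import threading

def probe(host, port, timeout=3.0):
    """Classify one TCP port: refused, filtered, closed, banner, tls, open-silent."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"        # host answered with RST: nothing listening
    except socket.timeout:
        return "filtered"       # no answer at all: dropped somewhere on the path
    except OSError:
        return "unreachable"
    with sock:
        try:
            data = sock.recv(256)
        except socket.timeout:
            data = None         # listener waits for the client to speak first
        except ConnectionResetError:
            return "closed"
    if data == b"":
        return "closed"         # accepted, then dropped: the 443 transcripts
    if data:
        return "banner: " + data.decode("latin-1").strip()  # the 2525 transcripts
    return "tls" if _tls_ok(host, port, timeout) else "open-silent"

def _tls_ok(host, port, timeout):
    """True if a TLS handshake completes (what an HTTPS listener should do)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # reachability test only, not certificate trust
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except OSError:             # includes ssl.SSLError and timeouts
        return False

if __name__ == "__main__":
    # Constructed demo target: a local listener that accepts and closes at once.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    threading.Thread(target=lambda: srv.accept()[0].close(), daemon=True).start()
    print(probe("127.0.0.1", srv.getsockname()[1]))
```

A "closed" result means the TCP path and port forward work and whatever accepted the connection dropped it, which points away from the routers and toward the listener itself.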