[SOLVED] Mailbox Server Behind Firewall

[mattrat]

Hi There,

I have the following setup on our network.

INTERNET --> FIREWALL 1 --> Zimbra Front End --> FIREWALL 2 --> Zimbra Mail Store

I am getting mail flow down to the mail store, my only problem is the web interface. I get a 502 bad gateway error from nginx. If I connect directly to the mail store server, I can login.

I have changed our DNS records, so that the front end should be looking at firewall 2 to locate the mail server (port forwards are setup on firewall 2 to the mail store server).

I am thinking that I may be missing a port forward somewhere - but I could be wrong :\.

Any ideas\suggestions welcome.

Cheers,
Matt.

[uxbod]

Welcome to the forums

What have you set for the Public Service Hostname with the Admin GUI or you can check with

Code:

su - zimbra
zmprov gd yourdomain.com zimbraPublicServiceHostname
zmprov gs `zmhostname` | grep Port

[mattrat]

Hi uxbod,
Thanks for your assistance & the welcome

I grabbed this from the console.

zmprov gd yourdomain.com zimbraPublicServiceHostname gives:
#name

zmprov gs `zmhostname` | grep Port gives
zimbraAdminPort: 7071
zimbraImapBindPort: 7143
zimbraImapProxyBindPort: 143
zimbraImapSSLBindPort: 7993
zimbraImapSSLProxyBindPort: 993
zimbraLmtpBindPort: 7025
zimbraMailPort: 0
zimbraMailProxyPort: 80
zimbraMailSSLPort: 0
zimbraMailSSLProxyPort: 443
zimbraMemcachedBindPort: 11211
zimbraNotifyBindPort: 7035
zimbraNotifySSLBindPort: 7036
zimbraPop3BindPort: 7110
zimbraPop3ProxyBindPort: 110
zimbraPop3SSLBindPort: 7995
zimbraPop3SSLProxyBindPort: 995
zimbraRemoteManagementPort: 22
zimbraSmtpPort: 25

Cheers,
Matt.

[dwmtractor]

I may be guessing too much, but in similar settings where I've set these things up, the problem has been that although you're port-forwarding INCOMING traffic, your OUTGOING traffic is going from a different IP address due to the default NAT configuration for the router. For example, if your main public IP address is x.x.x.2, and you're using x.x.x.3 for your mail server (and port-forwarding its traffic to an internal ip), the outgoing traffic from the mail server needs to be SNAT translated to source from x.x.x.3 because by default the regular NAT rule will have it coming out through .2.

So set up an outgoing SNAT rule and see if that doesn't make it work.

[mattrat]

The firewall itself doesn't support SNAT rules. Is there something i can do on the mailbox server to "fake" an outgoing ip address?

[dwmtractor]

The firewall itself doesn't support SNAT rules. Is there something i can do on the mailbox server to "fake" an outgoing ip address?

No, I'm afraid that can only be done on the device that is doing the NAT service. If your router doesn't support SNAT (and many don't), you are left with only four choices:

1) Hang your mailserver on a truly public IP address (not recommended);

2) Change your current NAT rule so the necessary incoming ports (25 and 443 at the least) translate from your primary IP (not an alternate one) to the mail server; this allows the in- and out- packets to be on the same IP as well;

3) Put up with the current problems you have;

4) Change your gateway to one that can handle outgoing address translation as well as incoming.

[mattrat]

Thanks Dan,

What I have done so far is port forward http traffic through to the mailbox server.

I haven't checked POP3\IMAP, however webmail access seems to be working fine.

Do you see any security implications to leaving it this way (I imagine there is exposing the mail store)?

Cheers,
Matt

[dwmtractor]

Thanks Dan,

What I have done so far is port forward http traffic through to the mailbox server.

I haven't checked POP3\IMAP, however webmail access seems to be working fine.

Do you see any security implications to leaving it this way (I imagine there is exposing the mail store)?

Cheers,
Matt

I don't see a problem with this, Matt. The only way you could be more secure would be if you had a separate server for your mailstore from the one that handled your webmail, and that's normally only done by those of our users (and I am NOT one of them) who host really large installations that need to spread the load around. HTTP alone isn't going to compromise your server unless someone discovers a bug in Tomcat or related modules (I shouldn't think), and if they do I would be pretty confident that the Zimbra team would be all over it PDQ!

[mattrat]

Awesome, then it can stay this way for the time being

Thanks for all your help guys - appreciate it!

Cheers,
Matt.