04-28-2010, 04:58 PM
[SOLVED] Mailbox Server Behind Firewall

Hi There,
I have the following setup on our network.
INTERNET --> FIREWALL 1 --> Zimbra Front End --> FIREWALL 2 --> Zimbra Mail Store
I am getting mail flow down to the mail store, my only problem is the web interface. I get a 502 bad gateway error from nginx. If I connect directly to the mail store server, I can login.
I have changed our DNS records, so that the front end should be looking at firewall 2 to locate the mail server (port forwards are setup on firewall 2 to the mail store server).
I am thinking that I may be missing a port forward somewhere - but I could be wrong :\.
Any ideas/suggestions welcome.
Cheers,
Matt.
04-29-2010, 06:00 AM
Welcome to the forums

What have you set for the Public Service Hostname in the Admin GUI? Or you can check with:

Code:
su - zimbra
zmprov gd yourdomain.com zimbraPublicServiceHostname
zmprov gs `zmhostname` | grep Port
04-29-2010, 03:30 PM
Hi uxbod,
Thanks for your assistance & the welcome
I grabbed this from the console.

Code:
zmprov gd yourdomain.com zimbraPublicServiceHostname
gives:
#name

Code:
zmprov gs `zmhostname` | grep Port
gives:
zimbraAdminPort: 7071
zimbraImapBindPort: 7143
zimbraImapProxyBindPort: 143
zimbraImapSSLBindPort: 7993
zimbraImapSSLProxyBindPort: 993
zimbraLmtpBindPort: 7025
zimbraMailPort: 0
zimbraMailProxyPort: 80
zimbraMailSSLPort: 0
zimbraMailSSLProxyPort: 443
zimbraMemcachedBindPort: 11211
zimbraNotifyBindPort: 7035
zimbraNotifySSLBindPort: 7036
zimbraPop3BindPort: 7110
zimbraPop3ProxyBindPort: 110
zimbraPop3SSLBindPort: 7995
zimbraPop3SSLProxyBindPort: 995
zimbraRemoteManagementPort: 22
zimbraSmtpPort: 25
Cheers,
Matt.
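As an added diagnostic (not part of the thread or of Zimbra's own tooling): the port output above comes from the front-end proxy host, and each public listener nginx exposes there is forwarded to a matching backend port on the mail store, so FIREWALL 2 has to pass those backend ports from the front end to the store. The script parses the quoted `zmprov gs ... | grep Port` output (trimmed to the relevant attributes) and lists that mapping; it assumes Zimbra's standard proxy-attribute to bind-attribute pairing, and treats a 0 on the proxy host (as for zimbraMailPort here) as "not set on this host, read it from the mail store".

```python
import re

# Constructed sample: an excerpt of the `zmprov gs \`zmhostname\` | grep Port`
# output quoted in the thread, as captured on the front-end (proxy) host.
SAMPLE_OUTPUT = """\
zimbraImapBindPort: 7143
zimbraImapProxyBindPort: 143
zimbraImapSSLBindPort: 7993
zimbraImapSSLProxyBindPort: 993
zimbraMailPort: 0
zimbraMailProxyPort: 80
zimbraMailSSLPort: 0
zimbraMailSSLProxyPort: 443
zimbraPop3BindPort: 7110
zimbraPop3ProxyBindPort: 110
zimbraPop3SSLBindPort: 7995
zimbraPop3SSLProxyBindPort: 995
"""

# Public-facing proxy listener -> backend attribute nginx forwards it to
# (assumed standard Zimbra pairing; not taken from the thread).
PROXY_TO_BACKEND = {
    "zimbraMailProxyPort": "zimbraMailPort",
    "zimbraMailSSLProxyPort": "zimbraMailSSLPort",
    "zimbraImapProxyBindPort": "zimbraImapBindPort",
    "zimbraImapSSLProxyBindPort": "zimbraImapSSLBindPort",
    "zimbraPop3ProxyBindPort": "zimbraPop3BindPort",
    "zimbraPop3SSLProxyBindPort": "zimbraPop3SSLBindPort",
}

def parse_ports(text):
    """Turn 'zimbraXxxPort: value' lines into {attribute: int}."""
    ports = {}
    for m in re.finditer(r"^(zimbra\w+Port):\s*(\d+)\s*$", text, re.M):
        ports[m.group(1)] = int(m.group(2))
    return ports

def backend_rules(ports):
    """Return (proxy_port, backend_attr, backend_port) for each enabled listener.
    backend_port is None when the attribute is 0 on this host, meaning the
    real value must be read from the mail store (zmprov gs <mailstore>)."""
    rules = []
    for proxy_attr, backend_attr in PROXY_TO_BACKEND.items():
        proxy_port = ports.get(proxy_attr, 0)
        if proxy_port == 0:
            continue  # listener disabled on the proxy, nothing to forward
        backend_port = ports.get(backend_attr, 0) or None
        rules.append((proxy_port, backend_attr, backend_port))
    return rules
```

A 502 from nginx on port 80 or 443 corresponds to the rows whose backend port is None here: the proxy could not reach the store's HTTP or HTTPS port through FIREWALL 2.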
04-29-2010, 03:47 PM
I may be guessing too much, but in similar settings where I've set these things up, the problem has been that although you're port-forwarding INCOMING traffic, your OUTGOING traffic is going from a different IP address due to the default NAT configuration for the router. For example, if your main public IP address is x.x.x.2, and you're using x.x.x.3 for your mail server (and port-forwarding its traffic to an internal IP), the outgoing traffic from the mail server needs to be SNAT translated to source from x.x.x.3 because by default the regular NAT rule will have it coming out through .2.
So set up an outgoing SNAT rule and see if that doesn't make it work.
Cheers,
Dan
04-30-2010, 10:10 PM
The firewall itself doesn't support SNAT rules. Is there something I can do on the mailbox server to "fake" an outgoing IP address?
05-01-2010, 06:37 PM
Quote:
Originally Posted by mattrat
The firewall itself doesn't support SNAT rules. Is there something I can do on the mailbox server to "fake" an outgoing IP address?

No, I'm afraid that can only be done on the device that is doing the NAT service. If your router doesn't support SNAT (and many don't), you are left with only four choices:
1) Hang your mailserver on a truly public IP address (not recommended);
2) Change your current NAT rule so the necessary incoming ports (25 and 443 at the least) translate from your primary IP (not an alternate one) to the mail server; this allows the in- and out- packets to be on the same IP as well;
3) Put up with the current problems you have;
4) Change your gateway to one that can handle outgoing address translation as well as incoming.
Cheers,
Dan
05-03-2010, 01:58 AM
Thanks Dan,
What I have done so far is port forward http traffic through to the mailbox server.
I haven't checked POP3/IMAP, however webmail access seems to be working fine.
Do you see any security implications to leaving it this way (I imagine there is exposing the mail store)?
Cheers,
Matt
05-03-2010, 09:36 AM
Quote:
Originally Posted by mattrat
Thanks Dan,
What I have done so far is port forward http traffic through to the mailbox server.
I haven't checked POP3/IMAP, however webmail access seems to be working fine.
Do you see any security implications to leaving it this way (I imagine there is exposing the mail store)?
Cheers,
Matt

I don't see a problem with this, Matt. The only way you could be more secure would be if you had a separate server for your mailstore from the one that handled your webmail, and that's normally only done by those of our users (and I am NOT one of them) who host really large installations that need to spread the load around. HTTP alone isn't going to compromise your server unless someone discovers a bug in Tomcat or related modules (I shouldn't think), and if they do I would be pretty confident that the Zimbra team would be all over it PDQ!
Cheers,
Dan
05-03-2010, 02:06 PM
Awesome, then it can stay this way for the time being.
Thanks for all your help guys - appreciate it!
Cheers,
Matt.