Zimbra's Default Behaviour over LAN

[Ivand]

Hello

Im new to Zimbra and i'm gonna install it for a midsize business (150-200 accounts). Im just worried because of the characteristics of our setup.

It is a rather far office (20kms away from the nearest city) and because of that we cant get hi-speed internet.

I want to be able to send emails to the outside world, not only the domain (companyname.com).

So the question is, is it possible for emails sent to user@companyname.com to be send over the lan, not the Internet connection, and only have emails sent to other outside domains (user@gmail.com) leave the LAN?

[imx]

Anything that is local to the server wont leave the server, its pointless sending mail out to the wider internet only for it to come back again

However, bear in mind that you cant control spammers - or certainly not their use of your bandwidth. If bandwidth is limited, id look in to rate limiting connections via iptables, to prevent unnecessary hammering of your server; although youre still at the mercy of the spammers themselves.

Why not colocate the server? Depending on the the mail traffic/users im sure the web gui based traffic would be lower that running the server locally.

[Ivand]

so, basically if user a sends an email to user b (both in the same LAN), other than to resolve the domain, the email doesnt leave the LAN?

I dont have a problem with bandwidth consumption, the problem is speed. I dont think i will have a spammers problem since most emails will be for internal use only.

Also, colocation is not an option since is a government institution and the security guidelines mandate that emails cant be hosted anywhere else other than the institution

[phoenix]

Quote:

Originally Posted by Ivand

so, basically if user a sends an email to user b, other than to resolve the domain, the email doesnt leave the server?

That would be correct.

[imx]

Unfortunately, you cant control your users or where their email addresses end up - hence spammers will always pick up email addresses.

But, that aside, youre going to have to open port 25 ingress to your mail server - unless you use some intermediate processing solution elsewhere, but youve said thats not an option - spammers will just nail port 25, hence my suggestion to rate limit connections per source IP in iptables.

Also, using something like fail2ban, to process the zimbra/postfix log files to then silently drop any future ingress traffic from specific ip's where a postfix 554/550 error is given. I was seeing well over 300K a day of relay denied traffic, on a very small installation, fail2ban had this down to about 200 per day, instantly. Using the basic fundamentals of TCP, if you stop traffic prior to the initial 3 way handshake, ie all you receive is SYN not the subsequent ACK and traffic because your firewall is dropping it, your bandwidth requirements will drop substantially.

[Ivand]

also, is there any user policy to not allow an user to send emails to other domains other than the @companyname.com one?

[imx]

Google t'is your friend

Restrict sending to certain domains - Zimbra :: Wiki