To Proxy or Not To Proxy?

[nimble7]

I have my Zimbra server up and running and I LOVE IT. The webmail access does everything I could ever ask for and more.

While the documentation does a good job in walking through setup, I'm looking for resources on how to protect my data on the box. Should I set up a proxy for it? (The box is currently in my DMZ). Is that a bad spot for it? Besides a firewall, what else should I consider?

What's a good place for me to start learning how to secure this box?

Thanks!

[Krishopper]

The first place to protect it would definitely be the firewall.

The proxy service has had issues with http/https in the past, and always hasn't been the most recommended way to do things, but it does work. You could install MTA's and Proxy (web/pop3/imap) in the DMZ, and keep the Zimbra mailbox and directory servers in the private region of your network. I'm not sure how many servers you have to work with, or what your security requirements are (for example, if you have to deal with audits). But typically just getting a firewall set up is usually enough.

[nimble7]

Thanks Krishopper. I'm a guest on a corporate network, but I'm the only user and the only mail account on the box. I don't have to worry about audits, but I definitely need to protect the data.

Their firewall blocks everything but 25, 443, 587, and 993. I Iptables off everything except for 25 so that I can only access them from trusted IPs. (There are certainly advantages of being the only user on the box)

I'm curious what added benefit a proxy would have. Also, I'm denying traffic from other boxes in the DMZ, so is there an advantage to putting a proxy in place and moving my mail server back in to the private network?

Thanks!

[Krishopper]

The benefit of the proxy is that it will proxy POP/IMAP traffic to the proper mailbox host, so you can move mailboxes around (more of a network-edition feature) and you don't have to always change around the hostnames which people connect to.