Request for Advice on Install

[mar9999]

I'm helping a group to install their first mail server. I'm of course using Open Source Zimbra, as it rocks! I have set up an internal working test server on fedora core. Here are their details, along with the gotchas:

• There are ten group members at present.
• They run Windows pcs, and are in a Server 2003 Active Directory domain.
• They share one email address known to the outside world.
• Their individual workstations AREN'T connected to the internet; only one pc has internet access, for security reasons.

They presently perform the hoop-jumping for the above using floppies and sneaker-net. So, the existing admin person is quite willing to continue distributing the mail to the right party internally and collecting it for sending.

What I'd like to know are suggestions as to how to automate/simplify the mail in and out for this, if anyone has any. I thought perhaps a second MTA which lived on the machine with internet access, and some scheme of manually migrating its files to the internal MTA running where zimbra lives, but I don't know the details, or how feasible this would be.

Any help would be most appreciated!

Anthony

[jholder]

Hi Anthony, and welcome to the Zimbra Forums!
We're glad you like Zimbra.

You want to simplify in and out access. I'm a little confused on this.
Is not connecting to the net possible? What about intranet?

Personally, I like (Brace yourself) Windows Domain/DNS/AD
It really does make things easier. So, that's not a bad thing.

What would you like? Once you get a grasp on that, we can tell you the easiest way to do it.

[mar9999]

Thanks for replying. Sorry I wasn't clear [I knew what I wanted, guess that telepathy thing isn't kicking in yet...]

No, internet access for all isn't in the [near] future for them. It's a question of security, and paranoia, I guess. There's one machine with access. And only a couple people who have access to it. This might eventually change, but not for a while...

I'd like to make some kind of setup where a human was the go-to man between the internet computer and the intranet computers. Mail would spool on the internet computer, from their email provider (they currently use POP3 connection and outlook to gather email; I'd like to eliminate that). The human would transfer them manually (via usb key or something) to intranet machine, This intranet machine would have zimbra installed, and would 'see' the files, scan for viruses, etc., and pass them as messages to a designated email account. Then that human would distribute via Zimbra as needed. And similarly in the opposite direction. All they'd do would be run a script which would grab the files from one side, and put onto the transfer media, and then another script on other side would move on.

Here's what I don't know about the above:

• Can a Zimbra MTA talk to an email server via POP3 or something to gather emails? Or, am I trying to make things difficult?
• Can the files that 'spool' via the MTA (which constitute emails and their attachments) be manually transferred to another machine, and would that other machine then 'see' them and process them into Zimbra?

To summarize, instead of two MTA's talking to each other via a TCP port, there'd be no direct connection between them. The data could arrive somewhere, and then be handled, if that's possible.

Hopefully that helped clarify what I'd like. Or, perhaps it made things worse. Let me know.

Anthony

[mar9999]

I should have added, as far as intranet goes, all users would have free access to Zimbra, and send email to and fro between each other with abandon. The security sticker is no direct access to internet, and vice versa.

Anthony

[jholder]

I think what you're looking for is relaying.
Go ahead and take a look in the wiki for this.

It can be difficult, but if you have any trouble, let us know.

[mar9999]

I think relay is what I'm after, too!

I have a [ignorant] question: If mail is collected on the server they use now, and access via POP, how do I setup the MTA to access that server and get their mail? Can an MTA connect via POP to extract mail?

Perhaps my ignorance is more fundamental, but since they don't own the server that manages their mail, I don't know how I interface to it, other than POP or IMAP...But these are client interfaces, and I'm putting another server into the pipe, thus I'm confused.

Hopefully you understand my confusion and can help? If you don't, let me know and I'll try some more.

Anthony

[russgalleywood]

Hi Guys,

I am always eager to help if I can, misguided yes, but certainly eager!

This thread seems interesting but a little confusing.

I thought I might let you know our set-up and see if it is of any help at all.

Firstly, as far as I can tell you are saying that your Zimbra server and all the PC's accessing it are not connected to the Internet except through one PC that has an Net connection.
I was just wondering, how do the PC's send out their email if they are not connected to the Net? Does it go out through the one 'Net' PC?

So you would need a machine to collect all the mail and then someone to physically transfer all the mail to the Zimbra server but is there really no way that the Zimbra machine could be linked through the internal network to a secure MTA server?
It's just that with our Network I have a SME Linux server which is already configured as an Mail and Firewall server and it simply forwards all mail to our Zimbra server.
Using this method, you don't have to allow any access to the outside world for all the PC's and it would be much easier to get the mail across.
The SME server is very secure if this is a serious concern, is easy to install and of course free!
And if you need to get mail from an external POP3 server then why can't the Zimbra server be the one connected to the Net and then just use the 'POP Accounts' section in Zimbra to download the mail?

Just a suggestion, sorry if I missed the point entirely!



Russ

[mar9999]

Russ,

Thanks for your reply, and you didn't miss the boat at all!

The folks have security concerns, and yes, only one pc, disconnected from rest of the intranet, has internet access at present. They use floppies and sneakernet to pass email to/from that machine, with lots of manual intervention.

I'm thinking of a plan b, where the internet machine has two nic cards, along with two nic's for the zimbra internal server, and configuring just the email to pass through...as I haven't found another way to do it that isn't as cumbersome as their existing scenario. I think separate nics, with no routing between them, and the internet machine being a hardened linux box, would suffice to still secure things. I would appreciate any feedback on whether this would/could be totally secure: security isn't my expertise unfortunately.

Anthony

[russgalleywood]

Well at least I wasn't miles off then!

I have some ideas about your situation but I think I'll wait and see what the Zimbra Guys say first and I'll have a think about it in the meantime.

Cheers

Russ

[phoenix]

Well if you're after a really simple set-up with no internet access for the local PCs then maybe the following would be worth thinking about.

One machine connected to the internet (as a router/firewall) with two NICs, one for the connection and the second connected to a switch (for the LAN). The LAN subnet (for example) is 192.168.1.x - Zimbra server on 192.168.1.10 and other PCs with dymanic IPs plugged into the switch. In the firewall you can block outbound traffic from the LAN PCs and allow outbound SMTP traffic for the Zimbra server. ALl PCs then have access to their email and nobody can get access to the internet. Thatr does depend on the admin setting it up correctly and enforcing the security.

The wonderful piece of firewall software that can achieve this is Endian Firewall (free, of course) and it's available from http://www.endian.it - admin for the firewall is by a browser interface and it's a doddle to set-up on an old PC.