Zimbra :: Forums > Zimbra Collaboration Suite > Installation

#1  05-28-2007, 09:27 PM  Member (Posts: 11)
Proper Firewall configuration

I installed Zimbra on CentOS 4.4. Everything was working fine. I then enabled the firewall on our network to block access to/from certain ports (basically I want ports 25, 443, and 7071 on the system to be reachable from the public internet). We may open POP3 and IMAP, but that will be for later.

The system's FQDN resolves via DNS (to the public IP, which is forwarded through the firewall), and it is in the hosts file, so it should (and does) resolve to 127.0.0.1 from the local machine. However, once I enable the firewall, inbound mail gets stuck in deferred, with errors that a connection to the FQDN is timing out. I assume something is using DNS (instead of the hosts file) to resolve the name, getting the public IP, and trying to connect to some port on that IP through the firewall, which is then blocked by the firewall...

If I change the DNS resolution of the FQDN to 127.0.0.1 and add another A record that resolves to the public IP, then it all works. But I've got to think having A records resolve to 127.0.0.1 has to be a no-no in some RFC (if you try to ping that A record it resolves to your local machine and you ping yourself...)

So the question is: what ports are required to be accessible on the IP that the FQDN resolves to via DNS?

Last edited by pavera; 05-28-2007 at 09:31 PM.

#2  05-28-2007, 10:52 PM  Zimbra Consultant & Moderator (Posts: 20,317)

Welcome to the forums.

If you are behind a NAT device then you need DNS A & MX records that resolve to the LAN IP of your Zimbra server; it also sounds like your hosts file is incorrect. Please check the Quick Start Guide for the DNS & hosts file requirements. There are many threads in the forums and details in the wiki with DNS setup details; check those items. We also recommend that you do not enable a firewall (or SELinux) on the Zimbra server itself.
Regards,
Bill

#3  05-29-2007, 03:13 AM  Member (Posts: 11)


I've tried to read through the forums, but basically, from what you're saying, I either have to control my own DNS servers (so I can set up internal and external views), or I have to leave my entire Zimbra box open to the world, including the entire LDAP directory?

I don't have my own DNS servers, so setting up views is not a possibility for me. I guess I could use this Zimbra box as an internal DNS server... It also seems like a very strange requirement to disallow locking down a box as important as an email server with its own firewall, especially when it is running all of my authentication services. I'd almost compare Exchange favorably on the security front. Maybe I'll try to figure out a way to secure Zimbra and post a how-to.

#4  05-29-2007, 05:15 AM  Zimbra Consultant & Moderator (Posts: 20,317)


You can certainly run your Zimbra server behind a firewall and/or NAT router; I'm not saying you shouldn't. What I am saying is that running a firewall on the Zimbra server itself may cause problems. You may be able to get it running (there are several threads in the forums about it), but we don't recommend it. We don't have a requirement that your server is exposed to the internet; it can sit quite happily behind NAT and a firewall (my server does just that).

As I said earlier, if you are behind a NAT device then you will need to set up split DNS (described in the wiki) so that Zimbra (Postfix) can resolve addresses correctly.

You haven't actually described your setup, so it's not clear (at least to me) where your server sits and whether you have a firewall on the Zimbra server.
Regards,
Bill

#5  05-29-2007, 09:44 AM  Member (Posts: 11)


My server is set up behind a firewall, so I will have to set up split DNS. I just don't have the hardware to really do that right, so I'm working on a solution.

I guess I just don't understand why some of the services in Zimbra bind to localhost only (the LDAP server, the MySQL server) while others bind to both localhost and the public IP. It seems to me the only things that need to bind to the outside world in a default single-server configuration are Postfix on 25 and Apache on 80, 443, and 7071. If this were the case, Postfix should be able to communicate with whichever services it needs over localhost, and it would be more secure. Unfortunately, at some stage in email processing (antivirus? spam filtering?) Postfix goes out and tries to connect to services on the "public" IP address.

It's all good. I understand that it's just a requirement of the system, and that's fine; Zimbra is by far the best open source email/calendaring solution I've used or seen. I just wish it was a little easier to run a small install (I'm only setting this up for 4 users); it would be nice to not have to have my own DNS server that I can set up with split addressing, or more appropriately 2 DNS servers so I've got redundancy and my email doesn't stop working if one dies. Even though it's a small install, I still want it to work reliably.
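A check a practitioner would want after reading the post above: which listening sockets on the box are reachable from anything other than loopback, and which of those are outside the set of ports the administrator means to expose (25, 443 and 7071 in this thread). This is an added example, not code from the thread or from Zimbra. It parses the Linux net-tools `netstat -ltn` format; the sample output embedded in it is constructed, with illustrative port numbers rather than a statement of Zimbra's actual port layout.

```python
"""List TCP listeners reachable from outside loopback and flag unintended ones.

Added example, not part of the thread or of Zimbra. Parses ``netstat -ltn``
(Linux net-tools format). Run against a live host with:

    netstat -ltn | python3 listeners.py
"""
import ipaddress
import sys

# Constructed sample of ``netstat -ltn`` output. Port numbers are only
# illustrative (389 LDAP, 3306 MySQL, 10024 a content-filter daemon).
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:389           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:7071            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:10024      0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
"""


def split_endpoint(endpoint):
    """Split '192.168.1.10:25' or ':::80' into (ip_address object, port)."""
    host, _, port = endpoint.rpartition(":")
    if host == "":           # net-tools prints the IPv6 wildcard as ':::80'
        host = "::"
    return ipaddress.ip_address(host), int(port)


def listeners(netstat_text):
    """Return [(ip, port)] for every LISTEN line in netstat -ltn output."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[-1] != "LISTEN":
            continue          # header lines, non-TCP rows, non-listening sockets
        found.append(split_endpoint(fields[3]))
    return found


def exposed(netstat_text, intended_ports):
    """Return [(ip_str, port)] for non-loopback listeners not in intended_ports.

    A socket bound to 127.x or ::1 is unreachable from the LAN regardless of
    any host firewall, so only the rest can be 'exposed'. 0.0.0.0 and :: are
    wildcards and count as exposed on every interface.
    """
    unexpected = []
    for ip, port in listeners(netstat_text):
        if ip.is_loopback:
            continue
        if port not in intended_ports:
            unexpected.append((str(ip), port))
    return unexpected


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for ip, port in exposed(text, {25, 443, 7071}):
        print("unexpected listener %s:%d" % (ip, port))
```

On the constructed sample this reports `192.168.1.10:10024` and `:::80`: the first is a service bound to the LAN address rather than loopback, the second a wildcard-bound web port the administrator did not list. Whether a given port is acceptable is a policy decision; the script only makes the exposure visible.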

#6  05-29-2007, 09:51 AM  Zimbra Consultant & Moderator (Posts: 20,317)


You should have no problem running a DNS server on the Zimbra server, I do that on my system for my LAN and there's no problem with it.
Regards,
Bill
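The split-DNS requirement in replies #2, #4 and #6 comes down to three records agreeing with each other. Postfix's SMTP client resolves MX and A records with DNS queries rather than through /etc/hosts, which is why the hosts-file entry in the original post did not help: the address the server's own resolver returns for its FQDN must be the LAN address, the mail domain needs an MX pointing at a name with such an A record, and /etc/hosts should map the FQDN to the LAN interface, not 127.0.0.1. The script below checks those three conditions against a minimal BIND-style zone file and a hosts file. It is an added example, not Zimbra's tooling or anything from the wiki; example.com, 192.168.1.10 and 203.0.113.5 are made-up values.

```python
"""Check the DNS and /etc/hosts records a Zimbra host behind NAT needs.

Added example, not Zimbra's own tooling. Reads a minimal BIND-style zone
file and an /etc/hosts file and reports: the server's FQDN resolving to a
loopback or non-LAN address, a missing MX, or a hosts file mapping the
FQDN to 127.0.0.1. All names and addresses below are made up.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the zone an internal (split-DNS) server hands to the LAN.
ZONE_INTERNAL = """\
$ORIGIN example.com.
$TTL 3600
@       IN  SOA  ns1.example.com. hostmaster.example.com. (2007052901 3600 900 604800 3600)
@       IN  NS   ns1.example.com.
@       IN  MX 10 mail.example.com.
ns1     IN  A    192.168.1.10
mail    IN  A    192.168.1.10
"""

# Constructed sample of the public zone: right for the internet, wrong for the
# Zimbra box itself, which would then try to reach itself via the firewall.
ZONE_EXTERNAL = """\
$ORIGIN example.com.
@       IN  MX 10 mail.example.com.
mail    IN  A    203.0.113.5
"""

HOSTS_GOOD = "127.0.0.1 localhost.localdomain localhost\n192.168.1.10 mail.example.com mail\n"
HOSTS_BAD = "127.0.0.1 localhost mail.example.com mail\n"   # FQDN on the loopback line


def qualify(name, origin):
    """Expand a zone-file name to a lower-case FQDN without the trailing dot."""
    if name == "@":
        name = origin
    elif not name.endswith("."):
        name = name + "." + origin
    return name.rstrip(".").lower()


def parse_zone(text):
    """Return ({fqdn: [ip]}, {fqdn: [(pref, target)]}) for A and MX records.

    Minimal parser: one record per line, an owner name on every line, and a
    $ORIGIN directive before the first record. Other record types are skipped.
    """
    origin, a_records, mx_records = "", {}, {}
    for raw in text.splitlines():
        tokens = raw.split(";", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):
            continue
        owner, rest = qualify(tokens[0], origin), tokens[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest.pop(0)                        # optional TTL and class
        if not rest:
            continue
        if rest[0].upper() == "A":
            a_records.setdefault(owner, []).append(rest[1])
        elif rest[0].upper() == "MX":
            mx_records.setdefault(owner, []).append((int(rest[1]), qualify(rest[2], origin)))
    return a_records, mx_records


def parse_hosts(text):
    """Return {name: ip} from /etc/hosts; the first mapping of a name wins."""
    mapping = {}
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        for name in tokens[1:]:
            mapping.setdefault(name.lower(), tokens[0])
    return mapping


def check(zone_text, hosts_text, server_fqdn, mail_domain):
    """Return a list of problems; an empty list means the records look right."""
    a_records, mx_records = parse_zone(zone_text)
    hosts = parse_hosts(hosts_text)
    server, domain = server_fqdn.lower().rstrip("."), mail_domain.lower().rstrip(".")
    problems = []

    ips = a_records.get(server, [])
    if not ips:
        problems.append("no A record for %s" % server)
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback:
            problems.append("A record for %s is loopback (%s)" % (server, ip))
        elif not any(addr in net for net in RFC1918):
            problems.append("A record for %s is public (%s); behind NAT it must be the LAN address" % (server, ip))

    if domain not in mx_records:
        problems.append("no MX record for %s" % domain)
    for _, target in mx_records.get(domain, []):
        if target not in a_records:
            problems.append("MX target %s has no A record" % target)

    host_ip = hosts.get(server)
    if host_ip is None:
        problems.append("/etc/hosts has no entry for %s" % server)
    elif ipaddress.ip_address(host_ip).is_loopback:
        problems.append("/etc/hosts maps %s to loopback; use the LAN interface address" % server)
    elif ips and host_ip not in ips:
        problems.append("/etc/hosts gives %s for %s but DNS gives %s" % (host_ip, server, ", ".join(ips)))
    return problems
```

To use it on a real server, read the internal zone file and /etc/hosts into `check` with the server's FQDN and mail domain. The parser is deliberately small (one record per line, an owner on every line), so a zone that relies on blank-owner continuation lines needs more handling before the results mean anything.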

#7  05-30-2007, 04:22 AM  Moderator (Posts: 927)


Can you not set port forwarding on the firewall so all traffic it receives on port 25 is sent to the internal IP of the Zimbra server? Same for the web port of 443.

Then external users connect to your external IP address, the firewall sees the traffic is HTTPS and sends that traffic to the internal IP of the Zimbra server, which sees it as normal; nothing needs setting on the Zimbra server that I'm aware of.

I mention this as this is exactly how I have my home system configured, and it's been working this way for about a year.