Thread: Zimbra behind NAT firewall

  1. #1
    Zimbra behind NAT firewall

    Here is how my server is configured:

    linux1 = NAT Firewall
    zimbra = Zimbra Server

    linux1 uses iptables to forward the following ports:
    25 -> zimbra:25
    8080 -> zimbra:80
    2222 -> zimbra:22
    linux1 runs its own webserver (apache2) on port 80.
    Code:
    root@linux1 # iptables -t nat -L -n
    
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    DNAT       tcp  --  anywhere             X.X.X.X       tcp dpt:8080 to:192.168.11.3:80
    DNAT       tcp  --  anywhere             X.X.X.X       tcp dpt:25 to:192.168.11.3:25
    DNAT       tcp  --  anywhere             X.X.X.X       tcp dpt:2222 to:192.168.11.3:22

    192.168.11.3 is the zimbra server's IP address. I have masked the linux1 server's external IP address with x.x.x.x for privacy.

    Zimbra is working fine when accessed from the LAN as zimbra.lan. However, I am unable to access the Zimbra server from outside.

    With port 8080 on linux1 (which is also visible as mydomain.com from the internet) being forwarded to port 80 on zimbra, I was expecting that visiting http://mydomain.com:8080 from an outside network would enable me to access the web mail. As expected, the login page shows correctly, but after I enter userid/password, it shows

    "An unexpected error has occurred. Please correct any errors and retry. If the problem persists please contact your System Administrator. (service.FAILURE)"

    Can you please help?
    Last edited by amitbapat; 01-08-2006 at 04:45 PM.

  2. #2
    Zimbra Version

    Sorry for replying to my own post; the zimbra version I'm running is 3.0.0_M3_436.FC4-20060106155236

  3. #3
    solutions

    So, after you log in, the zimbra server redirects your browser back to
    http://hostname/zimbra/mail - which is failing, since you're not on port 80 - so, after you log in, you can manually add :8080 to the url:
    http://hostname:8080/zimbra/mail - that should let you in.

    That's a temporary solution, tho - if that works, add the proxyPort=8080 directive to /opt/zimbra/tomcat/conf/server.xml in the http connector section, and restart tomcat - that should get you going.

  4. #4
    Login failure

    I think the request never reaches the zimbra server to log in; something fails even before doing authentication on the server side.

    After logging in from the http://mydomain.com:8080/ page, I tried manually entering http://mydomain.com:8080/zimbra/mail and it takes me back to http://mydomain.com:8080/zimbra and shows an empty login screen.

  5. #5
    Still fails

    I added proxyPort="8080" in /opt/zimbra/tomcat/conf/server.xml; login still fails with the same error.
    Code:
      <Service name="Catalina">
        <!-- user services connector, no SSL -->
        <!-- HTTPBEGIN -->
        <Connector port="80"
            enableLookups="false" redirectPort="443"
            maxThreads="100" minSpareThreads="100" maxSpareThreads="100" proxyPort="8080" />
        <!-- HTTPEND -->
        <!-- user services connector, SSL -->
    :
    :

  6. #6
    some more

    I stopped apache2 on my linux1 box and forwarded port 80 to the zimbra box; in this case everything works as expected.

    This tells me that if the zimbra server is on the same port (80 in this case) as the forwarded port, zimbra has no problems.

    Is it possible to move the zimbra server to port 8080? How do I do that?

    Thanks
    amit

  7. #7
    errors in the log?

    Any errors in /var/log/zimbra.log?

  8. #8
    moving web port

    Search the forums, it's been covered.

  9. #9

    amitbapat,

    What about using https to access the Zimbra web UI? That way you can leave your web server as is using port 80, and then you just access it by https://yourdomain.com

    If you want to use https, have a look here; it is painless, honest.

  10. #10
    Solved with Apache mod_proxy

    Here's how I have solved this problem, without changing ANYTHING on the zimbra server. The only thing I did was add a NameVirtualHost on apache running on the linux1 box and use mod_proxy for forwards.

    I added a new sub-domain webmail.mydomain.com. This is a CNAME entry and points to the same server mydomain.com (or linux1 on my LAN).

    Here's how the config looks:
    'lan' is my local intranet domain. I run a local DNS for my intranet, hence I don't have to use IP addresses in the ProxyPass.
    You need the mod_proxy module enabled for apache (on linux1).
    On the linux1 box (which also hosts my web server for *.mydomain.com):
    Code:
    UseCanonicalName Off
    NameVirtualHost *:80
    
    <VirtualHost *:80>
        ServerName www.mydomain.com
        DocumentRoot /var/www/www.mydomain.com/htdocs
        ScriptAlias /cgi-bin /var/www/www.mydomain.com/cgi-bin
    </VirtualHost>
    :
    :
    # Redirect traffic to/from webmail.mydomain.com to zimbra.lan
    <VirtualHost *:80>
        ServerName webmail.mydomain.com
        ProxyPass / http://zimbra.lan/
        ProxyPassReverse / http://zimbra.lan/
    </VirtualHost>

    As stated earlier, the zimbra.lan server is not visible directly from outside.
    I am now forwarding ports 25 and 993 (only IMAPS) from the outside world to zimbra.lan using bastille-firewall (iptables) on linux1. I am able to send and receive mail fine. The web mail interface works like a charm with this setup.

    This way I didn't have to change ports of any of my existing sites and I get to use full functionality of Zimbra server without modifying the default configuration.

    The beauty of this setup is I can still keep using my SquirrelMail (which I run on www.mydomain.com/squirrelmail) and only change its config to use the zimbra.lan IMAP server instead.

    I have seen so much discussion on this forum on the forwarding issue, and I hope many people will find this kind of setup useful.


    Thanks to all who helped me with this.

    Zimbra Rocks!

    -amit
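
Added example (not code from any poster in this thread): a simplified Python model of the redirect that post #3 describes and of the Location rewriting done by the ProxyPassReverse line in post #10. The route tables, the sample response and the function names are constructed for illustration from the hostnames used in the thread.

```python
from urllib.parse import urlsplit

# Constructed sample: the redirect post #3 describes, as the backend would
# emit it when the proxy reaches it as http://zimbra.lan/ (post #10).
BACKEND_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://zimbra.lan/zimbra/mail\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Assumed view from the internet: (host, port) -> server that answers.
DNAT_ROUTES = {            # post #1: apache2 on 80, DNAT 8080 -> zimbra:80
    ("mydomain.com", 80): "apache2 on linux1",
    ("mydomain.com", 8080): "zimbra",
}
PROXY_ROUTES = {           # post #10: name-based virtual hosts on port 80
    ("www.mydomain.com", 80): "apache2 on linux1",
    ("webmail.mydomain.com", 80): "zimbra",
}

def location_of(raw_response):
    """Return the Location header of a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    return None

def proxy_pass_reverse(location, backend_prefix, frontend_prefix):
    """Simplified model of ProxyPassReverse: swap a matching URL prefix."""
    if location.startswith(backend_prefix):
        return frontend_prefix + location[len(backend_prefix):]
    return location                           # unrelated redirects pass through

def served_by(url, routes):
    """Which server an outside client reaches by following url, or None."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}[parts.scheme]
    return routes.get((parts.hostname, port))

if __name__ == "__main__":
    # DNAT case: a redirect that omits :8080 lands on the wrong server.
    print(served_by("http://mydomain.com/zimbra/mail", DNAT_ROUTES))
    print(served_by("http://mydomain.com:8080/zimbra/mail", DNAT_ROUTES))
    # Proxy case: the internal name is unreachable until it is rewritten.
    loc = location_of(BACKEND_RESPONSE)
    fixed = proxy_pass_reverse(loc, "http://zimbra.lan/", "http://webmail.mydomain.com/")
    print(served_by(loc, PROXY_ROUTES), "->", served_by(fixed, PROXY_ROUTES))
```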
