Thanks to a few posts in here, I was able to reconfigure ZCS to bind (mostly) to one IP rather than all. Every visible function of the system was working fine, but for some unknown reason I was getting exceptions in zmmailboxd.out complaining of a connection refused on localhost, mostly right around startup:

Code:
com.zimbra.cs.zclient.ZClientException: invoke Connection refused, server: localhost
ExceptionId:btpool0-1493:1226650786410:5b7a2243cc96941e
Code:zclient.IO_ERROR
...<snip>
at com.zimbra.cs.account.soap.SoapProvisioning.invoke(SoapProvisioning.java:192)
(if anyone knows why, I'm curious)

In my case, I really didn't care if ZCS bound to localhost or not, I just needed to not bind on *all* IPs. The Jetty docs were a little spotty on the subject, but the following seems to have worked, and the exceptions have stopped.

Modify /opt/zimbra/jetty/etc/jetty.xml.in as described here: http://www.zimbra.com/forums/adminis...tiple-ips.html

Then, I replicated the entire "Admin services connector" stanza and just changed the Host in the second entry. I don't know if there are any ramifications to adding another connector, but it works for me (so far).

BTW, you can use hostnames rather than IPs in the Host field. Just make sure that name always resolves.

Code:
    <!-- =============================================================== -->
    <!-- Admin services connector; requires SSL -->
    <!-- =============================================================== -->
    <Call name="addConnector">
      <Arg>
        <New id="admin" class="org.mortbay.jetty.security.SslSelectChannelConnector">
          <Set name="Port">7071</Set>
          <Set name="maxIdleTime">30000</Set>
          <Set name="lowResourceMaxIdleTime">1000</Set>
          <Set name="Acceptors">2</Set>
          <Set name="keystore"><SystemProperty name="jetty.home" default="."/>/etc/keystore</Set>
          <Set name="password">3OkE8045n</Set>
          <Set name="ExcludeCipherSuites">
            <Array type="java.lang.String">
              SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA SSL_DHE_DSS_WITH_DES_CBC_SHA SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_DHE_RSA_WITH_DES_CBC_SHA SSL_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_RSA_EXPORT_WITH_RC4_40_MD5 SSL_RSA_WITH_DES_CBC_SHA
            </Array>
          </Set>
        <Set name="Host">mail.domain.com</Set>
        </New>
      </Arg>
    </Call>

    <!-- Second connector for localhost -->
    <Call name="addConnector">
      <Arg>
        <New id="admin" class="org.mortbay.jetty.security.SslSelectChannelConnector">
          <Set name="Port">7071</Set>
          <Set name="maxIdleTime">30000</Set>
          <Set name="lowResourceMaxIdleTime">1000</Set>
          <Set name="Acceptors">2</Set>
          <Set name="keystore"><SystemProperty name="jetty.home" default="."/>/etc/keystore</Set>
          <Set name="password">3OkE8045n</Set>
          <Set name="ExcludeCipherSuites">
            <Array type="java.lang.String">
              SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA SSL_DHE_DSS_WITH_DES_CBC_SHA SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_DHE_RSA_WITH_DES_CBC_SHA SSL_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_RSA_EXPORT_WITH_RC4_40_MD5 SSL_RSA_WITH_DES_CBC_SHA
            </Array>
          </Set>
        <Set name="Host">localhost</Set>
        </New>
      </Arg>
    </Call>
Enjoy.

-Mike