We're about to begin a migration of our Zimbra installation from one location to another remote location. We are achieving this by adding extra mail servers located at the new location into our current pool and then migrating the users to the new servers.

So far everything is working great in our testing environment but we are concerned about some of the traffic between the proxy servers and the new mail servers. The traffic currently being passed from the proxy server to the mail servers is unencrypted which is fine while they are all contained on a private network, but causes concern when it's sent across the internet proper.

Has anyone had any experience dealing with this?

We have looked at both the Zimbra and nginx documentation and it doesn't appear that there is any way to force it to re-encrypt. We have also attempted to force the mail servers to only accept IMAP and POP connections with STARTTLS, but the proxy server just errors out with that configuration, never trying to do a STARTTLS.

Currently we are considering setting up some local stunnels to encrypt the traffic and then decrypt it on the other end but we were hoping for a more native solution.

Any suggestions would be appreciated.

-Dave Hale
Sr Security Officer
Michigan Technological University
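
The stunnel pairing the post is considering, as an added example (not part of the original post and not taken from Zimbra's documentation): a client-mode stunnel beside the proxy and a server-mode stunnel beside the remote mail server, with each side verifying the other's certificate. All host names, ports and file paths are placeholders, and how the proxy is pointed at the local listener is not shown.

```ini
; ---- /etc/stunnel/proxy-side.conf (runs on the proxy host) ----
; Accepts cleartext on loopback only and re-encrypts toward the remote site.
[imap-to-remote-mailstore]
client = yes
accept = 127.0.0.1:7143                    ; placeholder local port
connect = mailstore.remote.example:17143   ; placeholder remote stunnel port
cert = /etc/stunnel/proxy.pem              ; client certificate presented to the far end
key = /etc/stunnel/proxy.key
CAfile = /etc/stunnel/internal-ca.pem      ; CA that signed the mail server's certificate
verifyChain = yes                          ; reject peers whose chain does not validate
checkHost = mailstore.remote.example       ; reject certificates issued for another host
sslVersionMin = TLSv1.2

[pop3-to-remote-mailstore]
client = yes
accept = 127.0.0.1:7110
connect = mailstore.remote.example:17110
cert = /etc/stunnel/proxy.pem
key = /etc/stunnel/proxy.key
CAfile = /etc/stunnel/internal-ca.pem
verifyChain = yes
checkHost = mailstore.remote.example
sslVersionMin = TLSv1.2

; ---- /etc/stunnel/mailstore-side.conf (runs on the remote mail server) ----
; Terminates TLS and hands cleartext to the local IMAP/POP listener over loopback.
[imap-from-proxy]
accept = 17143
connect = 127.0.0.1:7143
cert = /etc/stunnel/mailstore.pem
key = /etc/stunnel/mailstore.key
CAfile = /etc/stunnel/internal-ca.pem      ; CA that signed the proxy's client certificate
verifyChain = yes                          ; in server mode this requires a valid client certificate
sslVersionMin = TLSv1.2

[pop3-from-proxy]
accept = 17110
connect = 127.0.0.1:7110
cert = /etc/stunnel/mailstore.pem
key = /etc/stunnel/mailstore.key
CAfile = /etc/stunnel/internal-ca.pem
verifyChain = yes
sslVersionMin = TLSv1.2
```

With this layout the cleartext listeners on both ends should be bound to loopback or firewalled, so the only path across the internet is the certificate-authenticated TLS port.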