Thread: Views on Public vs. NAT'd IP and Bind

  1. #1
    Join Date
    Sep 2006
    Location
    477 Congress Street | Portland, ME 04101
    Posts
    1,374
    Rep Power
    11

    Default Views on Public vs. NAT'd IP and Bind

    We are about to set up a new Network Edition Zimbra server, and I'd like to get everyone's views on the pluses and minuses of different configurations, please.

    Specifically, we are looking for opinions on the use of Public vs. NAT'd IP addresses for the Zimbra server as well as whether to run BIND on the Zimbra server.

    Our sense from the docs is that the traditional Zimbra install (let's keep this as a single server install for the moment) has the Zimbra server configured with a public IP address and a running installation of BIND configured with zone files for the domains installed on the Zimbra server.

    Our existing Zimbra install has our server configured with a private IP address (NAT'd from the public IP by our firewall), and no BIND installed (instead relying on the local DNS servers provided by our colo host).

    We have built many Postfix/Cyrus servers, so we understand the need for a fast, local DNS server (especially for Postfix's anti-UCE capabilities). But we have seen DNS servers get hammered frequently so would like to avoid running BIND if possible.

    What are your preferred way(s) of setting up Zimbra?

    TIA,
    Mark

  2. #2
    Join Date
    Jul 2006
    Location
    KL, Malaysia
    Posts
    123
    Rep Power
    9

    Default

    My Zimbra NE setup is quite similar to your proposed setup. Two servers on private network 10.0.0.x. The SMTP & mailbox server is NAT'd against our public IPs to handle in/out mail. Meanwhile, my LDAP/backup server doesn't have public IPs.

    As for DNS, I have set up 2 DNS servers (already available at installation time on two separate boxes): internal DNS for local usage and external DNS for outside usage. By having the internal DNS, somehow our local mail traffic is diverted locally without going to the outside and back to the inside.

    Basically, that's it. It's been running fine... at least for now.

  3. #3
    Join Date
    Sep 2006
    Location
    477 Congress Street | Portland, ME 04101
    Posts
    1,374
    Rep Power
    11

    Default

    Quote Originally Posted by scalper
    <snip>
    By having the internal dns, somehow our local mail traffic is well diverted locally without going to the outside and back to the inside.

    From the logs we see that the internal LMTP transport of mail takes place over the public IP of the server. We didn't want just anyone to be able to inject email into Cyrus, so we needed to configure firewall rules to allow LMTP only from the Zimbra server to the Zimbra server. We also didn't find any way to change this, other than manually editing the Zimbra config files, which we don't want to do!

    Having an internal DNS server with the private, rather than public IP of the Zimbra host is possibly how you are keeping internal transports internal.

    Would you mind confirming that your internal DNS server uses private IPs for the Zimbra MTA (Postfix) and mail store (Cyrus) servers?

    Thanks,
    Mark

  4. #4
    Join Date
    Jul 2006
    Location
    KL, Malaysia
    Posts
    123
    Rep Power
    9

    Default

    Quote Originally Posted by LMStone
    Having an internal DNS server with the private, rather than public IP of the Zimbra host is possibly how you are keeping internal transports internal.

    Would you mind confirming that your internal DNS server uses private IPs for the Zimbra MTA (Postfix) and mail store (Cyrus) servers?

    Yes. Internal DNS maps private IPs for both servers. Here's a snippet from my nslookup for my MTA svr. (I have to alter the domain/public IP for privacy, if you don't mind.)

    Code:
    > server 10.0.0.2
    > pluto.domain.net
    Server:         10.0.0.2
    Address:        10.0.0.2#53
    
    Name:   pluto.domain.net
    Address: 10.0.0.188
    
    >server 203.x.x.x
    > pluto.domain.net
    Server:         203.x.x.x
    Address:        203.x.x.x#53
    
    Name:   pluto.domain.net
    Address: 219.x.x.x

    The outside DNS is a bit confusing. My place has 2 uplinks to the outside (203.x.x.x & 219.x.x.x). DNS resides at the 128kbps line with IP 203.x.x.x. Currently the MTA svr is being NAT'd to the 2Mbps SDSL line with IP 219.x.x.x, which is faster and more suitable for Zimbra.

    For MX records, I added 2 separate records for internal and external. There is no point if the MX record is only recorded at the external DNS, as it will also redirect emails outside and back to the inside.

    Code:
    > domain.net
    Server:         10.0.0.2
    Address:        10.0.0.2#53
    
    domain.net      mail exchanger = 10 support.domain.net.
    domain.net      mail exchanger = 0 pluto.domain.net.
    
    > domain.net
    Server:         203.x.x.x
    Address:        203.x.x.x#53
    
    domain.net      mail exchanger = 10 support.domain.net.
    domain.net      mail exchanger = 0 pluto.domain.net.
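
The two nslookup snippets above show the split-horizon setup the thread converges on: the internal resolver hands out the MTA's RFC 1918 address, the external resolver hands out the public one, and both views publish the same MX hosts and preferences. The following script is an added example, not something from the thread or from Zimbra; it parses nslookup-style output of exactly that shape and checks those properties, so the "internal transports stay internal" assumption from post #3 can be verified rather than inferred from mail logs. The hostnames and addresses in it are constructed sample data (203.0.113.x and 198.51.100.x are documentation ranges), not the poster's real values.

```python
"""Sanity-check a split-horizon (internal vs. external) DNS view for a mail host.

Added example, not from the thread. It parses nslookup-style output and checks:
  1. the internal view resolves the MTA to an RFC 1918 address and the external
     view to a non-RFC 1918 address, so internal LMTP/SMTP traffic never leaves
     the site via the NAT'd public IP; and
  2. both views publish identical MX records, with the MTA as the most-preferred
     (lowest value) exchanger, so mail is not routed outside and back in.
All sample data below is constructed (documentation address ranges).
"""
import ipaddress
import re

# Constructed sample: what `nslookup` printed against the internal resolver.
INTERNAL_VIEW = """\
Server:         10.0.0.2
Address:        10.0.0.2#53

Name:   pluto.domain.net
Address: 10.0.0.188

domain.net      mail exchanger = 10 support.domain.net.
domain.net      mail exchanger = 0 pluto.domain.net.
"""

# Constructed sample: the same two queries against the external resolver.
EXTERNAL_VIEW = """\
Server:         203.0.113.53
Address:        203.0.113.53#53

Name:   pluto.domain.net
Address: 198.51.100.25

domain.net      mail exchanger = 10 support.domain.net.
domain.net      mail exchanger = 0 pluto.domain.net.
"""

# "Name:" followed by "Address:" is an answer; the resolver's own
# "Server:/Address:" header lines never match because they lack "Name:".
A_RE = re.compile(r"^Name:\s+(\S+)[ \t]*\nAddress:\s+(\S+)[ \t]*$", re.MULTILINE)
MX_RE = re.compile(r"^(\S+)\s+mail exchanger = (\d+)\s+(\S+)[ \t]*$", re.MULTILINE)

# Explicit RFC 1918 ranges: ipaddress.is_private also counts documentation
# ranges (RFC 5737) as private, which is not what "private IP" means here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def parse_view(text):
    """Return (addresses, mx): host -> [ip, ...] and zone -> {mx_host: preference}."""
    addresses = {}
    for host, ip in A_RE.findall(text):
        addresses.setdefault(host.rstrip("."), []).append(ipaddress.ip_address(ip))
    mx = {}
    for zone, pref, host in MX_RE.findall(text):
        mx.setdefault(zone.rstrip("."), {})[host.rstrip(".")] = int(pref)
    return addresses, mx


def check_split_horizon(mta_host, internal_text, external_text):
    """Return a list of findings; an empty list means the two views are consistent."""
    findings = []
    int_addr, int_mx = parse_view(internal_text)
    ext_addr, ext_mx = parse_view(external_text)

    if mta_host not in int_addr:
        findings.append(f"internal view has no address for {mta_host}")
    if mta_host not in ext_addr:
        findings.append(f"external view has no address for {mta_host}")
    for ip in int_addr.get(mta_host, []):
        if not is_rfc1918(ip):
            findings.append(f"internal view gives non-RFC1918 address {ip} for {mta_host}")
    for ip in ext_addr.get(mta_host, []):
        if is_rfc1918(ip):
            findings.append(f"external view leaks private address {ip} for {mta_host}")

    for zone in sorted(set(int_mx) | set(ext_mx)):
        if int_mx.get(zone) != ext_mx.get(zone):
            findings.append(f"MX records for {zone} differ: internal={int_mx.get(zone)} "
                            f"external={ext_mx.get(zone)}")
        for label, view in (("internal", int_mx), ("external", ext_mx)):
            prefs = view.get(zone, {})
            if prefs and min(prefs, key=prefs.get) != mta_host:
                findings.append(f"{label} view: {mta_host} is not the lowest-preference MX for {zone}")
    return findings


if __name__ == "__main__":
    problems = check_split_horizon("pluto.domain.net", INTERNAL_VIEW, EXTERNAL_VIEW)
    print("OK: views are consistent" if not problems else "\n".join(problems))
```

To use it against a live setup, paste the output of `nslookup` runs against each resolver into the two strings (or read them from files) and set the MTA hostname; any finding about a "leaked" private address in the external view, or a public address in the internal view, is exactly the condition that makes LMTP or SMTP between the MTA and the mail store traverse the NAT'd public IP.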

  5. #5
    dijichi2, OpenSource Builder & Moderator
    Join Date
    Oct 2005
    Posts
    1,176
    Rep Power
    12

    Default

    Quote:
    If you're looking for a speedy and stable dns server (authoritative or recursive), I'd recommend Dan Bernstein's dnscache and tinydns programs. I haven't used BIND since 2000, and will never go back.

    Agreed, BIND is a truly horrible, bloated, bug-ridden, unnecessarily complex piece of cr4p. However, if you don't want to step into the mad psychedelic world of the raving loony djb, try http://www.powerdns.com

  6. #6
    Join Date
    Jun 2006
    Location
    Indianapolis, IN
    Posts
    51
    Rep Power
    9

    Default DNS servers

    If you're looking for a speedy and stable dns server (authoritative or recursive), I'd recommend Dan Bernstein's dnscache and tinydns programs. I haven't used BIND since 2000, and will never go back.

    http://cr.yp.to/djbdns.html

    (This is the same guy that gives us qmail.) You can separate locations "public and private" based on a defined access list, etc. It's industrial-strength. I worked for one of the top web sites in the world, and they use djbdns exclusively (do Windows domain controllers count?).

    As for networking with Zimbra, we use zimbra behind a firewall on a non-routable IPv4 subnet, and use apache as an SSL proxy for external access, where we can restrict access to only the appropriate zimbra URLs.

    --Brian
