
Thread: Multiserver installation issues

  1. #1 Vladimir (joined Aug 2007): Multiserver installation issues

    Hi all, I'm trying to configure a layout with 2 mbox servers, 2 ldap, and 2 mta servers. All of them reside behind an L4 infrastructure.

    Q1) does it make sense to put the proxy servers on the mbox machines or on the MTA's?

    Q2) is there anything short of an internal DNS server that can fix the postfix DNS issues, and if I need to put one up, what configuration do I need to have for each host? From the outside world I want everything to point to one VIP, but from the inside which machines need to be MX's? I assume the MTA's, but do all of them need to be MX'ed to themselves?

    Q3) So far I can get all the machines to talk to each other except for the mail issue (see Q2) and the fact that zmprov fails on the mta machines. For some reason running zmprov on the MTA results in:

    ERROR: zclient.IO_ERROR (invoke Connection refused, server: localhost) (cause: java.net.ConnectException Connection refused)

    What can be the cause of this?

    Q4) During the installations the mbox machines ask for a MTA to use, and the MTA machines ask for a mbox to use for authentication. Can this be a one to many setting which allows the mbox machines to use all the mta's and the mta's to use all the mbox's to avoid secondary issues if a machine goes down?

    Q5) How do you solve the http->https redirect issue using the proxy? The proxy can't handle the mixed or redirect modes, but what I would like is to be able to mimic the redirect mode.

    Thank you.

  2. #2 Vladimir (joined Aug 2007)

    Seeing how no one had any input, I'm going to answer some of my own questions and see if anyone has any ideas for the rest:

    Quote Originally Posted by Vladimir:
    Q2) is there anything short of an internal DNS server that can fix the postfix DNS issues, and if I need to put one up, what configuration do I need to have for each host. From the outside world I want everything to point to one VIP, but from the inside which machines need to be MX's? I assume the MTA's but do all of them need to MX'ed to themselves?
    Well, I set up an internal DNS server, and I'm going to run a copy on each LDAP server, so that should fix that.

    Q4) During the installations the mbox machines ask for a MTA to use, and the MTA machines ask for a mbox to use for authentication. Can this be a one to many setting which allows the mbox machines to use all the mta's and the mta's to use all the mbox's to avoid secondary issues if a machine goes down?
    This one really nags me. I can solve the mailbox needing a single MTA problem by installing the MTA package on the mailbox machine and having it only handle outgoing mail. However, as for the MTA needing an AUTH host ..

    What sort of auth does the MTA do? What protocol does it use? If it is happening over https I can mess its view of the hosts tables and have it think that each mailbox has the IP of the L4 VIP and route the request back through the proxy and see if that works. Exactly what does it use this authentication for and how does it do it?

    Q5) How do you solve the http->https redirect issue using the proxy? The proxy can't handle the mixed or redirect modes, but what I would like is to be able to mimic the redirect mode.
    This we also solved by having the L4 switch issue a redirect to the client from 80 to 443.

    So my set of questions now is:

    1) Where does it make sense to run the proxy, on the MTA's or the mailbox machines

    2) zmprov still fails on the MTA machines and I have no idea why. I can change their settings using zmprov -l, but I kinda want to know why they can't talk to themselves.

    3) What protocol do the MTA's use to authenticate with the mailbox servers and why?
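The 80 to 443 redirect issued by the L4 switch (Q5 above) is worth testing rather than trusting: a redirector that copies the client's Host header into the Location target becomes an open redirect, and one that drops the path or query breaks deep links. The checker below is an added example, not code from the thread or from Zimbra; the raw HTTP responses and host names in it are constructed for illustration.

```python
"""Check that a plaintext (port 80) endpoint redirects to HTTPS the way the
L4 switch in the thread is meant to.

Added example, not part of the original thread or of Zimbra. The raw HTTP
responses are constructed by hand; host names are illustrative.
"""
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 307, 308}

# Constructed responses, as a client on port 80 might receive them.
GOOD_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://mail.example.com/zimbra/?app=mail\r\n"
    b"Content-Length: 0\r\n\r\n"
)
DOWNGRADE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://mail.example.com/zimbra/?app=mail\r\n\r\n"
)
REFLECTED_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://evil.example.net/zimbra/?app=mail\r\n\r\n"
)
NO_REDIRECT_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, {lowercase header: value})."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def check_redirect(raw, request_path, allowed_hosts):
    """Return a list of problems with the redirect; an empty list means it is sound.

    allowed_hosts: the names the service is really published under. A Location
    host outside this set usually means the redirector copies the client's Host
    header into the target, which makes it an open redirect.
    """
    status, headers = parse_response(raw)
    if status not in REDIRECT_STATUSES:
        return ["expected a redirect status, got %d" % status]
    location = headers.get("location")
    if not location:
        return ["redirect without a Location header"]
    target = urlsplit(location)
    problems = []
    if target.scheme != "https":
        problems.append("Location is not https: %s" % location)
    host = (target.hostname or "").lower()
    if host not in {h.lower() for h in allowed_hosts}:
        problems.append("Location host %r is not a published name (Host header reflected?)" % host)
    if target.port not in (None, 443):
        problems.append("Location uses port %d instead of 443" % target.port)
    req_path, _, req_query = request_path.partition("?")
    if target.path != req_path:
        problems.append("path not preserved: %s -> %s" % (req_path, target.path))
    if target.query != req_query:
        problems.append("query string not preserved")
    return problems


if __name__ == "__main__":
    allowed = {"mail.example.com"}
    for name, raw in [("good", GOOD_RESPONSE), ("downgrade", DOWNGRADE_RESPONSE),
                      ("reflected", REFLECTED_RESPONSE), ("none", NO_REDIRECT_RESPONSE)]:
        print(name, check_redirect(raw, "/zimbra/?app=mail", allowed) or "ok")
```

To use it against a real redirector, send a request on port 80 with a deliberately foreign Host header as well as the real one and feed each raw response to check_redirect; the second request is the one that catches Host reflection.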

  3. #3 Klug (joined Mar 2006, Beaucaire, France)

    Quote Originally Posted by Vladimir:
    Well I setup an internal DNS server, and I'm going to run a copy on each LDAP server so thats should fix that.
    Not sure you need one DNS daemon per server.

    Quote Originally Posted by Vladimir:
    This one really nags me. I can solve the mailbox needing a single MTA problem by installing the MTA package on the mailbox machine and have it only handle outgoing mail. However to the MTA needing an AUTH host ..
    I don't know, I'd rather setup a mailbox first.

    Quote Originally Posted by Vladimir:
    What sort of auth does the MTA do? What protocol does it use? If it is happening over https I can mess its view of the hosts tables and have it think that each mailbox has the IP of the L4 VIP and route the request back through the proxy and see if that works. Exactly what does it use this authentication for and how does it do it?
    IIRC, you'll need port 7025 (QMTP) and http(s) access to the mailstore (requests to the mailstore).
    And obviously SSH and syslog.

    Quote Originally Posted by Vladimir:
    1) Where does it make sense to run the proxy, on the MTA's or the mailbox machines
    Neither, run it on a different server.

    Quote Originally Posted by Vladimir:
    2) zmprov still fails on the MTA machines and I have no idea why. I can change their settings use zmprov -l but I kinda want to know why they can't talk to themselves.
    zmprov talks to a mailstore server through SOAP (while zmprov -l talks to the LDAP server).
    The mailstore server stores the data in LDAP.
    postfix's setup is (re)created from the LDAP info every 30 minutes.

    Quote Originally Posted by Vladimir:
    3) What protocol do the MTA's use to authenticate with the mailbox servers and why?
    SSH and/or SOAP
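The error quoted in the first post, java.net.ConnectException "Connection refused" for server localhost, is a TCP-level refusal: a host at that address answered the SYN with a reset because nothing listens on the port, which is different from a firewall silently dropping the packet (a timeout) or a name that does not resolve. On a node that carries only the MTA package there is no mailstore on localhost for a SOAP client to reach, so a refusal there is the expected outcome, not a broken daemon. The probe below tells those cases apart for the ports a node in this layout depends on. It is an added example, not code from the thread or from Zimbra: port 7025 and SSH are taken from Klug's reply above (Zimbra uses 7025 for LMTP delivery from the MTA into the mailstore), while 7071 for the admin SOAP service and 389 for LDAP are assumptions of this example, and the host names are illustrative.

```python
"""Classify TCP reachability of the services a Zimbra node depends on, so a
"Connection refused" can be told apart from a firewall drop or a DNS failure.

Added example, not part of the original thread or of Zimbra. Ports: 7025 and
ssh come from the thread; 7071 (the admin SOAP service zmprov talks to) and
389 (LDAP, for zmprov -l) are assumptions of this example.
"""
import socket
from typing import Dict, List, Tuple

# role -> [(label, port)] a remote node must be able to reach on it.
DEPENDENCIES: Dict[str, List[Tuple[str, int]]] = {
    "mailstore": [("mailstore delivery", 7025), ("http", 80), ("https", 443),
                  ("admin soap (assumed 7071)", 7071), ("ssh", 22)],
    "ldap":      [("ldap (assumed 389)", 389), ("ssh", 22)],
}


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'refused', 'timeout', 'unresolved' or 'error'.

    refused  -> a host answered with RST: nothing listens on that port there
                (what java.net.ConnectException "Connection refused" reports)
    timeout  -> no answer at all: filtered, or the host is down
    """
    try:
        addrs = socket.getaddrinfo(host, port, 0, socket.SOCK_STREAM)
    except socket.gaierror:
        return "unresolved"
    outcome = "error"
    for family, socktype, proto, _canon, sockaddr in addrs:
        s = socket.socket(family, socktype, proto)
        s.settimeout(timeout)
        try:
            s.connect(sockaddr)
            return "open"
        except ConnectionRefusedError:
            outcome = "refused"
        except socket.timeout:
            outcome = "timeout"
        except OSError:
            outcome = "error"
        finally:
            s.close()
    return outcome


def report(targets: Dict[str, List[str]]) -> Dict[str, str]:
    """targets: role -> host names of that role. Returns 'host:port (label)' -> outcome."""
    results = {}
    for role, hosts in targets.items():
        for host in hosts:
            for label, port in DEPENDENCIES[role]:
                results["%s:%d (%s)" % (host, port, label)] = probe(host, port)
    return results


def local_demo() -> Tuple[str, str]:
    """Show both outcomes on loopback: a live listener, then the same port once
    the listener is gone (the 'talking to localhost with nothing there' case)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_up = probe("127.0.0.1", port)
    listener.close()
    after_down = probe("127.0.0.1", port)
    return while_up, after_down


if __name__ == "__main__":
    print("loopback demo:", local_demo())
    # Illustrative host names; substitute the real mailstore and LDAP nodes.
    for key, outcome in report({"mailstore": ["mbox1.example.com"],
                                "ldap": ["ldap1.example.com"]}).items():
        print(key, outcome)
```

Run report() from the MTA node against the mailstore and LDAP hosts it is configured to use; a "refused" against a remote mailstore means the service is down, while "refused" against localhost on an MTA-only node simply confirms the client was pointed at the wrong host.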

  4. #4 Vladimir (joined Aug 2007)

    Quote Originally Posted by Klug:
    Not sure you need one DNS daemon per server.
    I don't but I would like it to be redundant if one of the servers fails.

    I don't know, I'd rather setup a mailbox first.
    Hmm? The problem that concerns me is that each mailbox is bound to only one MTA for outgoing mail. If that MTA fails then the mailbox bound to it also fails. My thought is to place a MTA on the mailbox server that only handles the outgoing mail for that server, so if that machine catches fire it only affects itself.

    Neither, run it on a different server.
    I have a budget to work with. Right now the machines I have to work with are oversized for the deployment, but all I have is them, so I need to put the proxy on some of them. I'll play this by ear and see what the load is like.

    zmprov talks to a mailstore server through SOAP (while zmprov -l talks to the LDAP server).
    The mailstore server stores the data in LDAP.
    postfix' setup is (re)created from the LDAP info each 30 minutes.
    Ok .. so running zmprov on a MTA machine will attempt to talk to a mailbox machine, and running zmprov -l will attempt to talk to the ldap server. However, in my error zmprov seems to try to talk to localhost, not one of the mailbox machines.

    SSH and/or SOAP
    Then I might have to try the DNS hack and see if I can get it to pick a mailbox server through the proxy. It worries me that a number of configuration options are dependent on a single host; it makes the distributed multi server installs a lot less robust than the literature seems to indicate.

  5. #5 Klug (joined Mar 2006, Beaucaire, France)

    Quote Originally Posted by Vladimir:
    Hmm? The problem that concerns me is that each mailbox is bound to only one MTA for outgoing mail. If that MTA fails then the mailbox bound to it also fails. My thought is to place a MTA on the mailbox server that only handles the outgoing mail for that server, so if that machine catches fire it only affects itself.
    That's not the way the multiserver installations are usually done but why not.

    Quote Originally Posted by Vladimir:
    I have a budget to work with. Right now the machines I have to work with are oversized for the deployment, but all I have is them, so I need to put the proxy on some of them. I'll play this by ear and see what the load is like.
    If servers are oversized, then remove one mailbox server and put a proxy server instead. Or you can use VMs too.

    Quote Originally Posted by Vladimir:
    Ok .. so running zmprov on a MTA machine will attempt to talk to a mailbox machine, and running zmprov -l will attempt to talk to the ldap server. However in my error zmprov seem to try to talk to localhost, not one of the mailbox machines.
    When you say "MTA machine", there's only "zimbra-core" and "zimbra-mta" on it ?

    Quote Originally Posted by Vladimir:
    It worries me that a number of configuration options are dependent on a single host
    ZCS was designed to be deployed on multiple servers from the start.

    Quote Originally Posted by Vladimir:
    it makes the distributed multi server installs a lot less robust then the literature seems to indicate.
    The "usual" way to set up a multi servers infrastructure is more like :
    . two LDAP servers (one master and one slave)
    . two MTA servers (using MX records in the DNS to spread the load, each MTA "attached" to one LDAP to spread the LDAP load)
    . several mailbox servers
    . one log server (mailbox + log)

    This works quite nicely; there are several people on the forum hosting several thousand users with such setups.

  6. #6 Vladimir (joined Aug 2007)

    Quote Originally Posted by Klug:
    When you say "MTA machine", there's only "zimbra-core" and "zimbra-mta" on it ?
    Correct.

    ZCS was designed to be deployed on multiple servers from the start.
    That was my impression as well, but as I learn more about the multiserver layout, I'm concerned about some of the decisions made.

    The "usual" way to set up a multi servers infrastructure is more like :
    . two LDAP servers (one master and one slave)
    . two MTA servers (using MX records in the DNS to spread the load, each MTA "attached" to one LDAP to spread the LDAP load)
    . several mailbox servers
    . one log server (mailbox + log)

    This works quite nice, there are several people on the forum hosting several thousands users with such setups.
    That is almost exactly what I'm doing, with the addition of L4 and proxies in the mix.

    Yes, and that's nice in theory, but as I said what worries me is the number of 1 to 1 relationships involved there. For example the MTA's need an MtaAuthHost, but it can only be ONE of the mailbox servers. So if that server goes down the MTA bound to it also goes down, or at least part of it, and the load balancer can't even tell.

    Don't get me wrong, I like Zimbra, I'm only complaining because it is very close to perfect and then it does little things like this.

  7. #7 Klug (joined Mar 2006, Beaucaire, France)

    Quote Originally Posted by Vladimir:
    For example the MTA's need an MtaAuthHost, but it can only be ONE of the mailbox servers. So if that server goes down the MTA bound to it also goes down, or at least part of it, and the load balancer can't even tell.
    If that server goes down, the user accounts that are on this server are not accessible anymore.

    I'm more scared about this kind of issues than the one-to-one relationship. However, you're right about it, if we could avoid it, it'd be nicer 8)

    I don't see what the aim of the load balancer is here, as you cannot "load balance" mailbox servers. The only use I see of a load balancer would be to load balance the proxy flow, but it's not interesting for the other servers (MTA, LDAP, mailstores).

  8. #8 Vladimir (joined Aug 2007)

    The load balancer is for the MTA machines and for the proxy flow. How is it not interesting for the MTA's?

  9. #9 Klug (joined Mar 2006, Beaucaire, France)

    If your several MTAs hide behind a single MX record, it's interesting.

    If you have several MX records (with round-robin), the DNS by itself will create some kind of load balancing (less precise than using a dedicated device, obviously).
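The two designs Klug contrasts above behave differently on failure, and it is the sending MTA, not the DNS server, that does the work. RFC 5321 section 5.1 tells a sender to try MX hosts in ascending preference and to pick randomly among hosts with the same preference, so two equal-preference MXs get roughly equal load and a dead one is skipped per message. A single MX pointing at a VIP gives the sender nothing to fall back to, so every failover decision has to happen inside the L4 device, which must health-check the SMTP port of each MTA behind it. Either way this only covers inbound SMTP; it does nothing for a mailbox bound to one MTA for outbound mail or for access to a given mailstore, which is Klug's point about not balancing mailbox servers. The simulation below is an added example, not code from the thread or from Zimbra; the MX records and host names are constructed.

```python
"""How a sending MTA chooses among MX records, and what that gives you for
load balancing and failover of inbound mail.

Added example, not part of the original thread or of Zimbra; the records are
constructed. It follows the MX processing rule of RFC 5321 section 5.1: try
hosts in ascending preference value, and pick randomly among hosts that share
a preference, so equal-preference MXs split the load across sending sites.
"""
import random
from collections import Counter
from typing import Callable, Dict, List, Optional, Sequence, Tuple

MX = Tuple[int, str]  # (preference, host)

# Constructed zone data: two equal-preference MTAs plus a lower-priority backup.
MX_RECORDS: List[MX] = [
    (10, "mta1.example.com"),
    (20, "backup.example.com"),
    (10, "mta2.example.com"),
]
# A single MX at a VIP, as in the thread: DNS offers no alternative, so every
# failover decision has to happen inside the load balancer.
VIP_RECORDS: List[MX] = [(10, "mail.example.com")]


def order_mx(records: Sequence[MX], rng: random.Random) -> List[str]:
    """Ascending preference, with ties shuffled (RFC 5321 section 5.1)."""
    by_pref: Dict[int, List[str]] = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    ordered: List[str] = []
    for pref in sorted(by_pref):
        group = list(by_pref[pref])
        rng.shuffle(group)
        ordered.extend(group)
    return ordered


def deliver(records: Sequence[MX], try_host: Callable[[str], bool],
            seed: Optional[int] = None) -> Tuple[str, List[str]]:
    """Walk the MX list until a host accepts; return (accepting host, hosts tried).

    try_host stands in for the SMTP session: True on acceptance, False when
    the connection fails or the host refuses. seed makes a run reproducible.
    """
    rng = random.Random(seed)
    tried: List[str] = []
    for host in order_mx(records, rng):
        tried.append(host)
        if try_host(host):
            return host, tried
    raise RuntimeError("no MX accepted the message; tried %s" % tried)


def first_choice_spread(records: Sequence[MX], trials: int, seed: int = 0) -> Counter:
    """How often each host is tried first across many sends: the 'DNS load
    balancing' seen from one sender. A backup MX never appears here."""
    rng = random.Random(seed)
    return Counter(order_mx(records, rng)[0] for _ in range(trials))


if __name__ == "__main__":
    print(first_choice_spread(MX_RECORDS, 1000))
    alive = {"mta2.example.com", "backup.example.com"}   # mta1 is down
    print(deliver(MX_RECORDS, lambda h: h in alive, seed=1))
    print(first_choice_spread(VIP_RECORDS, 10))          # always the VIP
```

Note what the spread does not show: it is per sending site, so a large sender that caches one ordering can still pile onto a single MTA for a while, which is the "less precise than a dedicated device" caveat in Klug's reply.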

  10. #10 Vladimir (joined Aug 2007)

    Yup, they are behind a single MX record

    The other thing that load balancing does is hide the multi mailbox layout from users if they use Outlook, or mobile devices, etc. Or at least that's the hope.
