
Thread: Zimbra HTTP remote access through DMZ

  1. #1

    Zimbra HTTP remote access through DMZ

    Hi all:

    Currently we have a Sendmail-based mail system, in two separate servers:

    1) LAN Server, with user mailhubs
    2) DMZ Server, which acts as a relay MTA.

    We're planning to deploy a Zimbra-based infrastructure with the following servers:

    1) LAN Zimbra server: Zimbra mail Server + Zimbra LDAP
    2) DMZ Zimbra MTA: relay in the DMZ zone.

    Is it possible to access the Zimbra server through the Zimbra MTA in the DMZ zone via the Internet? We need to provide web access to users through the Internet, but we cannot open any port directly to the LAN zone, so access via the DMZ server would be desirable.

    Is Zimbra HTTP proxy a solution? If we deploy it in the DMZ Server, is it possible to configure it so that users can access Zimbra Server in the LAN zone through it?

    Thanks in advance!

  2. #2

    Perhaps I've missed the forum again?

    Maybe I'm asking a stupid question, or this forum is not the right place to ask it...

    Could anyone give me some indication, please?

    Thank you very much

  3. #3

    Maybe this is an ignorant question but I'm not afraid of admitting my own ignorance... why not just have one Zimbra server in the DMZ which handles the whole load? If you have a DMZ, that obviously means you have some level of packet filtering, DNAT/SNAT, etc. available to you in your firewall/router, so just restrict what ports are routed from the public (or private) networks to your server and you should be fine. If I'm missing something from a security perspective, what is it that you are trying to accomplish by having your main Zimbra server on the LAN that you couldn't do with properly-designed packet filter rules in the DMZ?

    As to your proxy question, I do not think that one Zimbra machine could act as proxy to a second Zimbra machine as you are describing. I believe you would have to set up a separate proxy server on your DMZ to accomplish this.
    Cheers,

    Dan

  4. #4

    Re:

    Well, the truth is that I had not thought about that... Until now we have the mailhub with mailboxes in our LAN because it's supposed to be the most secure zone; if the DMZ host is compromised (it's offering some more services, such as HTTP), a possible attacker could get access to every personal message. This is the scenario we try to avoid by using two different servers in two different networks... I suppose if the DMZ host is really secured this should not be an issue, but... who is really secure nowadays? :-)

  5. #5

    Quote Originally Posted by milesteg:
    Well, the truth is that I had not thought about that... Until now we have the mailhub with mailboxes in our LAN because it's supposed to be the most secure zone; if the DMZ host is compromised (it's offering some more services, such as HTTP), a possible attacker could get access to every personal message.
    Remember a DMZ is a network, not just a host. You could have multiple servers on the DMZ and (assuming a sufficiently advanced firewall/router) still not allow one compromised machine to talk to another. Packet filtering, and DNAT/SNAT both provide for even tighter lockdown. Sure, if your Zimbra machine is compromised, it's possible that the hacker would have access to your messages, but if you only allow port 25, 443, (even 80), and maybe the secure IMAP/POP ports, access from the outside--even a compromised machine could be pretty tough to control.

    Quote Originally Posted by milesteg:
    This is the scenario we try to avoid by using two different servers in two different networks... I suppose if the DMZ host is really secured this should not be an issue, but... who is really secure nowadays? :-)
    True of course, but as I pointed out above, it's not merely the security of your host that is an issue. Proper routing/firewall configuration provides a pretty substantial level of security on top of that.

    I'm not saying that the further level of a mail server inside the LAN is not even more secure--obviously it is. I am questioning, rather, if that level of security is necessary. And if it is, I would recommend instead that your users who need webmail access from outside could first access your LAN via a secure VPN (good firewalls now offer SSL VPN instead of PPTP or L2TP even), then check their mail over the VPN.
    Cheers,

    Dan
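A constructed illustration of the point made above (added here; it is not code from the thread or from Zimbra): a small zone-based firewall policy model in Python. The zone names, the rule table, and the choice of which DMZ-to-LAN ports the relay and the web front end need (25, 443 and, as an assumption, 389 for LDAP recipient lookups) are assumptions, not something the thread specifies. allowed() evaluates one flow against a default-deny table, and audit() checks the two invariants the poster cares about: no Internet-to-LAN rule exists at all, and DMZ-to-LAN traffic is limited to the ports the relay/proxy roles require, so a compromised DMZ host cannot reach the LAN mailbox server on anything else.

```python
"""Zone-based firewall policy model for a two-tier Zimbra layout.

Constructed example: three zones (Internet, DMZ, LAN) and a default-deny
rule table.  The LAN-facing ports are an assumption about how the DMZ
relay MTA and HTTPS front end are deployed, not a Zimbra requirement
taken from the thread.
"""
from dataclasses import dataclass

INTERNET, DMZ, LAN = "internet", "dmz", "lan"
ZONES = (INTERNET, DMZ, LAN)


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int
    proto: str = "tcp"


# Standard port numbers; which ones are opened inward is the assumption.
POLICY = frozenset({
    Rule(INTERNET, DMZ, 25),   # inbound SMTP to the DMZ relay MTA
    Rule(INTERNET, DMZ, 443),  # HTTPS to the DMZ front end
    Rule(DMZ, LAN, 25),        # relay delivers accepted mail to the LAN server
    Rule(DMZ, LAN, 443),       # front end proxies webmail to the LAN server
    Rule(DMZ, LAN, 389),       # assumed: relay looks up valid recipients in LDAP
    Rule(LAN, DMZ, 25),        # outbound mail handed to the relay
})


def allowed(src, dst, port, proto="tcp", policy=POLICY):
    """Default deny: a flow passes only if an explicit rule matches it."""
    if src not in ZONES or dst not in ZONES:
        raise ValueError(f"unknown zone: {src!r} -> {dst!r}")
    if src == dst:
        return True  # intra-zone traffic is not filtered by this model
    return Rule(src, dst, port, proto) in policy


def exposed_ports(src, dst, policy=POLICY):
    """Sorted list of ports reachable from src into dst under the policy."""
    return sorted(r.port for r in policy if r.src == src and r.dst == dst)


def audit(policy=POLICY, lan_allow=frozenset({25, 443, 389})):
    """Return the rules that break the design's invariants (empty == clean).

    Invariant 1: nothing from the Internet reaches the LAN directly.
    Invariant 2: DMZ hosts reach the LAN only on the relay/proxy ports.
    """
    problems = []
    for r in sorted(policy, key=lambda r: (r.src, r.dst, r.port)):
        if r.src == INTERNET and r.dst == LAN:
            problems.append(f"direct Internet->LAN rule: {r}")
        if r.src == DMZ and r.dst == LAN and r.port not in lan_allow:
            problems.append(f"DMZ->LAN port {r.port} beyond relay/proxy needs: {r}")
    return problems


if __name__ == "__main__":
    print("Internet->DMZ ports:", exposed_ports(INTERNET, DMZ))
    print("DMZ->LAN ports:", exposed_ports(DMZ, LAN))
    print("Internet->LAN ports:", exposed_ports(INTERNET, LAN))
    print("audit:", audit() or "clean")
    # A compromised DMZ host gets only the listed ports, nothing else:
    print("DMZ->LAN ssh allowed?", allowed(DMZ, LAN, 22))
    # A mis-edited policy that punches a hole straight to the LAN is flagged:
    leaky = POLICY | {Rule(INTERNET, LAN, 443)}
    print("audit of leaky policy:", audit(leaky))
```

The useful habit the model encodes is the audit step: whenever the rule table changes, re-run the invariant check rather than reasoning about each new rule in isolation, because the whole point of the two-tier design is that no single mistake on the DMZ side should expose the LAN mailbox server.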

  6. #6

    Well, VPN would do the trick, indeed; however, that would imply overloading users with VPN clients. I'd rather have an HTTPS-based system. What I'm looking for is something like Outlook Web Access with Microsoft Exchange. The back-end server would be in the LAN, with maximum security, and the front-end server (only mail relay and web access) would be in the DMZ zone. I'm afraid I must include a security level as high as possible, so perhaps using only one server for Zimbra in the DMZ would be my last resort, although I don't discard it... So, what could we do along the line I suggest, without VPN? This is getting interesting.

  7. #7

    I've been doing a little bit more research and have found a pair of threads with the same restrictions as my problem:

    1) Is the solution in Zimbra 5.5?
    http://www.zimbra.com/forums/install...quirement.html

    2) Is Zimbra proxy what I need installed in DMZ host, whereas Zimbra server remains in LAN?
    https://www.zimbra.com/forums/instal...eb-server.html

    What do you think about those?
