
Thread: WebMail proxy

  1. #1
    WebMail proxy

    Hello

    We are in the final process of evaluating Zimbra.

    We are going to have 13 servers located around the world.

    - One server will be Mailbox, LDAP Master and MTA server
    - One server will be Mailbox and MTA server
    - All other servers will be "Mailbox Only" servers (i.e, they will send mail through the two MTA's).

    (any remarks will be greatly appreciated in case this approach is wrong...)

    All servers will be behind NAT and only the two MTA's will have public IP's (also behind NAT).

    We would like users in the "Mailbox Only" servers to access WebMail when out of the office, but we don't want to assign a public IP for every server (for security reasons). Only the MTA servers should have public IP's.

    If possible, we would like "Mailbox Only" server users to access their WebMail through one of the MTA servers, since we want only the MTA servers to have a public IP.

    At the moment, when a user of a "Mailbox Only" server types the MTA's public FQDN in the address bar, he/she is confronted with the login page, which is fine. But when they login they are redirected to their mailbox server's WebMail page. Since that server has no public IP they get a blank page.

    Can Zimbra serve as a "WebMail proxy" and allow "Mailbox Only" server users to connect from the outside through another server which does have a public IP?

    Thanks.

    (hope I didn't cause too much confusion)
    Last edited by ECB; 03-09-2009 at 09:18 AM.

  2. #2

    Quote originally posted by ECB:
    (any remarks will be greatly appreciated in case this approach is wrong...)
    IMHO it is wrong for (at least) four reasons:

    1. ZCS is designed to be "centric", everything in one place, and the ZWC needs very low bandwidth.

    2. Mailbox servers need an MTA to send/receive email, even between them: either you put an MTA server in each location (with their own LDAP replica, or it's useless) or, if you want your "abroad" mailbox servers to use the "center" MTA, then you'd rather keep all the users centered...

    3. LDAP writes can only be made (yet) to the master LDAP (not the replica).

    4. Backup... With servers "abroad", you also need to put a full backup infrastructure in each location.

    Quote originally posted by ECB:
    Can Zimbra serve as a "WebMail proxy" and allow "Mailbox Only" server users to connect from the outside through another server which does have a public IP?
    zimbra-proxy is designed for this, as long as it "sees" all the mailbox servers.

    The problem is, if you use it the way it's supposed to be used, users all around the world should also use it from inside the company.
    You cannot have (at least) documents/briefcase/password change working both through zimbra-proxy and with direct access to mailbox servers.

    Another good reason to keep all servers at the same place...

  3. #3

    Quote originally posted by Klug:
    2. Mailbox servers need an MTA to send/receive email, even between them: either you put an MTA server in each location (with their own LDAP replica, or it's useless) or, if you want your "abroad" mailbox servers to use the "center" MTA, then you'd rather keep all the users centered...
    The reason we need a local server in each branch is that if the internet connection goes down, the entire office loses email access, as well as all other services ZCS offers.
    With a local server, users keep getting ZCS services and sending mails even when the line is down - the SMTP queue will hold the sent emails. When the internet connection is re-established, sent mails are automatically transferred (this is in theory, we haven't yet tested this in our lab).
    The beauty of this method is that when the line goes down users can keep working without interruption and the whole process of mail being held and then transferred is completely transparent to them.
    Another reason is that users transfer large attachments between offices and we want the emails with the attachments to be accessed locally and not through the internet, lowering strain on the line and the server.
    Also, thanks to Zimbra's design, users can even access directory data when the connection to the LDAP master is lost.

    Quote originally posted by Klug:
    3. LDAP writes can only be made (yet) to the master LDAP (not the replica).
    This is already taken into account. And this is fine because the directory can still be accessed and that's what's important in case of LDAP master failure.

    Quote originally posted by Klug:
    4. Backup... With servers "abroad", you also need to put a full backup infrastructure in each location.
    We have already trained our users in the "secret ways" of backup and they've been doing this for years with our current email system.
    Moreover, with Zimbra it is possible (theoretically, we need to test this too...) to backup to remote directories, so we won't even need to bother our users with backup anymore.

    Quote originally posted by Klug:
    Quote originally posted by ECB:
    Can Zimbra serve as a "WebMail proxy" and allow "Mailbox Only" server users to connect from the outside through another server which does have a public IP?
    zimbra-proxy is designed for this, as long as it "sees" all the mailbox servers.
    As far as I understand from the manual, zimbra-proxy only supports POP3 and IMAP4.

    Quote originally posted by Klug:
    The problem is, if you use it the way it's supposed to be used, users all around the world should also use it from inside the company.
    You cannot have (at least) documents/briefcase/password change working both through zimbra-proxy and with direct access to mailbox servers.
    I'm not sure I understand what you're saying here. Can you elaborate?

    Thanks very much.

  4. #4

    Quote originally posted by ECB:
    The reason we need a local server in each branch is that if the internet connection goes down, the entire office loses email access, as well as all other services ZCS offers.
    But unable to send mail (even to each others) unless there's a MTA + LDAP (replica).

    Quote originally posted by ECB:
    The beauty of this method is that when the line goes down users can keep working without interruption and the whole process of mail being held and then transferred is completely transparent to them.
    No, unless there's a MTA + LDAP (replica).

    Quote originally posted by ECB:
    Another reason is that users transfer large attachments between offices and we want the emails with the attachments to be accessed locally and not through the internet, lowering strain on the line and the server.
    That's right.

    Quote originally posted by ECB:
    Also, thanks to Zimbra's design, users can even access directory data when the connection to the LDAP master is lost.
    As long as they're already logged on...
    Unless, once more, you have a LDAP replica.

    Quote originally posted by ECB:
    This is already taken into account. And this is fine because the directory can still be accessed and that's what's important in case of LDAP master failure.
    How can you get the directory (GAL, user/password validation) if you don't have a local LDAP replica and cannot access the master LDAP?

    Quote originally posted by ECB:
    Moreover, with Zimbra it is possible (theoretically, we need to test this too...) to backup to remote directories, so we won't even need to bother our users with backup anymore.
    As long as "remote directory" stays local to the office.
    Your point about "backup magic" is right but I do not trust local backups.

    Quote originally posted by ECB:
    As far as I understand from the manual, zimbra-proxy only supports POP3 and IMAP4.
    That was perdition, that was in 4.x ZCS...
    zimbra-proxy is now nginx and proxies http(s), pop3(s) and imap4(s).
    Which manuals have you checked?

    Quote originally posted by ECB:
    I'm not sure I understand what you're saying here. Can you elaborate?
    If you set up zimbra-proxy (even only one for external access), you'll have to set up all your mailbox servers in reverse-proxied mode.
    As soon as they are in reverse-proxied mode, you need to set zimbraPublicServiceHostname (and zimbraPublicServiceProtocol and zimbraPublicServicePort) for each domain to suit the proxy FQDN.
    And as soon as you've set these up, you've lost local access (i.e. direct access to the mailbox server, not through the proxy) for some features (listed in my previous post).

    There are ways around this (using a local zimbra-proxy with local DNS records) but it's quite complex (and goes against the initial simple idea).

    I also guess the "internet" access to user accounts will only be very low and not frequent. Or you'll hit all the issues you wanted to avoid by having the mailbox servers spread around the world.
    Last edited by Klug; 03-09-2009 at 12:25 PM.
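An added consistency check (not code from this thread or from Zimbra) for the setup Klug describes: every domain's zimbraPublicServiceHostname/Protocol/Port should name the proxy, and every mailbox server should be in reverse-proxied mode. It reads constructed text in the shape of `zmprov gd`/`gs` output so it runs offline; the server attribute name zimbraMailReferMode and the hostnames are assumptions, not taken from the thread.

```python
# Constructed sample of what `zmprov gd <domain>` / `zmprov gs <server>` print
# (one "attr: value" per line); these strings are made up for this example.
SAMPLE_DOMAINS = {
    "example.com": (
        "# name example.com\n"
        "zimbraPublicServiceHostname: mail.example.com\n"
        "zimbraPublicServiceProtocol: https\n"
        "zimbraPublicServicePort: 443\n"
    ),
    # This domain still points users at a mailbox host that has no public IP.
    "branch.example.com": "zimbraPublicServiceHostname: mbx2.branch.example.com\n",
}
SAMPLE_SERVERS = {
    "mbx1.example.com": "zimbraServiceEnabled: mailbox\nzimbraMailReferMode: reverse-proxied\n",
    "mbx2.branch.example.com": "zimbraServiceEnabled: mailbox\nzimbraMailReferMode: wronghost\n",
    "mta1.example.com": "zimbraServiceEnabled: mta\nzimbraServiceEnabled: ldap\n",
}


def parse_attrs(text):
    """Parse zmprov-style 'attr: value' output; multi-valued attrs repeat the name."""
    attrs = {}
    for line in text.splitlines():
        if line.startswith("#") or ": " not in line:
            continue
        key, value = line.split(": ", 1)
        attrs.setdefault(key, []).append(value.strip())
    return attrs


def check_proxy_config(domains, servers, proxy_fqdn, proto="https", port="443"):
    """Return one finding per attribute that does not match the proxied setup."""
    findings = []
    wanted = {"zimbraPublicServiceHostname": proxy_fqdn,
              "zimbraPublicServiceProtocol": proto, "zimbraPublicServicePort": port}
    for name, text in domains.items():
        attrs = parse_attrs(text)
        for attr, value in wanted.items():
            got = attrs.get(attr, [None])[0]
            if got != value:
                findings.append(f"domain {name}: {attr}={got!r}, expected {value!r}")
    for name, text in servers.items():
        attrs = parse_attrs(text)
        if "mailbox" not in attrs.get("zimbraServiceEnabled", []):
            continue  # only mailbox servers need reverse-proxied mode
        mode = attrs.get("zimbraMailReferMode", [None])[0]
        if mode != "reverse-proxied":
            findings.append(f"server {name}: zimbraMailReferMode={mode!r}, expected 'reverse-proxied'")
    return findings
```

Run against the constructed sample it reports the branch domain (three missing or wrong attributes) and mbx2 (not reverse-proxied); the MTA-only server is skipped.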

  5. #5

    All servers in our design are LDAP replicas. Thought that was a given, my mistake.

    Quote originally posted by Klug:
    But unable to send mail (even to each others) unless there's a MTA + LDAP (replica).
    But if the non-MTAed servers have a direct connection to the MTA servers, can't they send mail to each other through the MTAs?

    Quote originally posted by Klug:
    As long as "remote directory" stays local to the office.
    You've lost me there - is it, or is it not possible to back up to a remote directory? I'm new to Linux, so be gentle...

    Quote originally posted by Klug:
    That was perdition, that was in 4.x ZCS...
    zimbra-proxy is now nginx and proxies http(s), pop3(s) and imap4(s).
    So to cut a long story short, the answer to my original question is YES.

    Quote originally posted by Klug:
    As soon as you've set these up, you've lost local access (i.e. direct access to the mailbox server, not through the proxy) for some features (listed in my previous post).
    Thanks for the tip.

    Quote originally posted by Klug:
    There are ways around this (using a local zimbra-proxy with local DNS records) but it's quite complex (and goes against the initial simple idea).
    I don't care if it's complex as long as I can make it work.

    Quote originally posted by Klug:
    I also guess the "internet" access to user accounts will only be very low and not frequent.
    That is correct.
    Last edited by ECB; 03-09-2009 at 12:50 PM.

  6. #6

    Quote originally posted by ECB:
    But if the non-MTAed servers have a direct connection to the MTA servers, can't they send mail to each other through the MTAs?
    Two users on the same mailbox server won't even be able to send mails to each other if there's no MTA available for this server.

    Quote originally posted by ECB:
    You've lost me there - is it, or is it not possible to back up to a remote directory? I'm new to Linux, so be gentle...
    It is, of course.
    But to protect yourself from the "lost line" issue, you can only back up in the same location as your server. This means if there's a problem in this location (and both server and backup are in this location), you might lose all data.

    Quote originally posted by ECB:
    I don't care if it's complex as long as I can make it work.
    Are your users using local DNS in each location?

  7. #7

    Our users don't have local DNS servers at the moment, but they will. Zimbra is too dependent on DNS and we prefer each server to run a DNS service as well.

  8. #8

    I urge you to do some lab tests about what you want to deploy...

  9. #9

    Have you considered the problem regarding the usage of the LMTP protocol between MTAs and mailstores? I think that the Local Mail Transport Protocol is not so good over WAN...
    Last edited by anteos; 03-12-2009 at 03:29 AM.
    Stefano Pampaloni
    www.seacom.it

  10. #10

    I am not aware of such a problem - can you elaborate please?
    Thanks!
    Last edited by ECB; 03-12-2009 at 03:31 AM.
