Thread: Zimbra inside a LAN

  1. #1
    Join Date
    Sep 2006
    Posts
    252
    Rep Power
    9

    Zimbra inside a LAN

    Hi guys,

    I'm trying to make a client of mine switch from Exchange to Zimbra.

    I had a chat with the tech guy this morning and he mentioned that he wants the mail server inside their LAN and a relay in their DMZ for security reasons. I don't like this architecture, but I offered to do some research on this.

    Any thoughts? Something you guys would recommend? What are the +/- of doing this?

    Thanks!

  2. #2
    Join Date
    Mar 2006
    Location
    Massachusetts
    Posts
    965
    Rep Power
    10

    We've been running Zimbra in the configuration you've described for a few years now without any issues. Before moving to Zimbra we had the email gateway set up and left it in place after the move. The gateway is using a lot of the same software that Zimbra uses (postfix, amavisd, spamassassin, clamav), so in some ways it is probably redundant. I still kind of like the extra layer of security that is provided.

    I don't know for sure, but I think this would be a somewhat common setup with Zimbra. What are your concerns?

  3. #3
    Join Date
    Sep 2006
    Posts
    252
    Rep Power
    9

    The gateway will need to know which users exist or not for the domain, right? Otherwise it will relay non-existent users.

    Are you using Zimbra also as a gateway? Or are you using something custom?

    Thanks,

  4. #4
    Join Date
    Sep 2006
    Posts
    252
    Rep Power
    9

    The thing I don't like about having the mail server on the LAN is that if any PC gets infected by a virus it may attack the mail server and start sending spam (the LAN is in the trusted networks).

    The thing is that I need a way to demonstrate it to this guy, so any other vulnerabilities will be cool.

    Thanks!

  5. #5
    Join Date
    Mar 2006
    Location
    Massachusetts
    Posts
    965
    Rep Power
    10

    > The gateway will need to know which users exist or not for the domain, right? Otherwise it will relay non-existent users.
    >
    > Are you using Zimbra also as a gateway? Or are you using something custom?

    Our Internet email gateway does not know about all our users. You are right; it does relay non-existent users. But then they are rejected by the Zimbra server. Net effect is the same.

    The email gateway is not running Zimbra. Like I said, it was set up prior to us using Zimbra and we kept it in place. I used one of the many "recipes" out there on the 'net for setting up an Internet email gateway using open source tools.

    > The thing I don't like about having the mail server on the LAN is that if any PC gets infected by a virus it may attack the mail server and start sending spam (the LAN is in the trusted networks).

    Oh, so now I see. You are concerned about having the email server on your LAN for security reasons. I thought you were more concerned with having the extra gateway server to worry about. Some of your concerns here are probably valid. We did run into a situation similar to what you are describing with the virus. I'm not really sure it would have been avoided if the Zimbra server wasn't on our LAN.
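
An added example (not posted by anyone in this thread, and not Zimbra's own tooling): a small Python audit of Postfix settings for the two concerns discussed above, a gateway that relays mail for recipients it cannot validate and a mail server that trusts the whole LAN. The configuration text, the addresses, the map file path and the finding names are constructed assumptions.

```python
import ipaddress

# Constructed `postconf -n` style settings; all values are illustrative.
GATEWAY_WEAK = """relay_domains = example.com
mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination"""
GATEWAY_FIXED = GATEWAY_WEAK + """
relay_recipient_maps = hash:/etc/postfix/relay_recipients"""
MAILSTORE_WEAK = """mynetworks = 127.0.0.0/8 192.168.0.0/16
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination"""
# Only the DMZ gateway (assumed 192.0.2.10) is trusted; LAN clients must authenticate.
MAILSTORE_FIXED = MAILSTORE_WEAK.replace("192.168.0.0/16", "192.0.2.10/32")


def parse(text):
    """Turn 'name = value' lines into a dict, skipping comments."""
    conf = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, _, value = line.partition("=")
            conf[name.strip()] = value.strip()
    return conf


def audit(text):
    """Return a list of findings for one server's settings."""
    conf = parse(text)
    findings = []
    restrictions = conf.get("smtpd_recipient_restrictions", "")
    # A relay with no recipient list and no address verification accepts mail
    # for unknown users; the rejection by the inner server then becomes a
    # bounce that the gateway has to send to the (often forged) sender.
    if (conf.get("relay_domains") and not conf.get("relay_recipient_maps")
            and "reject_unverified_recipient" not in restrictions):
        findings.append("no-recipient-validation")
    # With permit_mynetworks, every address in mynetworks relays unauthenticated.
    for entry in conf.get("mynetworks", "").replace(",", " ").split():
        try:
            cidr = entry.replace("[", "").replace("]", "")  # Postfix IPv6 form
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            continue  # table lookups or file paths are not evaluated here
        if not net.is_loopback and net.num_addresses > 1:
            findings.append("subnet-trusted:" + entry)
    return findings


if __name__ == "__main__":
    for name in ("GATEWAY_WEAK", "GATEWAY_FIXED", "MAILSTORE_WEAK", "MAILSTORE_FIXED"):
        print(name, audit(globals()[name]))
```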

  6. #6
    Join Date
    Nov 2006
    Location
    Bordeaux, France
    Posts
    140
    Rep Power
    9

    You can use Zimbra proxy (nginx proxy in fact) to do this.
    Just put it in your DMZ, then migrate your Zimbra server(s) into the LAN.

    + Your Zimbra server containing your precious data (e-mail and so on) is not directly visible from outside, where ugly bad hackers live. That's the main purpose of a reverse proxy.

    + You don't charge your firewall with traffic when users from the LAN want to access Zimbra. (You'll have to create a "fake" zone in your internal DNS to redirect LAN users to the LAN IP of your Zimbra server.)

    - You have another Zimbra server in your architecture (Zimbra proxy).

  7. #7
    Join Date
    Sep 2006
    Posts
    252
    Rep Power
    9

    Thanks Nozil, that will work perfectly. Can I have Zimbra's antispam and antivirus running on the proxy server?

    Cheers!
