Thread: [SOLVED] Mailbox Server Behind Firewall

#1

    Hi There,

    I have the following setup on our network.

    INTERNET --> FIREWALL 1 --> Zimbra Front End --> FIREWALL 2 --> Zimbra Mail Store

    I am getting mail flow down to the mail store, my only problem is the web interface. I get a 502 bad gateway error from nginx. If I connect directly to the mail store server, I can login.

    I have changed our DNS records, so that the front end should be looking at firewall 2 to locate the mail server (port forwards are setup on firewall 2 to the mail store server).

    I am thinking that I may be missing a port forward somewhere - but I could be wrong :\.

    Any ideas\suggestions welcome.

    Cheers,
    Matt.

#2

    Welcome to the forums

    What have you set for the Public Service Hostname with the Admin GUI or you can check with
    Code:
    su - zimbra
    zmprov gd yourdomain.com zimbraPublicServiceHostname
    zmprov gs `zmhostname` | grep Port

#3

    Hi uxbod,
    Thanks for your assistance & the welcome

    I grabbed this from the console.

    zmprov gd yourdomain.com zimbraPublicServiceHostname gives:
    #name

    zmprov gs `zmhostname` | grep Port gives
    zimbraAdminPort: 7071
    zimbraImapBindPort: 7143
    zimbraImapProxyBindPort: 143
    zimbraImapSSLBindPort: 7993
    zimbraImapSSLProxyBindPort: 993
    zimbraLmtpBindPort: 7025
    zimbraMailPort: 0
    zimbraMailProxyPort: 80
    zimbraMailSSLPort: 0
    zimbraMailSSLProxyPort: 443
    zimbraMemcachedBindPort: 11211
    zimbraNotifyBindPort: 7035
    zimbraNotifySSLBindPort: 7036
    zimbraPop3BindPort: 7110
    zimbraPop3ProxyBindPort: 110
    zimbraPop3SSLBindPort: 7995
    zimbraPop3SSLProxyBindPort: 995
    zimbraRemoteManagementPort: 22
    zimbraSmtpPort: 25

    Cheers,
    Matt.
    Last edited by mattrat; 08-05-2010 at 12:39 AM.
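As an added example (not from this thread or from Zimbra itself): a small Python script that parses the `zmprov gs ... | grep Port` listing above, separates the public proxy listeners that FIREWALL 1 forwards to the front end from the service ports that stay behind FIREWALL 2, flags the management ports that should never be forwarded from the Internet, and tests TCP reachability from the front end to the mail store. The name-based classification, the embedded sample and the mail store host name are assumptions.

```python
import socket

# Constructed sample: a subset of the `zmprov gs ... | grep Port` output posted above.
SAMPLE_OUTPUT = """\
zimbraAdminPort: 7071
zimbraImapBindPort: 7143
zimbraImapProxyBindPort: 143
zimbraMailPort: 0
zimbraMailProxyPort: 80
zimbraMailSSLProxyPort: 443
zimbraRemoteManagementPort: 22
"""

def parse_ports(text):
    """'zimbraXxxPort: N' lines -> {attribute: int(port)}; other lines are skipped."""
    ports = {}
    for line in text.splitlines():
        name, sep, value = (s.strip() for s in line.partition(":"))
        if sep and name.startswith("zimbra") and value.isdigit():
            ports[name] = int(value)
    return ports

def classify(ports):
    """Heuristic on attribute names: *Proxy* attributes are the public listeners
    FIREWALL 1 forwards to the front end; the rest stay behind FIREWALL 2 (0 = disabled)."""
    public, internal, disabled = {}, {}, []
    for name, port in ports.items():
        if port == 0:
            disabled.append(name)
        elif "Proxy" in name:
            public[name] = port
        else:
            internal[name] = port
    return public, internal, disabled

def management_ports(ports):
    """Admin console (7071) and SSH: never forward these from FIREWALL 1."""
    return {n: p for n, p in ports.items() if p and ("Admin" in n or "RemoteManagement" in n)}

def tcp_open(host, port, timeout=3.0):
    """Plain TCP connect test; run it on the front end with the mail store as host."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_reachability(host, internal, connect=tcp_open):
    """{attribute: reachable} for each internal port; `connect` is injectable for offline tests."""
    return {name: connect(host, port) for name, port in internal.items()}
```

Run `check_reachability("<mail store host>", internal)` from the front end: any port reported unreachable is a candidate for the missing forward on FIREWALL 2 behind the nginx 502.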

#4

    I may be guessing too much, but in similar settings where I've set these things up, the problem has been that although you're port-forwarding INCOMING traffic, your OUTGOING traffic is going from a different IP address due to the default NAT configuration for the router. For example, if your main public IP address is x.x.x.2, and you're using x.x.x.3 for your mail server (and port-forwarding its traffic to an internal ip), the outgoing traffic from the mail server needs to be SNAT translated to source from x.x.x.3 because by default the regular NAT rule will have it coming out through .2.

    So set up an outgoing SNAT rule and see if that doesn't make it work.
    Cheers,

    Dan

#5

The firewall itself doesn't support SNAT rules. Is there something I can do on the mailbox server to "fake" an outgoing IP address?

#6

Quote Originally Posted by mattrat:
    The firewall itself doesn't support SNAT rules. Is there something i can do on the mailbox server to "fake" an outgoing ip address?
    No, I'm afraid that can only be done on the device that is doing the NAT service. If your router doesn't support SNAT (and many don't), you are left with only four choices:

    1) Hang your mailserver on a truly public IP address (not recommended);

    2) Change your current NAT rule so the necessary incoming ports (25 and 443 at the least) translate from your primary IP (not an alternate one) to the mail server; this allows the in- and out- packets to be on the same IP as well;

    3) Put up with the current problems you have;

    4) Change your gateway to one that can handle outgoing address translation as well as incoming.
    Cheers,

    Dan

#7

    Thanks Dan,

    What I have done so far is port forward http traffic through to the mailbox server.

    I haven't checked POP3\IMAP, however webmail access seems to be working fine.

    Do you see any security implications to leaving it this way (I imagine there is exposing the mail store)?

    Cheers,
    Matt

#8

Quote Originally Posted by mattrat:
    Thanks Dan,

    What I have done so far is port forward http traffic through to the mailbox server.

    I haven't checked POP3\IMAP, however webmail access seems to be working fine.

    Do you see any security implications to leaving it this way (I imagine there is exposing the mail store)?

    Cheers,
    Matt
    I don't see a problem with this, Matt. The only way you could be more secure would be if you had a separate server for your mailstore from the one that handled your webmail, and that's normally only done by those of our users (and I am NOT one of them) who host really large installations that need to spread the load around. HTTP alone isn't going to compromise your server unless someone discovers a bug in Tomcat or related modules (I shouldn't think), and if they do I would be pretty confident that the Zimbra team would be all over it PDQ!
    Cheers,

    Dan

#9

    Awesome, then it can stay this way for the time being

    Thanks for all your help guys - appreciate it!

    Cheers,
    Matt.
