
Thread: [SOLVED] DNS Server Required for External Accounts?

  1. #1 (Join Date: Jan 2011)

    Hi,

    I'm trying to set up zimbra for a small business. Originally I planned on hosting our own email, but I've since read about some of the problems and think I may just configure each user to be able to download email from various external accounts (we have three separate companies with their own domains).

    My question is two-fold.

    1.) Do I need to set up a DNS server to do this? I don't particularly see why, but I'm not at my office and I just read something that implied that you do.

    2.) In regards to running your own email server, will I run into problems with blacklisting? I read in a Red Hat article that you could use your ISP's relay (smtp.comcast.net, for example) to avoid that. But is this simply referring to setting up accounts regulated by Comcast (with standard email provider limitations), or am I using a username and password to be authenticated by Comcast, allowing my outgoing email to be simply forwarded? I plan on purchasing a static IP if I go that route, in case that was going to influence the answer.

    Also, using an ISP relay wouldn't change the headers in a way that people would think the mail came from the ISP account, would it?

  2. #2 (Join Date: Oct 2009)

    First I think you should look at this article. I was able to understand and follow this article to install the FOSS (aka Open Source Edition) edition of Zimbra on Ubuntu 8.04 LTS. This article simplified the DNS issue and I was successful.

    Ubuntu 8.04 LTS Server (Hardy Heron) Install Guide - Zimbra :: Wiki

    The other thing is I was able to run Zimbra and use one of my ISP email accounts to relay all outbound mail. For inbound email to Zimbra I actually forward a copy of the emails from my ISP to the actual Zimbra account.

    So, before any details, at a high level: yes, there are some DNS concerns.
    You do not have to run your own DNS server; that's complex for most.

    Question 2.
    Blacklisting - yes, if your setup is bad and you end up becoming a zombie and spam the world.
    Relay via ISP - yes, you can relay from Zimbra via your ISP. You just need one account at your ISP. The login is used by the SMTP server at your ISP just to validate that the account is legit for accepting and sending emails.
    So you would use your Comcast username and password to authenticate to the Comcast SMTP server. Zimbra handles that transaction. The issue is you have to know how to set up Zimbra to do that. I will explain that later, at least how I was successful.
    Changing headers - If you were to look deeply at the header info you would see that the email is coming through via Comcast. What I do is, in Zimbra, I go to Preferences and change the Reply-To. This allows the regular users to communicate via the email address I specify. So I keep all that relay stuff and other domains behind the scenes.

  3. #3 (Join Date: Oct 2009)

    I will explain my setup and at least you will be able to get going with FOSS.
    I might differ a bit from you but the guts of what you want is here.

    Running Zimbra Behind a Dynamic IP
    ----------------------------------
    I have my domain.com running at my ISP. I have email, www, ftp and all that.
    I have my domain.org tied to my firewall and I use ZoneEdit.com to handle the dynamic DNS. All ZoneEdit does is know that for domain.org there's an IP, and it answers to the world when anyone asks for domain.org, mail.domain.org, ftp.domain.org, so you see the idea. domain.org must be known and be findable via the Internet. ZoneEdit handles this. It's free.
    My firewall, IPCop, has a way to dynamically communicate with ZoneEdit if my IP changes. Since I'm on Comcast my dynamic IP can change. If you get a static IP, same thing; it just wouldn't change, but ZoneEdit does the same work. This satisfies the major DNS stuff. The only other DNS stuff is when you're setting up Zimbra. Later for that.

    So at my house, I have my IPCop firewall via my Dynamic DNS updates to ZoneEdit. Like any firewall, I can open ports to machines behind the firewall. Zimbra is a machine that will sit behind your firewall and have a local private ip, say 192.168.2.253. That's a private IP.
    Follow these instructions and open the right ports on your firewall to the Zimbra machine.

    Although the Zimbra installation instructions tell you to install Zimbra on a system without a firewall, you can get Zimbra to work on a system as long as all needed ports are opened on the firewall.

    Needed ports (standard Zimbra ports):

    * SMTP: 25/tcp
    * HTTP: 80/tcp
    * POP3: 110/tcp
    * IMAP: 143/tcp
    * LDAP: 389/tcp (should probably be limited by a firewall to your local network only)
    * HTTPS: 443/tcp
    * SMTPS: 465/tcp
    * IMAPS: 993/tcp
    * POP3S: 995/tcp
    * Admin interface: 7071/tcp (should probably be limited by a firewall to your local network only)
    * LMTP: 7025/tcp (should probably be limited by a firewall to your local network only)


    Here's what I did to install on Ubuntu 8.04 LTS. I adapted it for 10.04.1. I know it works for Ubuntu 8.04 I haven't done 10 yet. I stopped to help you. Let me say that the directives came from the wiki I posted about previously. I just wrote in my specifics so I can follow it a little better.

    Ubuntu 10.04 LTS Server (64-bit) Install Guide

    The following guide is for installing ZCS on Ubuntu Server 8.04 LTS. I have tested this guide with the 32-bit version of Ubuntu only; others will need to verify if any tweaks are necessary for a 64-bit installation.

    This installation is for a split-DNS setup, where the server resides on a DMZ and so needs to resolve to its own internal (DMZ subnet) IP address rather than the public IP address that is published to the world. This is a setting where a firewall/router supplies the translation from the public IP to the DMZ IP (DNAT--Destination Network Address Translation) so that translation is not known to the server itself. This configuration is desirable for security, but it makes bits of the Zimbra configuration more complex than they might otherwise be.

    For simplicity's sake I'm referring to Zimbra's DMZ address as the "private ip address (10.168.8.4)" from here on. By that I mean the Zimbra box has only one IP address, it's on the DMZ, and can be seen by my LAN but not the public. When I say "public IP address (173.14.62.84)" I'm not talking about another address on the Zimbra box, but rather the address that gets DNATed to my box and which is resolved in the world.

    * 1 Installing Ubuntu 10.04 LTS
    * 2 DNS
    * 3 Installing ZCS

    ------------------------------
    Installing Ubuntu 10.04 LTS
    ------------------------------
    Obtain your installation binary from Ubuntu at Download | Ubuntu. Be sure you download the LTS (Longterm Support) Server Edition, NOT the Desktop Edition. Burn the iso file to a CD and boot it in your server. There is an excellent, highly-detailed installation guide for this version at The Perfect Server - Ubuntu Hardy Heron (Ubuntu 8.04 LTS Server) | HowtoForge - Linux Howtos and Tutorials. I highly recommend this guide, particularly if you are new to Linux or Ubuntu specifically. The following points need to be kept in mind as you install:

    1) The installation wants to configure your LAN via DHCP. Cancel it before it gets that far, and manually configure it with a static IP address, netmask, and gateway. Don't put in a public DNS for your nameserver configuration; instead put in the same IP address that you just gave the machine for its own static IP (this won't let you resolve names on the internet until we do some more configuration below, but it saves headaches later).

    IP_Address: 192.168.218.253
    Netmask: 255.255.255.0
    Gateway: 192.168.218.254
    DNS1: 192.168.218.253

    2) When the installation asks for a hostname, give it only a one-word hostname (e.g. "mail" or "myserver") NOT the fully-qualified domain name (mail.mydomain.com). In the next screen where it asks for the domain name, give the "mydomain.com" part without the hostname.

    Hostname: mail
    DomainName: domain.org

    3) Make a small partition for swap (1.5-2x RAM) and the rest for the OS.
    I use 3 separate drives. A 40 gig and 2 similar size drives. One for the system, one for zimbra and one for backing up the entire system. Choose ext3 file system.
    Others will recommend separate partitions, RAID and so forth for mailstore, system, etc. Use your own judgement here.

    40 gig drive contains:
    swap
    /
    other drive 1 contains:
    /opt
    other drive 2 contains:
    /backup

    4) Once the base system has been installed, the installer will ask you for a username, and then a password for that user. This needs to be a non-root user. Whatever you choose, that username and password will be what you use to log in at the command line later, and the same password will be the password for sudo commands. Be sure you remember what you put in here!

    login: support password: xxxxxxxxx

    5) At the "Software Selection" screen, select DNS Server and OpenSSH Server options for installation, but nothing else. This will allow remote administration (SSH), and will install bind9 which you will need for split DNS.

    6) Run the following command to make sure you have all the necessary packages: sudo apt-get install bind9 dnsutils file libgmp3c2 libexpat1 libstdc++5 libltdl3 libperl5.8 perl curl libpcre3 libc6

    With these items, your installation will complete and the system will reboot.

    -----
    DNS
    -----
    On Ubuntu, check /etc/default/bind9 to see the root directory path for your bind installation. If no other path is specified, then it's most likely /etc/bind/

    Proper DNS configuration is PARAMOUNT! If you don't have your DNS working properly, don't even bother trying to install Zimbra, because trying to fix DNS after the fact may result in an install that can do everything except send mail--even from a Zimbra user to himself! So I'll say it again:


    Step 1.
    If you can't resolve your mailserver's own private IP address (NOT the public IP) using nslookup, fix it BEFORE you install Zimbra!

    If your installation above was successful, when you sign on at the command line you'll be able to ping public IP addresses if you know them, but you may not be able to resolve any names to ping them.


    Step 2.
    Now you have to configure the following files, which are in the directory /etc/bind (for brevity I've deleted the generic comment lines included by the distro). Note that the query-source address and forwarders lines are already there, they just need to be uncommented, and in the case of the forwarders, the ip addresses of your ISP's DNS servers need to be added. Note also that the syntax needs to be EXACTLY as shown below--leave out one semicolon or bracket and the whole thing blows up:

    /etc/bind/named.conf.options

    options {
        directory "/var/cache/bind";
        // Pinning the source port to 53 turns off the random source ports that
        // make resolver cache poisoning hard; leave this commented unless a
        // firewall in front of you really blocks other outbound DNS ports.
        // query-source address * port 53;
        forwarders {
            68.87.77.134; 68.87.72.134; // these are Comcast DNS servers; change as needed
        };
        auth-nxdomain no; # conform to RFC1035
    };

    The IP addresses in this file are the public IP addresses of the DNS servers you use in the outside world. The line "query-source address * port 53" is to allow your machine to hit the DNS if oddball DNS ports are blocked. You can leave it commented if you don't need it.


    Step 3.
    Check /etc/resolv.conf and make sure it looks like this (the IP address must be the Zimbra box's private IP address):

    search domain.org
    nameserver 192.168.218.253


    Step 4.
    Once you've fixed these two files, restart bind

    /etc/init.d/bind9 restart

    you should be able to resolve names in the outside world. Try something like "ping google.com" and if you get an answer, you're on the way.

    Step 5.
    Now it's time to get the internal zone working. Append the following lines to /etc/bind/named.conf.local

    zone "domain.org" {
        type master;
        file "/etc/bind/db.domain.org";
    };

    Note that you need to type the full pathname to your db.* file. Also, be sure you don't miss a semicolon ";" in any of these lines that have them because a missing semicolon breaks the file.


    Step 6.
    Now create your file /etc/bind/db.domain.org

    ;
    ; BIND data file for domain.org
    ;
    $TTL    604800
    @       IN      SOA     mail.domain.org. admin.domain.org. (
                            090767      ; Serial
                            604800      ; Refresh
                            86400       ; Retry
                            2419200     ; Expire
                            604800 )    ; Negative Cache TTL
    ;
    @       IN      NS      mail
            IN      MX      10 mail
            IN      A       192.168.218.253
    mail    IN      A       192.168.218.253

    The ip address here is again your Zimbra internal ip address; the string "admin.domain.org" is replaced with the email address you are using for administration, only with a "." instead of the "@" in the address. Be careful to increment the serial number one higher every time you modify this file or the changes won't stick. Many users use the date they edit the file for the serial number, but as long as you start low and only get higher it really doesn't matter.


    Step 7.
    Now you may need to reboot the machine (restarting bind9 alone doesn't always work) and try to resolve your mail server.
    /etc/init.d/bind9 restart
    /sbin/init 6

    nslookup domain.org

    You should get output similar to this:

    Server:     192.168.218.253
    Address:    192.168.218.253#53

    Name:   domain.org
    Address: 192.168.218.253

    If it returns your public IP address, xxx.xxx.xxx.xxx, your internal DNS is not working.
    Fix it. When this failed for me, it was because I had placed the wrong IP in the /etc/resolv.conf file.


    Step 8.
    Before you get to the install you also need to modify your /etc/hosts file:
    127.0.0.1 localhost.localdomain localhost
    192.168.218.253 mail.domain.org mail


    Step 9.
    sudo apt-get install bind9 dnsutils file libgmp3c2 libexpat1 libstdc++5 libltdl3 libperl5.8 perl curl libpcre3 libc6

    It's now time to update your packages:
    sudo bash   (this will ask for your password; enter your administrator's password, then you'll be at a root prompt)
    apt-get update && apt-get upgrade

    ---------------end--------------

    So, the above showed how to handle the DNS issue on the Ubuntu server which will become the zimbra machine. They call this split DNS.

    Now you need to install Zimbra. I assume you know how to do that. If you don't, post for help.

    I will now address the SMTP authentication. Basically, how do you tell Zimbra to relay properly? As always, I read this in the wiki and just wrote it more in the form of a script with my info. I always give credit where due. I'm just a rookie on this all-star forum of bright people.
    So, Zimbra is installed and you can ssh to the machine, sudo, and then su - zimbra. Do the following as the zimbra user.

    # mail.domain.org is this Zimbra host; mail.domain.com:25 is the ISP's SMTP
    # server that accepts your login.
    zmprov ms mail.domain.org zimbraMtaRelayHost mail.domain.com:25

    # Credential map: one line, "relayhost user:password". Create it owner-only
    # BEFORE the password lands in it, and lock down the .db that postmap builds.
    umask 077
    echo "mail.domain.com userid@domain.com:theactualpassword" > /opt/zimbra/conf/relay_password
    postmap hash:/opt/zimbra/conf/relay_password
    chmod 600 /opt/zimbra/conf/relay_password /opt/zimbra/conf/relay_password.db

    # Verify the lookup key is the relay host name Postfix will search for
    postmap -q mail.domain.com hash:/opt/zimbra/conf/relay_password

    # Live Postfix settings
    postconf -e smtp_sasl_password_maps=hash:/opt/zimbra/conf/relay_password
    postconf -e smtp_sasl_auth_enable=yes
    postconf -e smtp_use_tls=yes   # opportunistic STARTTLS: falls back to cleartext if the relay refuses TLS
    postconf -e smtp_cname_overrides_servername=no
    postconf -e smtp_sasl_security_options=noanonymous
    postfix reload

    # Zimbra regenerates main.cf from localconfig on restart, so persist the same values there
    zmlocalconfig -e postfix_smtp_sasl_password_maps=hash:/opt/zimbra/conf/relay_password
    zmlocalconfig -e postfix_smtp_sasl_auth_enable=yes
    zmlocalconfig -e postfix_smtp_use_tls=yes
    zmlocalconfig -e postfix_smtp_cname_overrides_servername=no
    zmlocalconfig -e postfix_smtp_sasl_security_options=noanonymous

    zmprov mcf zimbraLastLogonTimestampFrequency 1h
    zmprov mcf zimbraDefaultDomainName domain.org

    --------------------end----------------------

    I've used this and it works. I don't know if this is the best way, but I was successful. Others will make it better.

    Reboot and you should be able to send some test messages back and forth.
    Check /var/log/zimbra.log to see if messages are going out properly.

    In each Zimbra account, you will want to change their preference Reply-To email address to userid@domain.com. Hopefully it's clear that your main mail server is domain.com. Zimbra is running on domain.org and thus everything in Zimbra will say .org. If you change that preference the emails will flow right. You will be receiving emails in Zimbra because you actually forward a copy to the same userid@domain.org. Zimbra relays outbound mail via your ISP because you set up that relay earlier.

    Yes, I know I have the email in two places. I want that. I've had Zimbra go down. Users were then sent to https://domain.com until Zimbra came back. Better than nothing.

    I normally rerun the authentication after each zimbra release upgrade.

    I hope this helps you out
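
    The zone-file and resolver checks behind Steps 3, 6 and 7 above, as an added example that is not part of the post or of the Zimbra wiki it quotes: a small Python script that parses a BIND zone laid out like db.domain.org, confirms that every A record inside the internal zone is a private address rather than the NATed public one (the Step 7 symptom), confirms that the NS and MX targets have A records in the zone, checks that resolv.conf points only at the Zimbra host itself, and bumps the SOA serial the way the post recommends (date-based, never going backwards). The zone text, the public address 173.14.62.84 and the private 192.168.218.253 are the post's illustrative values, embedded here as constructed samples; the parser handles only the directives the post's file uses ($TTL, a parenthesised SOA, blank-owner records).

```python
import datetime as _dt
import ipaddress
import re

# Constructed sample zone, laid out like the post's db.domain.org (assumed values).
SAMPLE_ZONE = """\
$TTL 604800
@ IN SOA mail.domain.org. admin.domain.org. (
        090767 ; Serial
        604800 ; Refresh
        86400 ; Retry
        2419200 ; Expire
        604800 ) ; Negative Cache TTL
;
@ IN NS mail
  IN MX 10 mail
  IN A 192.168.218.253
mail IN A 192.168.218.253
"""
ORIGIN = "domain.org."
PUBLIC_IP = "173.14.62.84"       # the NATed public address from the post (assumed)
PRIVATE_IP = "192.168.218.253"   # the Zimbra host's own address (assumed)


def _logical_lines(text):
    """Drop ';' comments and fold a '( ... )' record onto one line, keeping the
    leading whitespace of a record's first line (blank owner = previous owner)."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line if not buf else line.strip())
        if depth == 0:
            out.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf = []
    return out


def _fqdn(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin=ORIGIN):
    """Return (soa_serial, records); records are (fqdn, type, rdata_tokens)."""
    records, serial, owner = [], None, "@"
    for line in _logical_lines(text):
        if line.startswith("$TTL"):
            continue
        tokens = line.split()
        if not line[0].isspace():          # explicit owner on this record
            owner = tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)                   # optional class
        rtype = tokens.pop(0).upper()
        if rtype == "SOA":
            serial = int(tokens[2])        # mname rname serial refresh retry expire minimum
        records.append((_fqdn(owner, origin), rtype, tokens))
    return serial, records


def check_split_dns(text, origin=ORIGIN, public_ip=PUBLIC_IP):
    """Findings against the split-horizon rule: the internal zone must answer
    with private addresses only, and NS/MX targets must resolve inside the zone."""
    serial, records = parse_zone(text, origin)
    findings = [] if serial is not None else ["no SOA record"]
    a_names = {name for name, rtype, _ in records if rtype == "A"}
    for name, rtype, rdata in records:
        if rtype == "A":
            ip = ipaddress.ip_address(rdata[0])
            if str(ip) == public_ip:
                findings.append(f"{name} A {ip}: the public (NATed) address is in the internal zone")
            elif not ip.is_private:
                findings.append(f"{name} A {ip}: not a private address")
        elif rtype in ("NS", "MX"):
            target = _fqdn(rdata[-1], origin)
            if target not in a_names:
                findings.append(f"{name} {rtype} -> {target}: no A record in the zone")
    return findings


def check_resolv_conf(text, private_ip=PRIVATE_IP):
    """The box must ask itself; any other nameserver bypasses the split zone and
    hands back the public address (the Step 7 failure)."""
    servers = [parts[1] for parts in (l.split() for l in text.splitlines())
               if len(parts) >= 2 and parts[0] == "nameserver"]
    if not servers:
        return ["no nameserver line"]
    return [f"nameserver {s}: not the Zimbra host itself" for s in servers if s != private_ip]


def bump_serial(text, today=None):
    """Raise the SOA serial: YYYYMMDDnn when that exceeds the current value (the
    date convention the post mentions), otherwise +1, so it never goes backwards.
    `today` is a 'YYYYMMDD' string; returns (new_text, old_serial, new_serial)."""
    today = today or _dt.date.today().strftime("%Y%m%d")
    m = re.search(r"(\bSOA\b[^(]*\(\s*)(\d+)", text)
    if not m:
        raise ValueError("no SOA serial found")
    old = int(m.group(2))
    candidate = int(today) * 100
    new = candidate if candidate > old else old + 1
    if new >= 2 ** 32:
        raise ValueError("serial overflow: serials are 32-bit")
    return text[:m.start(2)] + str(new) + text[m.end(2):], old, new


if __name__ == "__main__":
    print("zone:", check_split_dns(SAMPLE_ZONE) or "ok")
    print("resolv.conf:", check_resolv_conf(f"search domain.org\nnameserver {PRIVATE_IP}\n") or "ok")
    _, old, new = bump_serial(SAMPLE_ZONE, "20110115")
    print(f"serial {old} -> {new}")
```

    Run it against your own db.domain.org and /etc/resolv.conf before installing Zimbra; a finding that names the public address is exactly the condition the post warns about in Step 7.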

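    The relay settings from the post above, as an added example that is not from the post or from Zimbra: a Python audit of `postconf -n`-style output that flags the weak points of that configuration (STARTTLS is opportunistic, so a failed TLS negotiation sends the ISP password in the clear; plaintext SASL mechanisms are allowed outside TLS; a relay_password file created with the default umask is readable by every local user) next to a hardened variant that requires TLS with smtp_tls_security_level=encrypt and permits PLAIN/LOGIN only under TLS. The parameter names are real Postfix ones and the config text is constructed; which zmlocalconfig keys carry these extra parameters in the ZCS version the post used is not stated on the page and is not assumed here.

```python
import os
import stat
import tempfile

# Constructed `postconf -n` excerpts. The first holds the values the post sets,
# the second a hardened variant ([] around the relay skips the MX lookup).
AS_POSTED = """\
relayhost = mail.domain.com:25
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/opt/zimbra/conf/relay_password
smtp_sasl_security_options = noanonymous
smtp_use_tls = yes
"""

HARDENED = """\
relayhost = [mail.domain.com]:25
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/opt/zimbra/conf/relay_password
smtp_tls_security_level = encrypt
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = noanonymous
"""

# smtp_tls_security_level values that refuse to deliver without TLS
MANDATORY_TLS = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}


def parse_postconf(text):
    """Turn 'name = value' lines (postconf -n output) into a dict."""
    conf = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            name, value = line.split("=", 1)
            conf[name.strip()] = value.strip()
    return conf


def _options(conf, name, default):
    return {o.strip() for o in conf.get(name, default).split(",") if o.strip()}


def audit_relay(text, map_mode=None):
    """Return findings for an SMTP-client relay configuration; map_mode is the
    permission bits of the password map file when known."""
    conf = parse_postconf(text)
    findings = []
    if conf.get("smtp_sasl_auth_enable") != "yes":
        findings.append("smtp_sasl_auth_enable is not yes: the relay sees an unauthenticated client")
    if not conf.get("smtp_sasl_password_maps"):
        findings.append("smtp_sasl_password_maps unset: no credentials for the relay")
    if conf.get("smtp_tls_security_level", "") not in MANDATORY_TLS:
        findings.append("TLS is opportunistic (smtp_use_tls=yes / level=may) or off: "
                        "a failed STARTTLS sends the ISP password in clear")
    opts = _options(conf, "smtp_sasl_security_options", "noplaintext, noanonymous")
    if "noanonymous" not in opts:
        findings.append("smtp_sasl_security_options lacks noanonymous")
    if "noplaintext" not in opts:
        findings.append("plaintext SASL mechanisms allowed without TLS; set noplaintext here "
                        "and allow them only under TLS via smtp_sasl_tls_security_options")
    if map_mode is not None and map_mode & 0o077:
        findings.append(f"password map mode {map_mode:o}: readable by group/other")
    return findings


def write_relay_map(path, relay_host, user, password):
    """Write the one-line map with owner-only permissions from the start, so the
    password never sits in a 0644 file; return the resulting mode bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{relay_host} {user}:{password}\n")
    os.chmod(path, 0o600)   # in case the file already existed with a looser mode
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_write_map():
    """Write a throwaway map in a temp dir and return its mode (expect 0o600)."""
    with tempfile.TemporaryDirectory() as d:
        return write_relay_map(os.path.join(d, "relay_password"),
                               "mail.domain.com", "userid@domain.com", "theactualpassword")


if __name__ == "__main__":
    print("as posted:", audit_relay(AS_POSTED, map_mode=0o644) or ["ok"])
    print("hardened: ", audit_relay(HARDENED, map_mode=0o600) or ["ok"])
    print("map mode: %o" % demo_write_map())
```

    Feed it the output of `postconf -n` from the Zimbra host (and the mode of /opt/zimbra/conf/relay_password) after the relay setup; the hardened block is what the settings should look like once the ISP's relay is confirmed to offer STARTTLS, since with `encrypt` Postfix will defer mail rather than fall back to cleartext.
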
  4. #4 (Join Date: Jan 2011)

    Wow,

    Well I definitely thank you for taking the time to post such a thorough reply to my question. I've already been using zimbra for some time now, but if I run into problems setting up multiple external accounts or the smtp relay, I'll be sure to look at your guide.

    In your first post, though, you mentioned that the header would contain comcast's server. From what I understand, any and all jumps that the message takes will show up behind the scenes in the header; my question is whether the basic "From" field would show my business' domain, or comcast's.

    Thanks

  5. #5 (Join Date: Oct 2009)

    Your domain is what will show.
    Basically, whatever you put in the Reply-To field in the Preferences -> Accounts area. I would assume you would put your own domain.
