Remote connections

Postby Rocketrrt » Fri Mar 02, 2018 6:28 pm

Hi,

I have installed the Network Edition 8.8.6 with a trial license. I am using split DNS and I used the wiki to install it. Everything works fine on the server machine. I set up zdesktop (7.3.1 64-bit) using the Zimbra type and Evolution using IMAP. They are using the server IP address (192.XXX.XXX.XXX). When I try to connect from a remote machine not on the same network, using public IP 172.95.84.4, with zdesktop (using the Zimbra connection type) I get the following error: service.FAILURE: system failure: error while proxying request to target server: HTTP/1.1 503 Service Unavailable

With Evolution (using IMAP) I get the error: Could not connect to 172.95.84.4 socket I/O timed out. I have searched the forum and it is not the DoSFilter problem that I found. The logs that the wiki says to look at are clean. I can send and receive e-mail to/from external e-mail addresses.

I am not sure what to look at; any help would be greatly appreciated.

Thanks,

Ron


Postby Labsy » Sun Mar 04, 2018 1:24 pm

Hi,

I asked you about routing before, but you probably forgot to answer :)
OK, no problem... I guess you have Zimbra behind a firewall with NAT translation from public IP 172.95.84.4 to Zimbra LAN IP 192.168.x.x. You should have port-forward rules on your firewall/NAT device for ports 25 for inbound SMTP, 465 and 587 for SMTP+TLS clients, 993 for IMAP+TLS and 995 for POP3+TLS clients. Those are SSL/TLS ports (except for SMTP port 25 for incoming mail).
If you want to allow the not-recommended plain-text mail retrieval ports for remote clients, you should also port-forward 143 for IMAP and 110 for POP3; both are not secure and not recommended!
That's about your firewall/router.

Now Zimbra.
Zimbra from version 8.6 onward has a mandatory nginx proxy service installed, which sits in between the PUBLICLY VISIBLE client retrieval ports (465, 587, 993, 995 and 443) and the INTERNAL Zimbra listening ports. The nginx proxy mapping goes like this:
IMAPS public port 993 is proxied internally to Zimbra local port 7993.
IMAP public port 143 is proxied internally to Zimbra local port 7143.
POP3 public port 110 is proxied internally to Zimbra local port 7110.
POP3S public port 995 is proxied internally to Zimbra local port 7995.
HTTP public port 80 is proxied internally to Zimbra local port 8080.
HTTPS public port 443 is proxied internally to Zimbra local port 8443.

There are some prerequisites for everything to work properly:
1.) The Zimbra hostname must be configured properly. PING and NSLOOKUP of the Zimbra hostname must return the same INTERNAL Zimbra IP (because you are behind a NAT router).
2.) Split DNS for the behind-router config must ensure that PING and NSLOOKUP from inside the LAN return Zimbra's INTERNAL IP 192.168.x.x, while PING and NSLOOKUP from the public side return Zimbra's public IP 172.95.84.4.
3.) Zimbra's hosts file and resolvers must resolve Zimbra's hostname to the internal IP 192.168.x.x.

Then I suggest you re-run the Zimbra ./install.sh again, and make sure you select (Y) to install the Zimbra nginx proxy and Zimbra memcached. After installation, check as the zimbra user to make sure all services are up and running. The installer script will make sure all services are set up correctly:

 su - zimbra
zimbra@yourserver:~$ zmcontrol status
Host yourzimbra.yourdomain.com
        amavis                  Running
        antispam                Running
        antivirus               Running
        ldap                    Running
        logger                  Running
        mailbox                 Running
        memcached               Running
        mta                     Running
        opendkim                Running
        proxy                   Running
        service webapp          Running
        snmp                    Running
        spell                   Running
        stats                   Running
        zimbra webapp           Running
        zimbraAdmin webapp      Running
        zimlet webapp           Running
        zmconfigd               Running

Then check if all ports are listening properly on Zimbra's upstream and nginx proxy side.
Look at each port to see that it is PAIRED according to the above proxy map, public port --> local port:

 netstat -anp | grep 993 | grep LIST
tcp        0      0 0.0.0.0:7993            0.0.0.0:*               LISTEN      3229/java
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      3498/nginx.conf
 netstat -anp | grep 995 | grep LIST
tcp        0      0 0.0.0.0:7995            0.0.0.0:*               LISTEN      3229/java
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      3498/nginx.conf

Report back with your results.
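
An added example, not part of the original posts: a shell check that reads `netstat -anp` output and reports, for each pair in the proxy map above, whether both the public nginx listener and the internal listener are present, matching the port number exactly. The sample output, the function names and the LOOPBACK_ONLY status are constructed for illustration.

```shell
#!/bin/sh
# Public:internal port pairs, copied from the proxy map in the post above.
PROXY_MAP="993:7993 143:7143 110:7110 995:7995 80:8080 443:8443"

# Constructed sample in `netstat -anp` format (not output from a real host).
SAMPLE='tcp   0   0 0.0.0.0:7993    0.0.0.0:*   LISTEN   3229/java
tcp   0   0 0.0.0.0:993     0.0.0.0:*   LISTEN   3498/nginx
tcp   0   0 0.0.0.0:7995    0.0.0.0:*   LISTEN   3229/java
tcp   0   0 127.0.0.1:995   0.0.0.0:*   LISTEN   3498/nginx
tcp6  0   0 :::8993         :::*        LISTEN   3300/java'

# listeners PORT: read netstat lines on stdin and print every local address
# in LISTEN state whose port is exactly PORT. Unlike `grep 993`, this does
# not also match 7993 or 8993.
listeners() {
    awk -v port="$1" '
        $6 == "LISTEN" {
            n = split($4, parts, ":")
            if (parts[n] == port) print $4
        }'
}

# check_pairs: read netstat lines on stdin, print one status line per pair.
# LOOPBACK_ONLY is an extra check added here: a proxy port bound only to
# 127.0.0.1 or ::1 cannot receive connections forwarded by the NAT device.
check_pairs() {
    input=$(cat)
    for pair in $PROXY_MAP; do
        pub=${pair%%:*}
        int=${pair##*:}
        pub_addrs=$(printf '%s\n' "$input" | listeners "$pub")
        int_addrs=$(printf '%s\n' "$input" | listeners "$int")
        if [ -z "$pub_addrs" ]; then
            echo "$pub->$int NO_PUBLIC_LISTENER"
        elif [ -z "$int_addrs" ]; then
            echo "$pub->$int NO_INTERNAL_LISTENER"
        elif ! printf '%s\n' "$pub_addrs" | grep -Eqv '^(127\.|::1:)'; then
            echo "$pub->$int LOOPBACK_ONLY"
        else
            echo "$pub->$int OK"
        fi
    done
}

# Run against the constructed sample; on a server use: netstat -anp | check_pairs
printf '%s\n' "$SAMPLE" | check_pairs
```
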
Postby Rocketrrt » Mon Mar 05, 2018 3:18 pm

Hi,

Thanks for the help.
I am using NAT translation and the ports are open; I have an Apache James server and an IceWarp server working.

Zimbra Services

[zimbra@mail ~]$ zmcontrol status
Host mail.spears-research.com
   amavis                  Running
   antispam                Running
   antivirus               Running
   convertd                Running
   imapd                   Running
   ldap                    Running
   logger                  Running
   mailbox                 Running
   memcached               Running
   mta                     Running
   opendkim                Running
   proxy                   Running
   service webapp          Running
   snmp                    Running
   spell                   Running
   stats                   Running
   zimbra webapp           Running
   zimbraAdmin webapp      Running
   zimlet webapp           Running
   zmconfigd               Running


hostname:

[root@mail rtidwell]# host $(hostname)
mail has address 192.168.0.8

The check on ports:

[root@mail rtidwell]# netstat -anp | grep 993 | grep LIST
tcp        0      0 0.0.0.0:7993            0.0.0.0:*               LISTEN      25524/java         
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      25853/nginx: master
tcp6       0      0 :::8993                 :::*                    LISTEN      27589/java         


[root@mail rtidwell]# netstat -anp | grep 993 | grep LIST
[root@mail rtidwell]# netstat -anp | grep 995 | grep LIST
tcp        0      0 0.0.0.0:7995            0.0.0.0:*               LISTEN      25524/java         
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      25853/nginx: master


Do I need an nginx.conf file?

Ping on a machine outside of the network:

PING mail.spears-research.com (172.95.84.4) 56(84) bytes of data.
64 bytes from spears-research.com (172.95.84.4): icmp_seq=1 ttl=55 time=15.5 ms
64 bytes from spears-research.com (172.95.84.4): icmp_seq=2 ttl=55 time=14.0 ms
64 bytes from spears-research.com (172.95.84.4): icmp_seq=3 ttl=55 time=14.4 ms
^C
--- mail.spears-research.com ping statistics ---


Ping on the server machine:

PING mail.spears-research.com (192.168.0.8) 56(84) bytes of data.
64 bytes from mail.spears-research.com (192.168.0.8): icmp_seq=1 ttl=64 time=0.056 ms
64 bytes from mail.spears-research.com (192.168.0.8): icmp_seq=2 ttl=64 time=0.064 ms
64 bytes from mail.spears-research.com (192.168.0.8): icmp_seq=3 ttl=64 time=0.051 ms
^C
--- mail.spears-research.com ping statistics ---


Thanks for the help,

Ron
