Question related to DMZ

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
Posts: 46
Joined: Fri Sep 12, 2014 11:55 pm

Question related to DMZ

Postby k_k » Tue Nov 16, 2010 11:40 am

in our current setup, mail server is connected in internal network as mentioned below :

internet request --> Firewall --> Network load balancer --> zimbra mail server.

Our client are using outlook + zimbra web mail.
below ports are open on internet :





443 --> for webmail

80 --> for antivirus update
We are supporting 1000 users with 2 different domains on single server installation...and may be in future we will migrate to multi-server installation for horizontal scalability.
Now our architecture team is suggesting to move mail server to DMZ network.

I gone through few DMZ related post in this forum..
I just need to understand is this a best practice ? And which things we need to consider as per security aspect ??
Please help.

Thanks in advance.

Posts: 46
Joined: Fri Sep 12, 2014 11:55 pm

Question related to DMZ

Postby k_k » Mon Nov 22, 2010 2:57 am

can anyone please guide me for the same ?
Posts: 26677
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Question related to DMZ

Postby phoenix » Mon Nov 22, 2010 5:33 am

[quote user="k_k"]can anyone please guide me for the same ?[/QUOTE]Why not ask your architecture team why they want to do that? As far as I'm concerned putting any server in the DMZ is the same as putting it on an exposed internet IP address and totally insecure, you need to (very) carefully consider what needs to be done. If you don't know what you're doing I'd advise you to get some expert advice on setting-up a server in a DMZ.
You could also start with some articles from the internet:
SolutionBase: Deploying a DMZ on your network

+"best practice" +dmz +"mail server" - Yahoo! Search Results


Rspamd: A high performance spamassassin replacement

Per ardua ad astra
Posts: 7811
Joined: Fri Sep 12, 2014 10:21 pm

Question related to DMZ

Postby uxbod » Mon Nov 22, 2010 8:19 am

If you are wishing to use a DMZ then go for a multi-server setup and proxy connections through to the backend. I am guessing your architecture team are trying to eliminate an attack vector by moving the server outside of the internal network.

Return to “Administrators”

Who is online

Users browsing this forum: No registered users and 6 guests