Securing Zimbra

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
msmcknight
Advanced member
Posts: 117
Joined: Sat Sep 13, 2014 12:27 am

Securing Zimbra

Post by msmcknight »

Hi everyone,

My ZCS 8.8.8p2 environment is working and is stable and now I'm looking to secure it a little more...

I'm trying to follow the guide at: https://wiki.zimbra.com/wiki/SecureConfiguration

But when I get to Services Step #2 and enter:

    zmprov ms `zmhostname` zimbraMailMode https

My server fails to connect. Users trying to log in via the webclient get this error before the initial login page even loads:

HTTP ERROR 502

Problem accessing ZCS upstream server. Cannot connect to the ZCS upstream server. Connection is refused.
Possible reasons:

    upstream server is unreachable
    upstream server is currently being upgraded
    upstream server is down

Please contact your ZCS administrator to fix the problem.


Powered by Nginx-Zimbra://

And the access log shows:

    10.1.2.3:53653 - - [06/Oct/2018:04:39:57 -0400]  "GET https://zimbra.example.com/zimbra/ HTTP/1.1" 502 1332 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" "10.1.2.4:8080" "10.1.2.4:5443"

I'm not sure where to look for this problem. I think it's trying to communicate with the mailstore via HTTPS, but I don't know how to tell the mailstore to listen on 5443. Of course, I could be completely wrong... just a wild guess.

Any help would be appreciated.

Thank you
msmcknight
Advanced member
Posts: 117
Joined: Sat Sep 13, 2014 12:27 am

Re: Securing Zimbra

Post by msmcknight »

Hi everyone,

Just a bump here. If anyone can offer assistance with this, it would be greatly appreciated!
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Securing Zimbra

Post by L. Mark Stone »

So FWIW, 8.8.8 is now past the end of General Support: https://www.zimbra.com/support/support- ... lifecycle/

But an upgrade I suspect won't fix your issue.

The attribute you changed controls only how mailboxd listens for connections from the nginx proxy; it does not control how the backend of the proxy will talk to mailboxd. That setting is controlled by zimbraReverseProxySSLToUpstreamEnabled, also noted in the wiki article, so you'll need to change that too -- or revert the setting you changed.

Note that the 8.8 series comes preconfigured with secure interprocess communication enabled by default in the installer scripts, so in most cases you shouldn't have had to do any of this.

FWIW, I prefer that the Internet-facing side of the proxy be configured to do redirects (zmprov ms `zmhostname` zimbraReverseProxyMailMode redirect) and that the proxy and mailboxd talk to each other only over https (set both zmprov ms `zmhostname` zimbraMailMode https AND zmprov ms `zmhostname` zimbraReverseProxySSLToUpstreamEnabled TRUE).

Hope that helps,
Mark

P.S. You'll also need to confirm that mailboxd's ports are configured correctly, with the proxy listening on, for example, 443 and mailboxd listening on 8443. The https://wiki.zimbra.com/wiki/Enabling_Z ... _memcached article covers this if you need to make those changes as well.
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
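The mismatch Mark describes above (mailboxd switched to https-only while nginx still dials the plain-http upstream port) is easy to check for before restarting anything. The script below is an added example for this thread, not a Zimbra tool and not code from either poster: it takes the "name: value" lines that `zmprov gs $(zmhostname)` prints, compares zimbraMailMode against zimbraReverseProxySSLToUpstreamEnabled, checks that the proxy and mailboxd are not fighting over the same SSL port, and prints the zmprov command that reconciles them. The two embedded attribute sets are constructed samples of the broken and the corrected state, not captures from a real server.

```shell
#!/bin/sh
# Added example (not from the thread, not a Zimbra tool): given the attribute
# lines that `zmprov gs $(zmhostname)` prints, decide whether the nginx proxy
# will reach mailboxd with the scheme mailboxd actually listens on, and print
# the zmprov command(s) that reconcile the two.  On a live host run:
#   check_upstream "$(su - zimbra -c 'zmprov gs $(zmhostname)')"

# Pull one attribute's value out of "name: value" output (first match only).
attr() {
    printf '%s\n' "$2" | sed -n "s/^$1: //p" | head -n 1
}

# Returns 0 when proxy and mailboxd agree, 1 otherwise; prints the diagnosis
# and the suggested fix on stdout.
check_upstream() {
    cfg=$1
    mode=$(attr zimbraMailMode "$cfg")                            # what mailboxd listens on
    ssl_up=$(attr zimbraReverseProxySSLToUpstreamEnabled "$cfg")  # how nginx connects upstream
    http_port=$(attr zimbraMailPort "$cfg")
    https_port=$(attr zimbraMailSSLPort "$cfg")
    proxy_ssl_port=$(attr zimbraMailSSLProxyPort "$cfg")

    # Proxy and mailboxd on the same host cannot both bind the same port.
    if [ -n "$proxy_ssl_port" ] && [ "$proxy_ssl_port" = "$https_port" ]; then
        echo "MISMATCH: proxy (zimbraMailSSLProxyPort) and mailboxd (zimbraMailSSLPort) both want port $https_port"
        echo "fix: zmprov ms \$(zmhostname) zimbraMailSSLPort 8443 zimbraMailSSLProxyPort 443"
        return 1
    fi

    case "$mode:$ssl_up" in
    https:FALSE)
        # The thread's failure: mailboxd answers only on the SSL port, nginx
        # keeps dialling plain http on zimbraMailPort and hands back a 502.
        echo "MISMATCH: mailboxd listens on https only (port $https_port) but the proxy connects with plain http to port $http_port"
        echo "fix: zmprov ms \$(zmhostname) zimbraReverseProxySSLToUpstreamEnabled TRUE"
        return 1 ;;
    http:TRUE)
        echo "MISMATCH: mailboxd listens on http only (port $http_port) but the proxy connects with TLS to port $https_port"
        echo "fix: zmprov ms \$(zmhostname) zimbraMailMode https"
        return 1 ;;
    *)
        # http/https agree, or mailboxd listens on both (mode both/mixed).
        echo "OK: zimbraMailMode=$mode zimbraReverseProxySSLToUpstreamEnabled=$ssl_up"
        return 0 ;;
    esac
}

# Constructed sample (not a capture): a host right after
# `zmprov ms $(zmhostname) zimbraMailMode https` with everything else default.
BROKEN_CFG='zimbraMailMode: https
zimbraMailPort: 8080
zimbraMailSSLPort: 8443
zimbraMailSSLProxyPort: 443
zimbraReverseProxyMailMode: redirect
zimbraReverseProxySSLToUpstreamEnabled: FALSE'

# Constructed sample: the same host after applying the suggested fix.
FIXED_CFG='zimbraMailMode: https
zimbraMailPort: 8080
zimbraMailSSLPort: 8443
zimbraMailSSLProxyPort: 443
zimbraReverseProxyMailMode: redirect
zimbraReverseProxySSLToUpstreamEnabled: TRUE'

# Stand-alone run: diagnose the broken host, then confirm the fixed one.
check_upstream "$BROKEN_CFG" || :
check_upstream "$FIXED_CFG"
```

After applying a fix from this check, the proxy and mailboxd both have to pick up the new values, so finish with `zmproxyctl restart` and `zmmailboxdctl restart` as the zimbra user.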