I tried to hide my mail server's real IP address; one of them happens to be using the orange-clouded Cloudflare DNS.
The web client works. Sending and receiving mail works. However, when we tried to open the admin console (port 7071), it timed out. Accessing the admin console through the IP address works, though (Google Chrome says it's not secure, so we did not try to log in). It still times out when accessing through https://zimbra.example.com:7071/ZimbraAdmin.
Admin Console does not work under Orange-Clouded Cloudflare DNS
- JDunphy
- ZCS/ZD Version: 9.0.0_P39 NETWORK Edition
Re: Admin Console does not work under Orange-Clouded Cloudflare DNS
That is very interesting that you are proxying your Zimbra server behind CF. A few ideas based on this: https://support.cloudflare.com/hc/en-us ... work-with-
yohoho wrote:
I tried to hide my mail server's real IP address; one of them happens to be using the orange-clouded Cloudflare DNS.
The web client works. Sending and receiving mail works. However, when we tried to open the admin console (port 7071), it timed out. Accessing the admin console through the IP address works, though (Google Chrome says it's not secure, so we did not try to log in). It still times out when accessing through https://zimbra.example.com:7071/ZimbraAdmin.
1) Use another name that isn't proxied (gray-clouded and not orange-clouded) so that you can get to port 7071 via this other name, i.e. https://zimbraAdmin.example.com:7071/ZimbraAdmin, which is a CNAME to zimbra.example.com in your example.
2) Investigate changing port 7071 to something that CF can use as an origin server port.
3) Investigate updating Zimbra's nginx so that /ZimbraAdmin is served off port 443 (not recommended).
IMO, you want it on port 7071 so you can restrict access to your trusted IP space via the destination port + source address. If you haven't done so, you can also block access on your zimbra.example.com server to only the CF servers' IP range to further mitigate direct attacks on your Zimbra server; see https://www.cloudflare.com/ips/. You can still see attacks via that CF range, but now you have CF doing deep packet inspection that can do interesting things like put up a captcha for access or rate limit, etc.
You will need to make sure X-Forwarded-For is working so you don't end up with spoofing attacks or other Zimbra DoSFilter oddities: https://serverfault.com/questions/31457 ... eems-wrong ... Checking your Zimbra logs should be enough after observing a login cycle. The issue is that you have CF nginx that proxies to Zimbra nginx that proxies to Zimbra (IP chaining).
BTW, you are the first I have heard of using CF in front of Zimbra. I am intrigued that this works given the WAF rules. Congratulations!
Hint:
https://wiki.zimbra.com/wiki/Ports - zimbraAdminBindAddress
viewtopic.php?t=59398
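The X-Forwarded-For point in the reply above (CF nginx proxying to Zimbra nginx proxying to Zimbra) illustrated as added example code, not from this thread or from Zimbra/Cloudflare: the real client address is taken from the header only when the TCP peer is a trusted Cloudflare edge, walking the header right to left past trusted hops, and a separate source filter models the "trusted IP space" rule for port 7071. The Cloudflare ranges and the admin range are constructed sample values; the current list lives at the cloudflare.com/ips URL quoted in the post.

```python
import ipaddress
from typing import NamedTuple

# Constructed sample of Cloudflare edge ranges for this example only; in a real
# deployment load the current list from https://www.cloudflare.com/ips/.
CF_SAMPLE_RANGES = ["173.245.48.0/20", "103.21.244.0/22", "2400:cb00::/32"]
# Placeholder "trusted IP space" that may reach the admin console on 7071.
ADMIN_RANGES = ["192.0.2.0/24", "2001:db8::/48"]


def _in(addr, cidrs) -> bool:
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


class Resolution(NamedTuple):
    client: str       # address to use for logging, rate limiting, DoSFilter
    via_proxy: bool   # TCP peer was a trusted CF edge
    suspicious: bool  # XFF present on a direct hit, or a malformed hop


def real_client_ip(peer: str, xff: str, trusted=CF_SAMPLE_RANGES) -> Resolution:
    """Resolve the real client through the CF nginx -> Zimbra nginx chain.

    X-Forwarded-For is consulted only when the TCP peer is a trusted proxy and
    is then walked right to left past trusted hops, so an address a client
    prepends itself never becomes the "real" IP.
    """
    peer_addr = ipaddress.ip_address(peer)
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not _in(peer_addr, trusted):
        # Direct connection bypassing CF: the header is attacker-controlled.
        return Resolution(str(peer_addr), False, bool(hops))
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed hop: fall back to the peer rather than trust the rest.
            return Resolution(str(peer_addr), True, True)
        if not _in(addr, trusted):
            return Resolution(str(addr), True, False)
    # Empty header, or every hop was a trusted proxy.
    return Resolution(str(peer_addr), True, False)


def admin_port_allowed(src: str, admin=ADMIN_RANGES) -> bool:
    """Source filter for port 7071: only the trusted admin space may connect."""
    return _in(ipaddress.ip_address(src), admin)
```

A `suspicious` result with `via_proxy` False means the origin was reached directly, which is exactly what the firewall restriction to the CF range is meant to prevent.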
Re: Admin Console does not work under Orange-Clouded Cloudflare DNS
I do not understand the IT world. I read the wiki and follow it blindly. I believe I did not do anything different; not to mention, I use grey-clouded Cloudflare atm because I need to access the Admin Console.
Sorry for the late reply; atm I am trying to install ownCloud 10.1 w/ Zimbra Drive (stuck because of compatibility, viewtopic.php?f=15&t=65843).
I will follow up here with the result tomorrow or after 25/3. Thank you, JDunphy.
Re: Admin Console does not work under Orange-Clouded Cloudflare DNS
In this case, I'd recommend a WAF.
As it is stated on https://www.ptsecurity.com/ww-en/products/af/, PT AF helps to ensure compliance with PCI DSS and other international, national, industry, and corporate security standards.