Hi,
I have installed the Network edition 8.8.6 with a trial license. I am using split DNS and I used the wiki to install it. Everything works fine on the server machine. I set up zdesktop (7.3.1 64 bit) using the zimbra type and evolution using imap. They are using the server IP address (192.XXX.XXX.XXX). When I try to connect from a remote machine not on the same network using public IP 172.95.84.4, with zdesktop (using zimbra connection type) I get the following error: service.FAILURE: system failure: error while proxying request to target server: HTTP/1.1 503 Service Unavailable
With evolution (using imap) I get the error: Could not connect to 172.95.84.4 socket I/O timed out. I have searched the forum and it is not the DoSFilter problem that I found. The logs that the wiki says to look at are clean. I can send and receive e-mail to/from external e-mail addresses.
I am not sure what to look at; any help would be greatly appreciated.
Thanks,
Ron
Remote connections
Re: Remote connections
Hi,
I asked you about routing before, but you probably forgot to answer
Ok, No problem... I guess you have Zimbra behind firewall and NAT translation from public IP 172.95.84.4 to Zimbra LAN IP 192.168.x.x. You should have Port Forward rules on your Firewall/NAT device for ports 25 for SMTP inbound, 465 and 587 for SMTP+TLS clients, 993 for IMAP+TLS and 995 for POP3+TLS clients. Those are SSL/TLS ports (except for the SMTP 25 port for incoming mail).
If you want to allow not-recommended plain-text mail retrieval ports for remote clients, you should also port-forward 143 for IMAP and 110 for POP3; both are not secure and not recommended!
That's about your firewall/router.
Now Zimbra.
Zimbra from 8.6 version forward has mandatory nginx proxy service installed, which sits in between PUBLICLY VISIBLE client retrieval ports (465, 587, 993, 995 and 443) and INTERNAL Zimbra listening ports. The mapping of nginx proxy goes like this:
IMAPS public port 993 is proxied internally to Zimbra local port 7993.
IMAP public port 143 is proxied internally to Zimbra local port 7143.
POP3 public port 110 is proxied internally to Zimbra local port 7110.
POP3S public port 995 is proxied internally to Zimbra local port 7995.
HTTP public port 80 is proxied internally to Zimbra local port 8080.
HTTPS public port 443 is proxied internally to Zimbra local port 8443.
There are some prerequisites for everything to work properly:
1.) Zimbra hostname must be configured properly. PING and NSLOOKUP zimbra hostname must return the same INTERNAL Zimbra IP (because you are behind NAT router).
2.) SplitDNS for behind router config must take care that PING and NSLOOKUP from inside LAN will return Zimbra's INTERNAL IP 192.168.x.x, while PING and NSLOOKUP from public side will return Zimbra's public IP 172.95.84.4
3.) Zimbra's hosts file and resolvers must resolve zimbra's hostname to internal IP 192.168.x.x
Then I suggest you re-run zimbra ./install.sh again, and make sure you select (Y) to install zimbra nginx proxy and zimbra memcached. After installation check as zimbra user to make sure all services are up and running. The installer script will make sure all services are set up correctly:
Code:
su - zimbra
zimbra@yourserver:~$ zmcontrol status
Host yourzimbra.yourdomain.com
amavis Running
antispam Running
antivirus Running
ldap Running
logger Running
mailbox Running
memcached Running
mta Running
opendkim Running
proxy Running
service webapp Running
snmp Running
spell Running
stats Running
zimbra webapp Running
zimbraAdmin webapp Running
zimlet webapp Running
zmconfigd Running
Then check if all ports are listening properly on Zimbra's upstream and nginx proxy side.
Look for each port to see it is PAIRED according to above proxy map, public port --> local port:
Code:
netstat -anp | grep 993 | grep LIST
tcp 0 0 0.0.0.0:7993 0.0.0.0:* LISTEN 3229/java
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 3498/nginx.conf
netstat -anp | grep 995 | grep LIST
tcp 0 0 0.0.0.0:7995 0.0.0.0:* LISTEN 3229/java
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 3498/nginx.conf
Report back with your results.
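The listener check described in the reply above, as an added example that is not part of the original posts: it matches exact ports rather than substrings (a plain `grep 993` also matches 7993 and 8993) and reports every public/internal pair from the proxy map, flagging the plain-text ports if they are exposed. The status names, the owner check and the sample lines are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Port map and plain-text ports come from
# the reply above; status names and the sample data are made up for illustration.
PROXY_MAP="993:7993 143:7143 110:7110 995:7995 80:8080 443:8443"
PLAINTEXT_PORTS="143 110"   # called "not secure and not recommended" in the reply

# Reads `netstat -anp` text on stdin, prints one status line per map entry.
check_proxy_pairs() {
  awk -v map="$PROXY_MAP" -v plain="$PLAINTEXT_PORTS" '
    $6 == "LISTEN" {
      n = split($4, a, ":"); port = a[n]      # port = text after the last colon
      split($7, p, "/"); owner[port] = p[2]   # "25853/nginx:" -> "nginx:"
    }
    END {
      # Assumption from the outputs in this thread: nginx owns the public
      # port, the java mailbox process owns the internal one.
      m = split(map, pairs, " ")
      for (i = 1; i <= m; i++) {
        split(pairs[i], pp, ":"); pub = pp[1]; loc = pp[2]
        if (!(pub in owner) && !(loc in owner)) status = "NOT-LISTENING"
        else if (!(pub in owner))               status = "NO-PROXY-LISTENER"
        else if (!(loc in owner))               status = "NO-BACKEND-LISTENER"
        else if (owner[pub] !~ /^nginx/ || owner[loc] !~ /^java/) status = "UNEXPECTED-OWNER"
        else                                    status = "PAIRED"
        note = ""
        if ((pub in owner) && index(" " plain " ", " " pub " "))
          note = " PLAINTEXT-EXPOSED"
        printf "%s->%s %s%s\n", pub, loc, status, note
      }
    }'
}

# Constructed sample in the same format as the outputs posted in the thread.
sample_netstat() {
  cat <<'EOF'
tcp 0 0 0.0.0.0:7993 0.0.0.0:* LISTEN 3229/java
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 3498/nginx: master
tcp6 0 0 :::8993 :::* LISTEN 4100/java
tcp 0 0 0.0.0.0:7995 0.0.0.0:* LISTEN 3229/java
tcp 0 0 0.0.0.0:7143 0.0.0.0:* LISTEN 3229/java
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 3498/nginx: master
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 3229/java
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 3498/nginx: master
EOF
}

sample_netstat | check_proxy_pairs
```

On a live server, pipe `netstat -anp` into `check_proxy_pairs`, running it as root so the PID/Program column is filled in for every socket.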
Re: Remote connections
Hi,
Thanks for the help.
I am using NAT translation and the ports are open. I have an Apache James server and Icewarp server working.
Zimbra Services
Code:
[zimbra@mail ~]$ zmcontrol status
Host mail.spears-research.com
amavis Running
antispam Running
antivirus Running
convertd Running
imapd Running
ldap Running
logger Running
mailbox Running
memcached Running
mta Running
opendkim Running
proxy Running
service webapp Running
snmp Running
spell Running
stats Running
zimbra webapp Running
zimbraAdmin webapp Running
zimlet webapp Running
zmconfigd Running
hostname:
Code:
[root@mail rtidwell]# host $(hostname)
mail has address 192.168.0.8
The check on ports:
Code:
[root@mail rtidwell]# netstat -anp | grep 993 | grep LIST
tcp 0 0 0.0.0.0:7993 0.0.0.0:* LISTEN 25524/java
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 25853/nginx: master
tcp6 0 0 :::8993 :::* LISTEN 27589/java
Code:
[root@mail rtidwell]# netstat -anp | grep 993 | grep LIST
[root@mail rtidwell]# netstat -anp | grep 995 | grep LIST
tcp 0 0 0.0.0.0:7995 0.0.0.0:* LISTEN 25524/java
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 25853/nginx: master
Do I need a nginx.conf file?
ping on machine outside of network.
Code:
PING mail.spears-research.com (172.95.84.4) 56(84) bytes of data.
64 bytes from spears-research.com (172.95.84.4): icmp_seq=1 ttl=55 time=15.5 ms
64 bytes from spears-research.com (172.95.84.4): icmp_seq=2 ttl=55 time=14.0 ms
64 bytes from spears-research.com (172.95.84.4): icmp_seq=3 ttl=55 time=14.4 ms
^C
--- mail.spears-research.com ping statistics ---
ping on server machine.
Code:
PING mail.spears-research.com (192.168.0.8) 56(84) bytes of data.
64 bytes from mail.spears-research.com (192.168.0.8): icmp_seq=1 ttl=64 time=0.056 ms
64 bytes from mail.spears-research.com (192.168.0.8): icmp_seq=2 ttl=64 time=0.064 ms
64 bytes from mail.spears-research.com (192.168.0.8): icmp_seq=3 ttl=64 time=0.051 ms
^C
--- mail.spears-research.com ping statistics ---
Thanks for the help,
Ron