Views on Public vs. NAT'd IP and Bind

L. Mark Stone
Ambassador
Posts: 2802
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Views on Public vs. NAT'd IP and Bind

Post by L. Mark Stone »

We are about to set up a new Network Edition Zimbra server, and I'd like to get everyone's views on the pluses and minuses of different configurations, please.
Specifically, we are looking for opinions on the use of Public vs. NAT'd IP addresses for the Zimbra server as well as whether to run BIND on the Zimbra server.
Our sense from the docs is that the traditional Zimbra install (let's keep this as a single server install for the moment) has the Zimbra server configured with a public IP address and a running installation of BIND configured with zone files for the domains installed on the Zimbra server.
Our existing Zimbra install has our server configured with a private IP address (NAT'd from the public IP by our firewall), and no BIND installed (instead relying on the local DNS servers provided by our colo host).
We have built many Postfix/Cyrus servers, so we understand the need for a fast, local DNS server (especially for Postfix's anti-UCE capabilities). But we have seen DNS servers get hammered frequently so would like to avoid running BIND if possible.
What are your preferred way(s) of setting up Zimbra?
TIA,

Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
scalper
Advanced member
Posts: 114
Joined: Fri Sep 12, 2014 10:13 pm

Post by scalper »

My Zimbra NE setup is quite similar to your proposed setup. Two servers on a private network, 10.0.0.x. The SMTP & mailbox server is NAT'd against our public IPs to handle in/out mail. Meanwhile, my LDAP/backup server doesn't have a public IP.
As for DNS, I have set up 2 DNS servers (already available at installation time on two separate boxes): an internal DNS for local usage and an external DNS for outside usage. By having the internal DNS, somehow our local mail traffic is well diverted locally without going to the outside and back to the inside.
Basically, that's it. It's been running fine... at least for now :D
L. Mark Stone
Ambassador
Posts: 2802
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Post by L. Mark Stone »

[quote user="scalper"]By having the internal DNS, somehow our local mail traffic is well diverted locally without going to the outside and back to the inside.[/quote]
From the logs we see that the internal lmtp transport of mail takes place over the public IP of the server. We didn't want just anyone to be able to inject email into Cyrus, so we needed to configure firewall rules to allow lmtp only from the Zimbra server to the Zimbra server. We also didn't find any way to change this, other than manually editing the Zimbra config files, which we don't want to do!
Having an internal DNS server with the private, rather than public IP of the Zimbra host is possibly how you are keeping internal transports internal.
Would you mind confirming that your internal DNS server uses private IPs for the Zimbra MTA (Postfix) and mail store (Cyrus) servers?
Thanks,

Mark
bjared
Advanced member
Posts: 51
Joined: Fri Sep 12, 2014 10:12 pm

Post by bjared »

If you're looking for a speedy and stable DNS server (authoritative or recursive), I'd recommend Dan Bernstein's dnscache and tinydns programs. I haven't used BIND since 2000, and will never go back.
http://cr.yp.to/djbdns.html
(This is the same guy that gives us qmail.) You can separate locations, "public and private", based on a defined access list, etc. It's industrial-strength. I worked for one of the top web sites in the world, and they use djbdns exclusively (do Windows domain controllers count?).
As for networking with Zimbra, we use Zimbra behind a firewall on a non-routable IPv4 subnet, and use Apache as an SSL proxy for external access, where we can restrict access to only the appropriate Zimbra URLs.
--Brian
scalper
Advanced member
Posts: 114
Joined: Fri Sep 12, 2014 10:13 pm

Post by scalper »

[quote user="LMStone"]Having an internal DNS server with the private, rather than public IP of the Zimbra host is possibly how you are keeping internal transports internal.
Would you mind confirming that your internal DNS server uses private IPs for the Zimbra MTA (Postfix) and mail store (Cyrus) servers?[/quote]
Yes. Internal DNS maps private IPs for both servers. Here's a snippet from my nslookup for my MTA server. (I have to alter the domain/public IP for privacy, if you don't mind.) ;)

> server 10.0.0.2
> pluto.domain.net
Server: 10.0.0.2
Address: 10.0.0.2#53
Name: pluto.domain.net
Address: 10.0.0.188
> server 203.x.x.x
> pluto.domain.net
Server: 203.x.x.x
Address: 203.x.x.x#53
Name: pluto.domain.net
Address: 219.x.x.x

For the outside, DNS is a bit confusing. My place has 2 uplinks to the outside (203.x.x.x & 219.x.x.x). DNS resides on the 128kbps line with IP 203.x.x.x. Currently the MTA server is being NAT'd to the 2Mbps SDSL line with IP 219.x.x.x, which is faster and more suitable for Zimbra. :)
For MX records, I added 2 separate records for internal and external. There is no point if the MX record is only recorded at the external DNS, as it will also redirect emails outside and back to the inside.

> domain.net
Server: 10.0.0.2
Address: 10.0.0.2#53
domain.net mail exchanger = 10 support.domain.net.
domain.net mail exchanger = 0 pluto.domain.net.
> domain.net
Server: 203.x.x.x
Address: 203.x.x.x#53
domain.net mail exchanger = 10 support.domain.net.
domain.net mail exchanger = 0 pluto.domain.net.
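To make the split-horizon property scalper describes checkable (same MX set in both views, MX hosts resolving to private addresses internally and public ones externally), here is an added example that is not from the thread or from Zimbra. It parses nslookup-style output such as the snippets above and flags the failure mode Mark described, where the host resolves to its public IP even when asked internally so server-to-server traffic leaves via NAT. The hostnames, the resolver addresses and the sample output are constructed, modelled on scalper's redacted output, with the documentation ranges 198.51.100.0/24 and 203.0.113.0/24 standing in for the real public IPs; the function names are my own.

```python
"""Split-horizon DNS consistency check for a NAT'd mail host.

Added example (not from the thread). Parses nslookup-style output captured
from an internal and an external resolver and checks that both views publish
the same MX set, that the internal view maps the MX hosts to RFC 1918
addresses (so LMTP and other internal hops stay inside), and that the
external view maps them to public addresses only.
"""
import ipaddress
import re

# Constructed sample output, modelled on the redacted nslookup in the thread.
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges standing in for
# the real public addresses.
INTERNAL_VIEW = """\
> server 10.0.0.2
> pluto.domain.net
Server: 10.0.0.2
Address: 10.0.0.2#53
Name: pluto.domain.net
Address: 10.0.0.188
> support.domain.net
Name: support.domain.net
Address: 10.0.0.189
> domain.net
domain.net mail exchanger = 10 support.domain.net.
domain.net mail exchanger = 0 pluto.domain.net.
"""

EXTERNAL_VIEW = """\
> server 203.0.113.53
Server: 203.0.113.53
Address: 203.0.113.53#53
Name: pluto.domain.net
Address: 198.51.100.25
Name: support.domain.net
Address: 198.51.100.26
domain.net mail exchanger = 10 support.domain.net.
domain.net mail exchanger = 0 pluto.domain.net.
"""

# Constructed failure case: the MTA resolves to its public address even when
# asked internally, so server-to-server traffic would go out via NAT.
INTERNAL_VIEW_LEAKY = INTERNAL_VIEW.replace("Address: 10.0.0.188", "Address: 198.51.100.25")

# Check RFC 1918 explicitly rather than via ip.is_private, which also treats
# the documentation ranges used in the sample data as non-public.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MX_RE = re.compile(r"^(\S+)\s+mail exchanger = (\d+)\s+(\S+)$")


def is_rfc1918(ip):
    """True for addresses in the private ranges a NAT'd host would use."""
    return any(ip in net for net in RFC1918)


def parse_view(text):
    """Return ({host: IPv4Address}, {(preference, host)}) from nslookup output.

    The 'Address:' line directly after 'Server:' is the resolver itself and is
    skipped; only an 'Address:' that follows a 'Name:' is an answer record.
    """
    hosts, mx, pending = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Name:"):
            pending = line.split(":", 1)[1].strip().rstrip(".")
        elif line.startswith("Address:") and pending:
            hosts[pending] = ipaddress.ip_address(line.split(":", 1)[1].strip())
            pending = None
        else:
            m = MX_RE.match(line)
            if m:
                mx.add((int(m.group(2)), m.group(3).rstrip(".")))
    return hosts, mx


def check_split_horizon(internal_text, external_text):
    """Return a list of problems; an empty list means the two views are consistent."""
    int_hosts, int_mx = parse_view(internal_text)
    ext_hosts, ext_mx = parse_view(external_text)
    problems = []
    if int_mx != ext_mx:
        problems.append(f"MX sets differ: internal={sorted(int_mx)} external={sorted(ext_mx)}")
    for _, host in sorted(int_mx | ext_mx):
        ip_in, ip_ex = int_hosts.get(host), ext_hosts.get(host)
        if ip_in is None:
            problems.append(f"{host}: no address in internal view")
        elif not is_rfc1918(ip_in):
            problems.append(f"{host}: internal view returns public {ip_in}; "
                            "internal hops (LMTP etc.) would leave via NAT")
        if ip_ex is None:
            problems.append(f"{host}: no address in external view")
        elif is_rfc1918(ip_ex):
            problems.append(f"{host}: external view leaks private {ip_ex}")
    return problems


if __name__ == "__main__":
    for label, view in (("consistent", INTERNAL_VIEW), ("leaky", INTERNAL_VIEW_LEAKY)):
        print(label, check_split_horizon(view, EXTERNAL_VIEW) or "OK")
```

Run against real output by pasting the results of `nslookup` against each resolver into the two strings; the MX-set comparison catches the case scalper warns about, where the MX is published only in the external view and local mail loops out and back through the NAT.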
dijichi2
Elite member
Posts: 1133
Joined: Fri Sep 12, 2014 10:00 pm

Post by dijichi2 »

[quote]If you're looking for a speedy and stable DNS server (authoritative or recursive), I'd recommend Dan Bernstein's dnscache and tinydns programs. I haven't used BIND since 2000, and will never go back.[/quote]
Agreed, BIND is a truly horrible, bloated, bug-ridden, unnecessarily complex piece of cr4p. However, if you don't want to step into the mad psychedelic world of the raving loony djb, try http://www.powerdns.com :)