[SOLVED] Howto: Bind to one specific IP / Listen to one IP

MrDigi · Post by **MrDigi** » Sun Feb 04, 2007 8:10 am

Hi guys,
I've read a lot of questions how to bind zimbra to only one specific IP address, even if you have more than one IP on your linux host.
In this post I want to give you a small howto and tell you a little bit about my experiences with binding zimbra to only one IP.
I've tested these options with Zimbra 4.5 Open-Source Edition.

Attention: As Zimbra 5 uses jetty instead of tomcat this howto is not completely compatible with Zimbra 5!
First of all, what services do we have and how do they bind by default:
- postfix (smtp): binds to any IP and to localhost

- amavisd-new: binds to localhost

- mysql: binds to localhost

- ldap: binds one IP (that hostname) given at setup

- clamd: binds to any IP

- Tomcat (http, https, ..): binds to any IP

- Zimbra java (imap(s), pop3(s)): binds to any IP

- Apache (ispell, Port 7780): binds to any IP
So the services amavisd-new, mysql and ldap behave already very cooperative.
postfix:

Postfix binds to any IP by default. You can change its behaviour by modifying postfix-2.2.9/conf/master.cf to (replace vvv.xxx.yyy.zzz with yourIP):

#=========================================================================

# service type private unpriv chroot wakeup maxproc command + args

# (yes) (yes) (yes) (never) (100)

# ==========================================================================

vvv.xxx.yyy.zzz:smtp inet n - n - - smtpd(Hint for those who could ask: It is not a good idea to use smtp_bind_address, because with this option postfix binds even for outgoing connections to the IP set and can't connect then to amavisd-new which is listening on the localhost interface)
Tomcat:

Tomcat binds to any IP by default. You can change its behaviour by adding address="..." to your apache-tomcat-5.5.15/conf/server.xml.in (replace vvv.xxx.yyy.zzz with your IP):

...

address="vvv.xxx.yyy.zzz"

acceptCount="1024" URIEncoding="UTF-8"

...

address="vvv.xxx.yyy.zzz"

acceptCount="1024" URIEncoding="UTF-8"

...

Zimbra java

The Zimbra services listen to any IP address by default.
The Zimbra java application reads its configuration values for imap, pop3, imaps, pop3s from the ldap directory. Although there is no possibility to change its listening ip address by the webinterface (ok, there is one, but only for pop3) it is possible by directly adding the config params into ldap.

So you first have to connect to the ldap server (i.e. with the ldap browser at http://www.iit.edu/~gawojar/ldap). Read Ldap hints* for more information how to connect.
Now you can add the following attributes (as String) under the directory cn=servers,cn= and give them your IP vvv.xxx.yyy.zzz as value:

zimbraPop3BindAddress

zimbraPop3SSLBindAddress

zimbraImapBindAddress

zimbraImapSSLBindAddress

zimbraLmtpSSLBindAddressApache:

Apache binds to any IP by default. Edit conf/apache.conf and modify the following lines (replace vvv.xxx.yyy.zzz with your IP):

...

# Change this to Listen on specific IP addresses as shown below to

# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)

#

#Listen 12.34.56.78:80
Listen vvv.xxx.yyy.zzz:7780
#

# Dynamic Shared Object (DSO) Support

#

...

clamd:

Attention: not tested yet, it is better to leave these settings untouched!

clamd binds to any IP address by default. Edit conf/clamd.conf.in and remove the # from the following line:

# TCP address.

# By default we bind to INADDR_ANY, probably not wise.

# Enable the following to provide some degree of protection

# from the outside world.

# Default: disabled

TCPAddr 127.0.0.1

Problems:

02-04-2007: Don't know if its really because of the settings above, but the simple Client refuses to work: (A network service error has occurred (zclient/io).

02-05-2007: All of this will be overwritten on upgrade, so save your changes, and when you do upgrade, re-apply them (but DO NOT simply replace the new configs with the old, since that will probably break your install).

Thats it:
Ok, thats it. It is a good idea to stop all services except of ldap before doing these modification. After a restart of zimbra all services either bind to localhost or to your specified IP. As you see, most of the config params can only be set AFTER installation!
I hope it helps somebody. Please post your questions/comments/...

I'll try to keep this thread up-to-date and extend it with the comments/tips others have written in this thread.
Greets

MrDigi
-----
*Ldap hints:

Host: your zimbra server

Port: 389

Version: 3

Base dn: zimbra

don't bind anonymous, but:

User DN: uid=zimbra, cn=admins, cn=zimbra

Password: your ldap password (you get it by executing: su - zimbra -c "/opt/zimbra/bin/zmlocalconfig -s |grep ldap_root_password"

dijichi2 · Post by **dijichi2** » Sun Feb 04, 2007 5:41 pm

Great job, MrDigi! This is invaluable for many situations. It would be great to get this added to the wiki and refined over time.
Thanks for your work.

jholder · Post by **jholder** » Sun Feb 04, 2007 5:44 pm

Good job!

marcmac · Post by **marcmac** » Mon Feb 05, 2007 10:16 am

All of this will be overwritten on upgrade, so save your changes, and when you do upgrade, re-apply them (but DO NOT simply replace the new configs with the old, since that will probably break your install).

ringnebula · Post by **ringnebula** » Tue Feb 06, 2007 1:26 am

[quote user="marcmac"]All of this will be overwritten on upgrade, so save your changes, and when you do upgrade, re-apply them (but DO NOT simply replace the new configs with the old, since that will probably break your install).[/QUOTE]
All the more reason that this should be an install/config option. I understand that Zimbra is intended to be a standalone installation, but that isn't always possible.
Oh and yes, I have voted for this in bugzilla

kibo · Post by **kibo** » Sun Feb 18, 2007 4:05 pm

Hello
One stupid question but somehow related! How can I force LDAP to listen on ALL the IPs instead of the one IP?
Regards

Kia

SpaceBass · Post by **SpaceBass** » Fri Mar 02, 2007 7:33 am

Great info!

I'm trying to setup the OS edition to co-exist with a few other services...the only conflict I see so far is port 80. Can I change just Tomcat and be fine?

For that matter, could I change the systems built in apache to listen on another IP and let Zimbra do its own thing?
Anyone running OS edition and Asterisk/FreePBX on the same box?

Costa-101 · Post by **Costa-101** » Sun Apr 01, 2007 10:38 am

Hi all,
Would it no be an easy thing to add a quick check upon installation (similar to that of the dns check) which allows an admin to choose which interface to bind the zimbra suite to?
thanks
Costa:D

phoenix · Post by **phoenix** » Sun Apr 01, 2007 11:06 am

[quote user="Costa-101"]Hi all,
Would it no be an easy thing to add a quick check upon installation (similar to that of the dns check) which allows an admin to choose which interface to bind the zimbra suite to?[/QUOTE]Search bugzilla and vote on any entry that relates to this.

Costa-101 · Post by **Costa-101** » Sun Apr 01, 2007 11:24 am

http://bugzilla.zimbra.com/show_bug.cgi?id=15751
If you feel this bug file is warranted please vote to show your support.
thanks
Costa:D