How do you use Zimbra with Cloudflare DNS?

[yohoho]

Hi,

What I've Done So Far:

Follow these instructions (https://blog.zimbra.com/2018/01/install ... 16-04-lts/) with minor differences

sudo nano /etc/network/interfaces

Code: Select all

auto ens18
iface ens18 inet static
        address 101.255.x.x
        netmask 255.255.x.x
        network 101.255.x.x
        broadcast 101.255.x.x
        gateway 101.255.x.x
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 173.245.x.x (ping dns from cloudflare)
        dns-nameservers 173.245.x.x (ping dns from cloudflare)

sudo nano /etc/hosts

Code: Select all

127.0.0.1       localhost
101.255.x.x   mail.x.com       mail

sudo nano /etc/hostname

Code: Select all

mail

sudo nano /etc/dnsmasq.conf

Code: Select all

server=8.8.8.8
listen-address=127.0.0.1
domain=x.com
mx-host=x.com,mail.x.com,0
address=/mail.x.com/101.255.x.x

DNS records

Type, name, value, ttl

Code: Select all

A, @ (written as x.com), 101.255.x.x (written as points to 101.255.x.x), automatic
MX, @ (writen as x.com), server mail.x.com priority 1 (written as mail handled by mail.mysarana.com)

I use ns1 dan ns2 using Cloudflare DNS.

I also use Cloudflare to redirect HTTP to HTTPS

Result

ping 101.255.x.x from different country (ok)
ping x.com (standard issueance, real ip hidden by Cloudflare)
web client 101.255.x.x / 101.255.x.x:7071 (do not respond)
web client x.com / mail.x.com / mail.x.com:7071 (do not respond, if it will be working I wish to remove the port)

Please help me.

[phoenix]

The glaring error in your output is that the hosts file is incorrect, take a look at the Split DNS wiki article for the correct format. When that's done, check your configuration again and yes, the blog to which you've posted a link does have it's hosts file incorrectly set,

[yohoho]

Turns out it worked.

I set my cloudflare dns to use HTTPS

Code: Select all

Always Use HTTPS (on)
Automatic HTTPS Rewrites (on)

5 minute after I turned off those two options, I am able to access through mail.x.com. However, I am unable to use HTTPS://mail.x.com to access zimbra. This create frustation because as I understand HTTP is not secure for communication.

I tried

Code: Select all

zmtlsctl https
zmcontrol restart

To no avail.

[phoenix]

Turns out it worked.

You should still fix your hosts file.

I am unable to use HTTPS://mail.x.com to access zimbra.

You're going to have to give a bit more detail than "I am unable to use HTTPS", what errors are you seeing? WHich ZCS Version? You should always post the output of the following command:

Code: Select all

zmcontrol -v

Which browser, is this access from outside your network, any errors in the logs, what have you tried to debug this?

[yohoho]

Turns out it worked.

You should still fix your hosts file.

I am unable to use HTTPS://mail.x.com to access zimbra.

You're going to have to give a bit more detail than "I am unable to use HTTPS", what errors are you seeing? WHich ZCS Version? You should always post the output of the following command:

Code: Select all

zmcontrol -v

Which browser, is this access from outside your network, any errors in the logs, what have you tried to debug this?

I use Google Chrome, always up-to-date, it simply did not connect (Cloudflare said Web server is down)
I access this from outside my network.

zmcontrol -v

Release 8.8.11.GA.3737.UBUNTU16.64 UBUNTU16_64 FOSS edition, Patch 8.8.11_P3.

I changed 127.0.0.1 localhost.localdomain localhost, I do not understand why this will make a difference.

Code: Select all

root@mail:/home/zimbra8# cat /etc/hosts
127.0.0.1       localhost.localdomain   localhost
101.255.x.x (ifconfig shows this so I use it)   mail.x.com       mail

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
root@mail:/home/zimbra8# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
search x.com
root@mail:/home/zimbra8#

I also removed Cloudflare DNS record "A, x.com, 101.4.x.x"

But it says, this record is exposing your origin server's IP address, potentially exposing it to denial of service. Is it dangerous?

Current Cloudflare DNS record

Code: Select all

A, mail, 101.4.x.x
MX, mail, mail.x.com

I am unable to connect through HTTPS But, I do able to connect through HTTP. Edit: After reinstallation now I cannot access through HTTP or HTTPS either. Edit: I change the priority in dnsmasq to 0 and on the Cloudflare DNS record to 1 for MX. Now I can connect through HTTP but I can't connect through HTTPS

[phoenix]

Are all the services running on this server and do you have the proxy & memcached installed? Have you tried setting the ZCS server to HTTPS mode using zmtlsctl (see the wiki article on the subject)?

[yohoho]

Are all the services running on this server and do you have the proxy & memcached installed? Have you tried setting the ZCS server to HTTPS mode using zmtlsctl (see the wiki article on the subject)?

It worked now. Yes proxy & memcached installed. I do use zmtlsctl.

Summary,

Cloudflare DNS record

A
mail points to 101.255.x.x Automatic

MX
mail mail handled by 101.255.x.x Automatic

Everything else follow the blog (link provided above).