patrickwilson82 wrote: Good morning Mark,
While I'm waiting on Zimbra support to get back to me about the certs question, I was wondering if you could please answer two more questions for me that I had asked kranium since you've been following this thread:
"So basically if I point the end user's Outlook client to the public service hostname, will the proxy then know which of the two servers to check, to find that user's email?"
Also, will this method of syncing the LDAP data between the two servers transfer over any possible backdoors or vulnerabilities that my existing server may have due to compromise, with it being on such an old patch?
Thanks again for your help.
Zimbra's proxy's job is to (among other things) abstract for the users the location of their mailbox. When a user browses to the PSHN:
1. Zimbra Proxy asks one of the mailbox servers in the proxy pool to paint the login screen.
2. After the user enters their username and password, the mailbox server that painted the login screen verifies the credentials via Zimbra's LDAP, and notes the mailbox server on which the user's mailbox lives. If the entered credentials are correct, the mailbox server tells Proxy on which mailbox server the user's mailbox lives.
3. Proxy says "Thanks Dude!" to the mailbox server, and then asks memcached to store the route information, i.e. the correct mailbox server, for this user's session (Proxy has short-term memory issues, so it is faster for Proxy to ask memcached which mailbox server to talk to than to keep asking LDAP where the user's mailbox lives).
4. Proxy then talks to the mailbox server where the user's mailbox lives and says "Dude! I have an authenticated session for <user@domain.tld>! Paint his mailbox for me please!" and Proxy then proxies the user's mailbox contents and static UI elements back to the user's browser, using the PSHN to present all relevant links to the end user.
The above flows are the same for Outlook, except for the UI components of course.
As regards vulnerabilities in your LDAP data, unless you have configured zimbraMtaMyNetworks to include something like 0.0.0.0/0, or users' passwords to be something like "Password1234", there's not much in the LDAP data that presents a security risk. The security fixes in pretty much all of the recent patches to date have been in upgrading Zimbra components, and some configuration file adjustments.
In my experience, what you miss when using older LDAP data are the changes to the default settings had you done a fresh install. But, if you do things like execute the updates in the Cipher Suites wiki, and parse the Patch Release Notes for documentation on new configuration attributes (like IMAP pagination for heavy duty IMAP users, where the defaults for some reason haven't yet changed in the installer), you will be OK. Even brand-new installations include long-deprecated LDAP and Localconfig attributes, which if present, are typically just ignored (like LC ldap_bind_url). Unless you did some very creative things on the old Zimbra server, I wouldn't normally consider this a risk.
Hope that helps,
Mark
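The four-step login and routing flow Mark describes above, as an added Python sketch that is not Zimbra's code: the directory stands in for LDAP, the cache stands in for memcached, and all users, passwords and mailbox hostnames are constructed sample values. It shows that LDAP is consulted only at login, that a failed login never creates a route, and that later requests are routed purely from the cached session.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for Zimbra LDAP: user -> (password hash, mailbox host).
_SALT = b"sample-salt"  # assumption: a fixed salt is enough for this sketch

def _pw_hash(password):
    return hashlib.sha256(_SALT + password.encode()).hexdigest()

LDAP = {
    "alice@example.com": (_pw_hash("correct horse"), "mbox1.internal.example.com"),
    "bob@example.com":   (_pw_hash("battery staple"), "mbox2.internal.example.com"),
}

class MailboxServer:
    """Any mailbox server in the proxy pool (steps 1-2): verifies the credentials
    against LDAP and reports which host owns the user's mailbox."""
    def __init__(self):
        self.ldap_queries = 0  # counts how often LDAP is consulted
    def authenticate(self, user, password):
        self.ldap_queries += 1
        entry = LDAP.get(user)
        if entry is None or not hmac.compare_digest(entry[0], _pw_hash(password)):
            return None  # bad user or password: no route is reported
        return entry[1]

class RouteCache:
    """Stand-in for memcached (step 3): session token -> (mailbox host, expiry)."""
    def __init__(self, ttl=3600):
        self.ttl, self._routes = ttl, {}
    def set(self, token, host):
        self._routes[token] = (host, time.monotonic() + self.ttl)
    def get(self, token):
        entry = self._routes.get(token)
        if entry is None or entry[1] < time.monotonic():
            self._routes.pop(token, None)
            return None
        return entry[0]

class Proxy:
    def __init__(self, pool, cache):
        self.pool, self.cache = pool, cache
    def login(self, user, password):
        """Returns a session token, or None; only a verified login stores a route."""
        host = self.pool[0].authenticate(user, password)  # any pool member will do
        if host is None:
            return None
        token = secrets.token_hex(16)
        self.cache.set(token, host)
        return token
    def route(self, token):
        """Step 4: resolve the session to its mailbox host from the cache alone."""
        return self.cache.get(token)
```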