
I am running a Zimbra ZCS 7.1.2 server. The server is set up to host multiple domains, 3 at the moment. But I have a problem and I think I am over thinking the solution.

The problem is I want every domain to have its own SSL cert. As per Zimbra documentation I have to configure the Zimbra proxy to handle connections to each of the domains. Each domain has a virtual domain name and a virtual IP address.

The command mentioned is zmprov md [domain name] +ZimbraVirtualHostName {hostname} +ZimbraVirtualIPAddress {1.2.3.4}

As far as I am aware I need a separate IP address for each domain. So I have 10.0.0.17 thru 10.0.0.20 assigned to virtual interfaces on my Zimbra server.

SMTP/S is handled by 10.0.0.17 and is NAT'd to a public IP. But for the items that are proxied like webmail, IMAP and POP3, do I need separate public IPs for each internal IP or is there a way to consolidate things to one public IP? I only have 3 available out of a pool of 5.

I can elaborate more if needed.

ianc1215

2 Answers

2

Each service uses a separate port, SMTP typically is on port 25, webmail (HTTP) is 80 or 443 for SSL, IMAP 443, etc.

So it's perfectly acceptable to use just the 3 IP addresses, essentially assigning 1 IP address per domain. Domain A (all services) on 10.0.0.17, Domain B (all services) on 10.0.0.18, etc.

The only time you would need to worry is if you need to have the same service, with different parameters (be it SSL cert, or some other configuration) on the same IP. You cannot have two SMTP servers listening on the same port/IP combination.

Coding Gorilla
  • Ok, if I have 3 LAN IPs is there a way to consolidate them to one public IP without a lot of voodoo? I know that's what NAT is for, but is that the best way? – ianc1215 Sep 22 '11 at 19:44
  • Nope, with HTTP you _could_ do this with the use of host headers (assuming you have a FW that will support this), but with the rest of the protocols there's no real way for the firewall to figure out which IP it should route the connection to unless it's based on separate external IP addresses. – Coding Gorilla Sep 22 '11 at 19:47
  • You can configure a single service/port rule that allows a particular port/service to all 3 internal IP addresses (allow IMAP to 2.2.2.1, 2.2.2.2, and 2.2.2.3) but you'll need a separate NAT rule for each internal IP (NAT 1.1.1.1 to 2.2.2.1, NAT 1.1.1.2 to 2.2.2.2, etc). – joeqwerty Sep 22 '11 at 19:50
  • I just realized that I'm repeating everything Coding Gorilla is stating. Sorry. – joeqwerty Sep 22 '11 at 19:51
  • You could, in theory, do a lot of "voodoo" with ports and stuff, but I wouldn't advise it. If you got it all working and ever left the place, the incoming net admin will want to hunt you down and do bad things to you. =P – Coding Gorilla Sep 22 '11 at 19:53
  • @CodingGorilla, I am the net admin. Or do you mean my ISP? – ianc1215 Sep 22 '11 at 20:02
  • @Solignis No I meant if you quit and were replaced by someone else. – Coding Gorilla Sep 22 '11 at 20:07
  • @CodingGorilla Ah, I see. – ianc1215 Sep 23 '11 at 04:08
0

You'll need to do this based on firewall service rules (port rules) and firewall NAT rules. As Coding Gorilla stated in his answer, each of the services you've listed runs on a different port, but you'll need to NAT each domain's services independently (from every other domain) from a specific public IP address to a specific private IP address.

What I mean is this:

Domain 1: 1.1.1.1--->2.2.2.1--->IMAP
Domain 1: 1.1.1.1--->2.2.2.1--->POP
Domain 1: 1.1.1.1--->2.2.2.1--->SMTP
Domain 1: 1.1.1.1--->2.2.2.1--->HTTP

Domain 2: 1.1.1.2--->2.2.2.2--->IMAP
Domain 2: 1.1.1.2--->2.2.2.2--->POP
Domain 2: 1.1.1.2--->2.2.2.2--->SMTP
Domain 2: 1.1.1.2--->2.2.2.2--->HTTP

Domain 3: 1.1.1.3--->2.2.2.3--->IMAP
Domain 3: 1.1.1.3--->2.2.2.3--->POP
Domain 3: 1.1.1.3--->2.2.2.3--->SMTP
Domain 3: 1.1.1.3--->2.2.2.3--->HTTP

joeqwerty
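The constraint both answers describe (one public IP per domain, because the firewall cannot tell two backends apart when the same public IP/port pair is NAT'd to different private hosts) can be checked mechanically before touching the firewall. The following is an added example, not code from the thread or from Zimbra: it plans the per-domain DNAT rules from joeqwerty's diagram, renders them as iptables commands, and reports the collisions that appear as soon as several domains are put behind a single public IP. The 1.1.1.x/2.2.2.x addresses and the domain names are constructed sample values; the port numbers are the IANA defaults for each service, not the ones quoted in the answer. Plain HTTP is treated as the one service that a host-header-aware front end could share, as Coding Gorilla's comment allows; every other service is flagged.

```python
"""Plan per-domain NAT rules for a multi-domain mail host and detect
public IP/port collisions. Example code; sample addresses are constructed."""
from collections import defaultdict

# Service name -> TCP port. IANA defaults, not taken from the thread.
SERVICES = {
    "SMTP": 25, "HTTP": 80, "HTTPS": 443,
    "IMAP": 143, "IMAPS": 993, "POP3": 110, "POP3S": 995,
}

# Services a layer-7 front end could demultiplex on one public IP via the
# Host header (the thread only grants this for plain HTTP).
HEADER_ROUTABLE = frozenset({"HTTP"})


def plan_nat(domains, services=SERVICES):
    """Return one (domain, service, public_ip, port, private_ip) rule per
    domain/service pair. `domains` maps a name to (public_ip, private_ip)."""
    return [
        (name, svc, pub, port, priv)
        for name, (pub, priv) in domains.items()
        for svc, port in services.items()
    ]


def find_conflicts(rules, header_routable=HEADER_ROUTABLE):
    """Group rules by (public_ip, port). A group whose private targets differ
    is a collision: the firewall has nothing in the packet to route on.
    Returns {(public_ip, port): {private_ip, ...}} for every collision."""
    targets = defaultdict(set)
    for _name, svc, pub, port, priv in rules:
        if svc in header_routable:
            continue  # assumed shareable behind a Host-header-aware proxy
        targets[(pub, port)].add(priv)
    return {key: privs for key, privs in targets.items() if len(privs) > 1}


def render_iptables(rules):
    """Emit one iptables DNAT line per rule (real iptables syntax; adapt the
    chain and interface to the site's firewall)."""
    return [
        f"iptables -t nat -A PREROUTING -d {pub} -p tcp --dport {port} "
        f"-j DNAT --to-destination {priv}:{port}"
        for _name, _svc, pub, port, priv in rules
    ]


# Constructed: one public IP per domain, the layout both answers recommend.
ONE_PUBLIC_PER_DOMAIN = {
    "domain1.example": ("1.1.1.1", "2.2.2.1"),
    "domain2.example": ("1.1.1.2", "2.2.2.2"),
    "domain3.example": ("1.1.1.3", "2.2.2.3"),
}

# Constructed: the asker's wish, all three domains behind a single public IP.
SINGLE_PUBLIC = {
    "domain1.example": ("1.1.1.1", "2.2.2.1"),
    "domain2.example": ("1.1.1.1", "2.2.2.2"),
    "domain3.example": ("1.1.1.1", "2.2.2.3"),
}


if __name__ == "__main__":
    for label, layout in (("one public IP per domain", ONE_PUBLIC_PER_DOMAIN),
                          ("single public IP", SINGLE_PUBLIC)):
        rules = plan_nat(layout)
        conflicts = find_conflicts(rules)
        print(f"{label}: {len(rules)} rules, {len(conflicts)} collisions")
        for (pub, port), privs in sorted(conflicts.items()):
            print(f"  {pub}:{port} would have to reach {sorted(privs)}")
    print("\n".join(render_iptables(plan_nat(ONE_PUBLIC_PER_DOMAIN))))
```

With three domains and seven services the per-domain layout yields 21 DNAT rules and no collisions; the single-IP layout collides on every non-HTTP port, which is exactly why the answers insist on one public address per domain.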