SUSE Linux Enterprise Server 9 NAT HOWTO
WORK IN PROGRESS!!! UPLOADING SCREENSHOTS CURRENTLY....
Our preferred configuration for our servers exposed to the public Internet is to NAT them behind a firewall. Zimbra's default configuration does not expect a NAT'd server, so a few configuration changes are required for the Zimbra server to function correctly. While the forums describe what needs to be accomplished, I have found no detailed "HOWTO" for SUSE Linux Enterprise Server 9 ("SLES9" or "ES9"), and so I decided to write one.
As this is a first draft, I would be grateful for any improvements and/or corrections.
L. Mark Stone
3 November 2006
This HOWTO assumes you already know what an A record, a PTR record and an MX record are, and that you know how to configure them for your Zimbra server to be RFC compliant on the public DNS servers that are authoritative for your domain. In other words, configuring things so the world can find your Zimbra server is beyond the scope of this HOWTO. :-)
For a NAT'd Zimbra box to work correctly, Zimbra must be tricked into using DNS records that reference private IP addresses for itself, even though the public DNS records point to public IP addresses.
To do this, we need to make changes in four places:
1. The /etc/hosts file
2. The /opt/zimbra/postfix/conf/main.cf file
3. The local installation of BIND on the ES9 Zimbra server
4. The order of DNS lookups
Here we will use the actual public and private IP addresses of our Zimbra server "viognier.reliablenetworks.com".
lmstone@shiraz:~$ host viognier.reliablenetworks.com
viognier.reliablenetworks.com has address 220.127.116.11
lmstone@shiraz:~$ ping 172.16.1.23
PING 172.16.1.23 (172.16.1.23) 56(84) bytes of data.
64 bytes from 172.16.1.23: icmp_seq=1 ttl=64 time=49.9 ms
64 bytes from 172.16.1.23: icmp_seq=2 ttl=64 time=83.3 ms

--- 172.16.1.23 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 49.918/66.613/83.308/16.695 ms
lmstone@shiraz:~$
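A quick check for the /etc/hosts part of the change, as an added example that is not part of the original HOWTO: it reports whether a hosts-format file maps the server's own name to an RFC 1918 address. It assumes that mapping is the goal of the /etc/hosts edit; the function names and the sample file layout are constructed for illustration, using the hostname and addresses shown above.

```sh
#!/bin/sh
# Added example: classify how a hosts-format file resolves the server's own name.

# Succeeds if $1 is an RFC 1918 private IPv4 address.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.*)
            second=${1#172.}; second=${second%%.*}
            [ "$second" -ge 16 ] 2>/dev/null && [ "$second" -le 31 ] ;;
        *) return 1 ;;
    esac
}

# Print the first address that hosts-format file $1 maps to name $2.
hosts_lookup() {
    awk -v name="$2" '
        { sub(/#.*/, "") }    # drop comments, including commented-out entries
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(name)) { print $1; exit } }
    ' "$1"
}

# Report the file's view of name $2: private, public or missing.
nat_view() {
    addr=$(hosts_lookup "$1" "$2")
    if [ -z "$addr" ]; then echo missing
    elif is_rfc1918 "$addr"; then echo private
    else echo public
    fi
}

# Constructed sample file (assumed layout), using this page's hostname and addresses.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
127.0.0.1       localhost
# 220.127.116.11  viognier.reliablenetworks.com viognier
172.16.1.23     viognier.reliablenetworks.com viognier
EOF
echo "viognier.reliablenetworks.com: $(nat_view "$sample" viognier.reliablenetworks.com)"
```

On the Zimbra server itself, calling nat_view with /etc/hosts and the server's fully qualified name should report "private" once the hosts file has been changed.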
In our case, we installed Zimbra before making the following changes, so we had to tweak the installer to use "reliablenetworks.com" as the domain instead of "viognier.reliablenetworks.com", and we had to accept and click through the installer's error notification that it couldn't find our MX record. It would be nice if someone could test an ES9 install after making the changes below, and confirm here that the install proceeds without any errors.
Regardless, you'll still need to edit the main.cf file after the Zimbra installation is complete.