pitter patter on the keyboard

I like to start my Xen networking by creating two (or more) bridges, one connected to the physical interface on the dom0 and another which is only connected to by virtual machines. This lets me set up an internal private network for cross-VM interaction and administration which is insulated from the DC’s network. If you put a router VM on both bridges which occupies your public IP addresses you can use 1-1 NAT to stack services from different VMs behind one IP and firewall the virtual machines. This is particularly handy where your address space is small but your VMs are many.

Unfortunately, the Debian interfaces configuration scheme doesn’t like setting up bridges with no bridge_ports directive so we have to give it a little boost. You will end up with a configuration file that looks something like this:

auto lo
iface lo inet loopback

iface eth0 inet manual

auto extbr0
iface extbr0 inet static
        bridge_ports eth0
        address x.x.x.x
        netmask 255.255.255.0
        network x.x.x.0
        broadcast x.x.x.255
        gateway x.x.x.1

auto intbr0
iface intbr0 inet manual
        pre-up    brctl addbr $IFACE
        post-down brctl delbr $IFACE
        up        ifconfig    $IFACE up y.y.y.y
        down      ifconfig    $IFACE down

Where y.y.y.y is an internal IP you can use to access the dom0. For example you might prefer not to expose SSH on your dom0 to the wild, you would make sshd listen on this IP and shell in over a VPN.

First check that port 80 is open on your server:

# iptables-save | grep 80
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT 

Switch to the zimbra user:

# su - zimbra

Turn on redirection to SSL:

zmtlsctl redirect

Now restart mailboxd:

[zimbra@mail ~]$ zmmailboxdctl stop 
Stopping mailboxd...done.
[zimbra@mail ~]$ zmmailboxdctl start
Starting mailboxd...done.

Now when your users connect to port 80 they will automatically be redirected to https://your-host-name.com

More information on zmtlsctl is available at http://www.zimbra.com/docs/os/6.0.8/administration_guide/A_app-command-line.13.13.html

You may need to open the LDAP port on your Zimbra server:

# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT

Determine your Zimbra LDAP password:

# su - zimbra
$ $ zmlocalconfig -s zimbra_ldap_password
zimbra_ldap_password = XXXXXXXXXXXX

Open the Barracuda Spam Firewall administration interface. Click the Domains tab. Click the Modify link next to the domain(s) you would like to enable bad recipient rejection for. Click on the LDAP Configuration sub-tab under the Users tab. Retain all defaults except:

• LDAP Server – Change this to the host name of your Zimbra server
• Bind DN (Username) – Change this to uid=zimbra,cn=admins,cn=zimbra
• Bind Password – Change this to your zimbra_ldap_password