A warm welcome at the new #bytemine-office for a #Zarafa meeting: http://t.co/8WJA3Cx4MO
This blog post is a part of a blog post series about tips and tweaks for a Zarafa server. These tips should make the life of any Zarafa installation just a little bit more secure and stable.
An often asked question at support is “Does my ZCP server allow me to run WebApp on a separate (virtualized or not) webserver?” In my opinion, this is actually a smart question. I will explain why and how you could move WebApp to a separate server.
(A 5 minute read).
Why should I think about running WebApp on a separate webserver?
An email server needs to be stable and secure. That’s a no-brainer for you and me: it does happen unfortunately too often that your infrastructure is assaulted by third parties. I will give two examples of cases that I’ve seen happening at customers:
How could a separate webserver for WebApp help me?
Let’s go back to the scenarios explained above. In the first scenario, traditionally you would want to have your externally reachable webserver in a separate (strictly locked-down) DMZ-Zone. This ensures that – in case someone successfully hacks your server – he will only get access to the webserver and not to the whole Zarafa server environment. Of course he could then potentially access the internal port to the internal servers but those are traditionally locked down well by us (port 236/237).
In scenario two, someone is repeatedly DOS’ing you which puts your Zarafa environment in danger. Again, when you run WebApp on a separate server, only THAT server will be impacted. Your Zarafa environment will remain to work while you work on the solution.
Ok, I am convinced. What to do next?
That’s great to hear. Now I need to put my money where my mouth is:
Modify the /etc/zarafa/webapp/config.php file. For example:
This config line will let the Zarafa server connect unencrypted at 192.168.1.2.
And you’re done! Didn’t hurt that much, right? I would like to point out one last thing though: please remember that security is a mindset. Following these tips is not enough. But you did make your groupware environment just a little bit more secure and that is always a smart thing to do if you would ask me.