Presentation of connector on our firewall?

Discuss the Scalix Outlook MAPI Interface

Moderators: ScalixSupport, admin

humpty
Posts: 68
Joined: Thu Jan 04, 2007 8:18 am

Presentation of connector on our firewall?

Postby humpty » Tue Aug 11, 2009 5:40 am

I have Scalix running successfully on an internal server with a private hostname. This server is completely hidden from the internet hiding behind a VPN server. I present IMAPS, SMTP and SMTPS to the internet via our off-site web server which relays using VPN. All this works just fine.

Now we're looking at a full migration to Outlook using the connector and I need to present this service to the internet for off-site use. Can I relay the required services from our web server or is it easier to open ports to our main Scalix server? I'm particularly concerned about the hostnames as our Scalix server (linux.pricetrak.com) is not public. Since that won't resolve from the internet will the connector work?

I know this is probably RTFM but can someone point at the required chapter? Thanks

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa

Re: Presentation of connector on our firewall?

Postby Valerion » Tue Aug 11, 2009 7:03 am

You need to have the following:

  • Forward port 5729 (non-SSL) or 5767 (SSL) to the server
  • If you set up 5767 you also need to set up stunnel on the server (just search the forum)
  • The hostname must be resolvable from the Internet, and point to an A record; CNAME records give issues
  • There should also be a scalix-default-mail entry that is a CNAME to the server name

humpty
Posts: 68
Joined: Thu Jan 04, 2007 8:18 am

Re: Presentation of connector on our firewall?

Postby humpty » Tue Aug 11, 2009 9:24 am

OK. I'm already running stunnel to present IMAPS and SMTPS successfully (with a real certificate) so 5767 is easy.

The webserver I'm presenting the SSL ports on is identified on the internet as mail.pibenchmark.com. Can I connect the Scalix connector to mail.pibenchmark.com and make it work or does the internal hostname (linux.pricetrak.com) need to point to the webserver (I think it does for delegated mailboxes and shared calendars to work?)

Sorry I don't understand the 'scalix-default-mail' bit. What do I get my ISP to add to our DNS records? I know only the basics of DNS records.

Thanks, I will understand eventually, then I can help the next lost newbie.

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa

Re: Presentation of connector on our firewall?

Postby Valerion » Tue Aug 11, 2009 10:20 am

You can probably just send the following to your ISP, I am sure they can configure it for you. I am going to assume your servername used internally is scalix.domain.com (always good to hide your real host names on public posts).

  • Your firewall needs to NAT the port 5767 to your Scalix machine.
  • There needs to be an A record for scalix.domain.com that points to the IP address of either your firewall or the IP of the Scalix server itself.
  • There needs to be a CNAME record for scalix-default-mail that points to scalix.domain.com

If you were using BIND it would look like this:

scalix                 IN    A        xxx.xxx.xxxx.xxxx
scalix-default-mail    IN    CNAME    scalix
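
An added example, not part of the original post and not Scalix code: a small checker that reads a zone fragment like the one above and reports where it departs from the layout described in this thread (an A record for the server name, and scalix-default-mail as a CNAME to it). The function names are hypothetical, domain.com is the placeholder used in the post, and the 192.0.2.x addresses are constructed.

```python
import ipaddress

def qualify(name, origin):
    """Expand a relative zone-file name to a lower-case FQDN (no trailing dot)."""
    name = name.lower()
    return name.rstrip(".") if name.endswith(".") else f"{name}.{origin.lower()}"

def parse_records(zone_text, origin):
    """Return {fqdn: (rtype, value)} for simple 'name IN TYPE value' lines."""
    records = {}
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop zone-file comments
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4 or fields[1].upper() != "IN":
            raise ValueError(f"unsupported record line: {line!r}")
        name, _, rtype, value = fields
        if rtype.upper() == "CNAME":
            value = qualify(value, origin)     # CNAME targets may be relative too
        records[qualify(name, origin)] = (rtype.upper(), value)
    return records

def check_connector_dns(zone_text, origin, server_label="scalix"):
    """Return a list of problems; an empty list means the layout matches."""
    records = parse_records(zone_text, origin)
    server = qualify(server_label, origin)
    alias = qualify("scalix-default-mail", origin)
    problems = []
    rtype, value = records.get(server, (None, None))
    if rtype != "A":
        problems.append(f"{server}: expected an A record, found {rtype}")
    else:
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            problems.append(f"{server}: {value!r} is not an IPv4 address")
    rtype, value = records.get(alias, (None, None))
    if rtype != "CNAME":
        problems.append(f"{alias}: expected a CNAME, found {rtype}")
    elif value != server:
        problems.append(f"{alias}: CNAME points to {value}, not {server}")
    return problems

# Constructed sample zones: GOOD follows the thread, BAD makes the server a CNAME.
GOOD = "scalix IN A 192.0.2.10 ; constructed\nscalix-default-mail IN CNAME scalix\n"
BAD = "relay IN A 192.0.2.10\nscalix IN CNAME relay\nscalix-default-mail IN CNAME scalix\n"

if __name__ == "__main__":
    print(check_connector_dns(GOOD, "domain.com"), check_connector_dns(BAD, "domain.com"))
```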

billb3
Scalix Star
Posts: 464
Joined: Mon May 26, 2008 8:56 pm
Location: Kingston, NY

Re: Presentation of connector on our firewall?

Postby billb3 » Tue Aug 11, 2009 10:50 am

Have you considered using OpenVPN or another VPN product so you don't have to make these ports public?

humpty
Posts: 68
Joined: Thu Jan 04, 2007 8:18 am

Re: Presentation of connector on our firewall?

Postby humpty » Tue Aug 11, 2009 11:17 am

We already do use openvpn - in fact that's the connection from our webserver to the true mail server in our office. We have had lots of problems with openvpn as an end user and failed connections which I'm trying to avoid. Also our VPN users get access to our fileshares and stuff which isn't acceptable for some mail users who are external consultants and only need mail.

I'm happy with using port 5767 through stunnel on the webserver, I'm already presenting IMAP that way for the rash of iPhones we've recently got. I'll play with this tonight and see if I can make it happen. E-mail is mostly transferred in the clear anyway so as long as the credentials are secure I'm good to go.

I think (and I hope) I was a bit misled by the Scalix docs which mentioned quite a few ports which needed to be opened to make the connector work. One through stunnel is much better. The only shame is the DNS record, at some point I'll need to rename the Scalix store to our new domain.

humpty
Posts: 68
Joined: Thu Jan 04, 2007 8:18 am

Re: Presentation of connector on our firewall?

Postby humpty » Thu Aug 20, 2009 6:29 am

It's even simpler than I was told. I didn't even need the DNS changes as the connector is smart enough to handle aliases. When I tried to open another person's mailbox the connector simply popped up and said it couldn't find the server (by internal name) and gave me the option of adding multiple aliases by name or IP. Shove in the name of the relay server as an alias and bob's your maiden aunt. The connector also worked out by itself that I was using SSL, albeit with a delay while I assume it was trying the normal port.

