Mac-Fan_

Q: Webmail auth from internet fails but from internal LAN ok - bug or feature?

Hello Friends

I set up my Lion Server (10.7.1) as a mail server; everything works fine (IMAP, sending and receiving mail) except webmail.

The strange thing is that webmail works fine if I connect from my intranet (internal LAN) to the server via "http://<ip or DNS-Name>/webmail/".

BUT - if I try to connect from the internet via "http://www.blabla.com/webmail/" I get the normal authentication page, but after typing in the credentials and pressing the login button I have to wait much longer, the wheel is spinning and the error message "could not connect to IMAP server" appears.

Questions:

- any tips?

- How can I debug the communication between Roundcube and the IMAP server?

- bug or feature?

I don't think that Roundcube distinguishes between public and private IP addresses, but beside this, I have no answer to explain this behavior...

Setup:

Internet ---- FW ---- Intranet

- FW is doing NAT

- Mail-Server is on a DMZ

- Mail-Server has a static, private IP address

Many thanks for your input

Daniel

Posted on Sep 15, 2011 1:19 PM


  • by John Lockwood, Sep 16, 2011 3:33 AM in response to Mac-Fan_ (Level 6, 9,379 points; Servers Enterprise)

    It's worth checking your firewall(s). You may have set them to allow IMAP traffic from your LAN and from the WAN router, but you may not have allowed the server itself. In your case the server might have three IP addresses: the loopback address, the DMZ address, and, depending on whether you have also connected it directly to the LAN, that address as well.

    It could also be a DNS issue: your LAN clients may be resolving the IMAP server address to the LAN address, and this will work. Remote clients should also be resolving the IMAP server address to the DMZ address, and this will also work. However, your server itself might be looking at your internal DNS server and resolving the IMAP server to a LAN address, and possibly the server is trying to send that request from the DMZ port and will not be able to reach its own LAN address. To resolve this DNS issue you should have the DMZ Ethernet port use a DNS server that resolves the IMAP server address to the DMZ address. In my case I used my ISP to provide external DNS resolution, and used my own DNS server on the LAN interface of my mail server (also my VPN server) to resolve to internal LAN addresses.

  • by Mac-Fan_, Sep 16, 2011 5:13 AM in response to John Lockwood (Level 1, 0 points)

    Hello John

    Regarding Firewall:

    As all the users can access the mail server via IMAP (from internal and from outside/internet), the server is reachable via IMAP. I also get the required authentication pages.

    As the WebMail gateway is embedded within Lion, it cannot be a firewall issue.

    Regarding DNS:

    As I had written in my first post, the server is connected to the DMZ on the firewall with one single private IP address (with only one NIC).

    Beside that, the issue is not connecting to the server in general, but that the web front-end cannot talk to the IMAP server if the user is connected from the internet (I don't think that this is a network/DNS/routing/firewall problem; it looks rather like an internal SW issue on the front-end side).

    For me, it seems like the server distinguishes between public and private IP addresses and blocks the public IP somehow (but that is just a guess; I am still trying to find a way to debug this internal communication between the front-end and the IMAP server...)

    BTW - I'm not alone with this issue:

    https://discussions.apple.com/message/15681797#15681797

  • by jceaves, Sep 19, 2011 9:16 PM in response to Mac-Fan_ (Level 1, 0 points)

    We have the same issue. I should mention that we are using Lion behind a Cisco PIX firewall. Our DNS server is running Windows Server 2003 64bit. Previously, we had no webmail problems running Lion, although one user wiki did not copy over during the upgrade from Snow Leopard to Lion.

    Inability to access webmail only started recently after a restart following a routine update of Lion server. I agree that it doesn't sound like a DNS issue since the users can log in to the wiki from the internet. SSL certificate is installed and valid. DNS is on in Lion server and matches the DNS entries in Windows server.

    Since no one has a fix for this and Apple hasn't offered one, I am beginning to think this might be an OS glitch.

  • by frank124, Nov 16, 2011 5:53 AM in response to Mac-Fan_ (Level 1, 0 points)

    Have a look in

    /usr/share/webmail/config/appleoverrides.inc.php,

    it should point to your local server name instead of $h;

    the original $h will be replaced by your external FQDN, which is not enabled in mail.

    $rcmail_config['default_host'] = 'tls://macserver.example.com';

  • by herrberg, Jan 8, 2012 2:25 PM in response to frank124 (Level 1, 0 points)

    I couldn't get that to work.

    I have a router that can NAT traffic, but port 443 I cannot touch. I have configured outside traffic to go to 4430 instead, and this I NAT to 443 on the internal network. I use a dyndns setup for the web address. Works great for everything except webmail in the new OS X Lion server.

    https to webmail on 127.0.0.1 works great on my OS X server. https to webmail from any other server to the server's IP address works fine.

    Does anyone have a clue what the appleoverrides.inc.php should look like?

    Let's say:

    URL to get to the OS X mail page: https://fisherman.dyndns.org:4430

    URL to get to the webmail page: https://fisherman.dyndns.org:4430/webmail/

    LAN IP for the server is 192.168.1.10

    I would be so grateful for a snippet on how to configure the appleoverrides.inc.php file. An example says more than a thousand words...

  • by pollardjw, Apr 11, 2012 1:05 PM in response to herrberg (Level 1, 0 points)

    I am having the exact same problem. Are there any updates?

    Thanks

  • by frank124, Apr 11, 2012 11:40 PM in response to pollardjw (Level 1, 0 points)

    Hi,

    change /usr/share/webmail/config/appleoverrides.inc.php and replace the bold line with your external DNS name,

    e.g. blabla.dyndns.org

    <?php

    $rcmail_config['include_host_config'] = true;
    $rcmail_config['default_host'] = 'tls://blabla.dyndns.org';
    $rcmail_config['smtp_server'] = '%h';
    $rcmail_config['smtp_user'] = '%u';
    $rcmail_config['smtp_pass'] = '%p';
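    To make the `%h` behaviour described in the two frank124 posts concrete, and to answer the original question of how to debug the Roundcube-to-IMAP leg, here is an added Python example; it is not code from this thread, from Apple or from the Roundcube project. It parses a constructed copy of the override file, expands the `default_host` template for a given browser Host header the way Roundcube does, and probes the resulting IMAP host from the server's own vantage point, which is where the front-end's connection attempt is actually made. The sample file contents, the helper names and the host names fed to the usage block are assumptions for illustration.

```python
"""Added example (not code from the thread, Apple or Roundcube): shows how the
default_host template in appleoverrides.inc.php becomes the IMAP host that
Roundcube dials, and probes that host from the server's own vantage point.
Sample data and helper names below are constructed for illustration."""
import re
import socket
import ssl
from urllib.parse import urlsplit

# Constructed copy of /usr/share/webmail/config/appleoverrides.inc.php with the
# stock '%h' template the thread identifies as the source of the problem.
SAMPLE_OVERRIDES = r"""<?php
$rcmail_config['include_host_config'] = true;
$rcmail_config['default_host'] = 'tls://%h';
$rcmail_config['smtp_server'] = '%h';
$rcmail_config['smtp_user'] = '%u';
$rcmail_config['smtp_pass'] = '%p';
"""

_ASSIGN = re.compile(r"\$rcmail_config\['(\w+)'\]\s*=\s*'([^']*)'\s*;")


def parse_overrides(php_text):
    """Collect the single-quoted string settings from the PHP override file."""
    return dict(_ASSIGN.findall(php_text))


def effective_imap_host(template, http_host, default_port=143):
    """Expand Roundcube's default_host for one browser request.

    '%h' is replaced with the Host header the browser sent, so the IMAP
    target depends on which name the user typed into the address bar.
    Returns (scheme, host, port); scheme is 'tls' (STARTTLS), 'ssl' or 'plain'.
    """
    bare_host = http_host.split(':', 1)[0]          # drop e.g. ':4430'
    target = template.replace('%h', bare_host)
    if '://' in target:
        parts = urlsplit(target)
        scheme = parts.scheme
        host = parts.hostname
        port = parts.port or (993 if scheme == 'ssl' else default_port)
    else:
        scheme = 'plain'
        host, _, port_text = target.partition(':')
        port = int(port_text) if port_text else default_port
    return scheme, host, port


def compare_vantage_points(template, host_headers):
    """Map each way users reach webmail to the IMAP host Roundcube will dial.

    Shows why a LAN visit (Host = internal name or IP) and an internet visit
    (Host = external FQDN) can end up at different IMAP targets.
    """
    return {h: effective_imap_host(template, h) for h in host_headers}


def probe_imap(host, port, scheme, timeout=5.0):
    """Reach the IMAP service the way Roundcube would, from this machine.

    Run on the mail server itself with the host a remote user would supply.
    A resolution or connection failure here is the same failure the webmail
    front-end reports as "could not connect to IMAP server".
    """
    try:
        addr = socket.gethostbyname(host)
    except socket.gaierror as exc:
        return f"dns-fail {host}: {exc}"
    try:
        with socket.create_connection((addr, port), timeout=timeout) as sock:
            if scheme == 'ssl':
                # Implicit TLS: the certificate must match the name used here.
                ctx = ssl.create_default_context()
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    greeting = tls.recv(512).decode('ascii', 'replace')
            else:
                greeting = sock.recv(512).decode('ascii', 'replace')
    except OSError as exc:
        return f"connect-fail {addr}:{port}: {exc}"
    if scheme == 'tls' and 'STARTTLS' not in greeting:
        return f"no-starttls {addr}:{port}: {greeting.strip()}"
    return f"ok {addr}:{port}: {greeting.strip()}"


if __name__ == '__main__':
    template = parse_overrides(SAMPLE_OVERRIDES)['default_host']
    # Constructed Host headers: one LAN visit, one internet visit.
    targets = compare_vantage_points(
        template, ['192.168.1.10', 'fisherman.dyndns.org:4430'])
    for header, (scheme, host, port) in targets.items():
        print(f"Host: {header:28} -> {scheme}://{host}:{port}")
        print("   ", probe_imap(host, port, scheme))
```

    Run it on the mail server with the Host header a remote user would send. If the external name resolves to the router's public address and the router does not hairpin that connection back inside, or if the name is not one the mail service accepts, the probe fails the same way the webmail login does, while the internal name succeeds. Pinning `default_host` to a fixed host name, as the override file in the post above does, makes the IMAP target independent of whatever name the browser sent.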

  • by pollardjw, May 16, 2012 1:14 PM in response to frank124 (Level 1, 0 points)

    Hi Frank

    Thanks for your help, but it did not work for me. It also stopped me logging in on the local network as well, until I reverted to the original setting.