Zimbra Implement, Administer and Manage.pdf

This material is copyright and is licensed for the sole use by Kliwon Klimis on 28th October 2008

Securing Zimbra

Host-Based Firewall

When we first prepared the operating system for our initial Zimbra install (in Chapter 2), we looked at opening ports in our system, or host-based, firewall. During the initial install, the firewall was disabled. After Zimbra was successfully installed, we did an initial lockdown of our system by enabling the firewall and opening up all ports that were particular to Zimbra.

It is imperative to keep in mind one simple fact about ports: only open the ports that are necessary for your server to function. Any other ports should be blocked on the host. That being said, let's review the ports we opened for Zimbra and decide whether there are a few we should go ahead and close. The list below is the same list of ports from Chapter 2.

https:tcp
3930:tcp
pop3:tcp
imap:tcp
imaps:tcp
ldap:tcp
pop3s:tcp
7025:tcp
5800:tcp
5900:tcp
7071:tcp
3895:tcp
3894:tcp
ssh:tcp

Based on the Classes of Service (COS) that we have created thus far and the features we have enabled, it is apparent that the following ports are neither needed nor being used.

1. We disabled access to POP email. Therefore, we can remove pop3:tcp and pop3s:tcp from our list of open ports.

2. We are also not allowing IMAP access to our server at this time, so we may go ahead and disable imap:tcp and imaps:tcp.

One other thing to consider is whether you will be allowing access to the admin console over the public internet, or whether it will require local or VPN access. I would recommend not allowing access to the console unless the request is coming from the local LAN (or VPN, of course). That being said, we could also disable 7071:tcp.

Chapter 5

The rest of the ports we should keep active for our Zimbra server to work correctly.

Once all of the changes have been made, it would be a good idea to restart the firewall and Zimbra services to make sure all is functioning as it should.

Services

The same rule of thumb for ports applies to services. If a service is running on your server that is not necessary, disable it. In the case above, we had already determined that we are not allowing POP3 and IMAP. Those services we have not disabled, but using them is not allowed by the definitions of our COS.

To determine which services Zimbra will start automatically, we need to open up the admin console and click on Servers in the Navigation Pane; then select your server and click on the Services tab. As shown in the following screenshot, any service with a check mark next to it will start up with Zimbra.

Besides Zimbra services, operating systems have a tendency to install services by default. These services may include sendmail, DNS, MySQL or another database, Apache, Squid, Webmin, or whatever the case may be. If you are not using a service, disable it.
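The port review above and the services rule of thumb in this section are the same check applied to two inventories: what the host firewall opens, what is actually listening, and what starts at boot. The following POSIX shell script is an added example, not code from the book or from Zimbra. It starts from the Chapter 2 port list, removes the five ports the text identifies as unnecessary (POP3, POP3S, IMAP, IMAPS, and the 7071 admin console), renders iptables rules with the admin console restricted to a LAN range you supply, and then audits constructed netstat-style and chkconfig-style output against that reduced list. The LAN range, the ALLOWED_SERVICES list, and the sample listener and service lines are assumptions made for the example; the port-name-to-number mapping is the standard IANA one, embedded so the script does not depend on /etc/services.

```shell
#!/bin/sh
# Added example; not from the book. Re-derives the Chapter 2 port list with the
# ports the text calls unnecessary removed, renders host firewall rules, and
# audits listeners and boot-time services against what is actually allowed.
# Labels use the same "name:proto" style as the book's list.

# The Chapter 2 list as printed on the page.
CHAPTER2_PORTS="https:tcp 3930:tcp pop3:tcp imap:tcp imaps:tcp ldap:tcp pop3s:tcp 7025:tcp 5800:tcp 5900:tcp 7071:tcp 3895:tcp 3894:tcp ssh:tcp"

# Closed per the text: POP3/IMAP (disabled in the COS) and the admin console
# (7071), which is to be reachable only from the LAN or VPN.
CLOSE_PORTS="pop3:tcp pop3s:tcp imap:tcp imaps:tcp 7071:tcp"

# Services that may stay enabled at boot (assumption: a minimal allow list).
ALLOWED_SERVICES="zimbra sshd iptables crond syslog"

# keep_ports: the Chapter 2 list minus CLOSE_PORTS, one label per line.
keep_ports() {
  for p in $CHAPTER2_PORTS; do
    keep=1
    for c in $CLOSE_PORTS; do
      if [ "$p" = "$c" ]; then keep=0; fi
    done
    if [ "$keep" -eq 1 ]; then echo "$p"; fi
  done
}

# port_number: numeric port for a label (well-known names mapped inline so the
# script does not depend on /etc/services); numeric labels pass through.
port_number() {
  name=${1%%:*}
  case "$name" in
    https) echo 443 ;;  pop3)  echo 110 ;;  pop3s) echo 995 ;;
    imap)  echo 143 ;;  imaps) echo 993 ;;  ldap)  echo 389 ;;
    ssh)   echo 22 ;;
    *[!0-9]*) echo "unknown service: $name" >&2; return 1 ;;
    *) echo "$name" ;;
  esac
}

# iptables_rules: one ACCEPT per kept port, open to any source, plus a single
# LAN-only rule for the admin console. Prints the commands; does not apply them.
iptables_rules() {
  lan=$1   # caller supplies its own range, e.g. 192.168.1.0/24
  for p in $(keep_ports); do
    echo "iptables -A INPUT -p tcp --dport $(port_number "$p") -m state --state NEW -j ACCEPT"
  done
  echo "iptables -A INPUT -p tcp --dport 7071 -s $lan -m state --state NEW -j ACCEPT"
}

# unexpected_listeners: given "addr:port" lines as netstat -ltn would show them,
# print non-loopback ports that the host firewall no longer opens to everyone.
# Such a port is either blocked by the firewall or a service to disable.
unexpected_listeners() {
  allowed=""
  for p in $(keep_ports); do allowed="$allowed $(port_number "$p")"; done
  echo "$1" | while read -r addr; do
    port=${addr##*:}
    host=${addr%:*}
    if [ -z "$addr" ] || [ "$host" = "127.0.0.1" ]; then continue; fi
    case " $allowed " in
      *" $port "*) ;;
      *) echo "$port" ;;
    esac
  done
  return 0
}

# unneeded_services: given chkconfig --list style lines, print services that
# start in runlevel 3 but are not in ALLOWED_SERVICES.
unneeded_services() {
  echo "$1" | while read -r name rest; do
    case " $rest " in *" 3:on "*) ;; *) continue ;; esac
    case " $ALLOWED_SERVICES " in *" $name "*) ;; *) echo "$name" ;; esac
  done
  return 0
}

# Constructed samples (not captured from a real host) for the audits above.
SAMPLE_LISTENERS="0.0.0.0:443
0.0.0.0:110
0.0.0.0:7071
127.0.0.1:7025
0.0.0.0:22"

SAMPLE_CHKCONFIG="zimbra    0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd      0:off 1:off 2:on  3:on  4:on  5:on  6:off
sendmail  0:off 1:off 2:on  3:on  4:on  5:on  6:off
httpd     0:off 1:off 2:off 3:off 4:off 5:off 6:off
mysqld    0:off 1:off 2:on  3:on  4:on  5:on  6:off"

echo "# firewall rules"
iptables_rules 192.168.1.0/24
echo "# listening on all interfaces but not open to everyone:"
unexpected_listeners "$SAMPLE_LISTENERS"
echo "# enabled at boot but not in the allow list:"
unneeded_services "$SAMPLE_CHKCONFIG"
```

On a real host, replace the two samples with the output of netstat -ltn (or ss -ltn) and chkconfig --list and review the flagged items: a flagged listener such as POP3 on port 110 is blocked by the firewall but, per the Services section, should be disabled outright; port 7071 appearing is expected, since the admin console still listens and only the firewall limits it to the LAN. After applying the rules and disabling services, restart the firewall and Zimbra as the text advises and rerun the audit.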

Updates and Patching

Running software updates and patches is critical for any server (and workstation, for that matter) in your environment. Patches are used to fix vulnerabilities and bugs in software programs, and in the operating system itself. By not patching, you are leaving your server exposed to unnecessary risk.

