Zimbra Implement, Administer and Manage.pdf

This material is copyright and is licensed for the sole use by Kliwon Klimis on 28th October 2008 425 cilce, , frood, grradt, 525254

Securing Zimbra

possible attackers, there is still a case for having users create a secure tunnel to the local network, before accessing their email.

There are many benefits and, unfortunately, downsides to requiring a virtual private network (VPN) connection for web email access. Obviously, a VPN creates a secure environment that allows for encrypting the email transmission, requires fewer open ports on the firewall, and restricts access to the web server to local traffic only.

The downsides include the fact that a user needs to jump through several hoops just to check their email from an outside location. This may be fine for telecommuters (who are probably using a VPN anyway to access other services on the network), but for salespeople and "road warriors", this could be troublesome. One type of VPN I have used, which lets users check their email from any computer while still requiring VPN access, is referred to as an SSL VPN.

These SSL VPNs allow users to browse to a specific URL in their internet browser. The VPN then does a quick scan of the host computer to make sure there is no known malware on the system, and asks for user authentication. Once authenticated, the user is presented with a link to check their email. Only the email is now tunnelled through the VPN and the rest of the host computer's traffic is not. This allows for less overhead on the host computer and on the VPN itself. It also creates an easy way for users to check email on the road, while protecting your network from unwanted visitors and malware.

If a VPN solution is not an option for all of your users to access the Zimbra web client, I would recommend that at least the admin console (https://zimbra.emailcs.com:7071) is accessible only through a VPN. That way port 7071 can be closed to outside traffic, and the admin console is the one area of Zimbra where you do not want unwanted visitors.
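One way to check that a host firewall really limits the admin console port to VPN clients is to replay a saved ruleset against test source addresses. The following is an added example, not code from the book: it assumes the Zimbra host uses iptables, that VPN clients sit in 10.8.0.0/24, and that 203.0.113.10 stands in for an outside address; both rulesets are constructed samples.

```python
import ipaddress
import shlex

# Constructed iptables-save excerpts. 10.8.0.0/24 is an assumed VPN subnet.
OPEN_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7071 -j ACCEPT
COMMIT
"""
VPN_ONLY_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 10.8.0.0/24 -p tcp -m tcp --dport 7071 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7071 -j DROP
COMMIT
"""

def opt(tokens, name):
    """Return the argument following option `name`, or None if absent."""
    return tokens[tokens.index(name) + 1] if name in tokens else None

def verdict(ruleset, src_ip, dport, chain="INPUT"):
    """First-match verdict for a TCP packet from src_ip to dport.

    Only -s, -p, --dport and -j are interpreted. Negated matches, other
    match modules and jumps to user-defined chains are not evaluated.
    """
    src = ipaddress.ip_address(src_ip)
    policy = "ACCEPT"
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if line.startswith(":" + chain + " "):
            policy = tok[1]                  # e.g. ":INPUT DROP [0:0]"
        if tok[:2] != ["-A", chain]:
            continue
        proto, net, port, target = (opt(tok, o) for o in ("-p", "-s", "--dport", "-j"))
        if proto not in (None, "tcp", "all"):
            continue
        if net and src not in ipaddress.ip_network(net, strict=False):
            continue
        if port:
            lo, _, hi = port.partition(":")  # single port or "lo:hi" range
            if not int(lo) <= dport <= int(hi or lo):
                continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
    return policy

def admin_console_exposed(ruleset, outside_ip="203.0.113.10", port=7071):
    """True if an address outside the VPN can reach the admin console port."""
    return verdict(ruleset, outside_ip, port) == "ACCEPT"
```

On a live host the input would be the output of `iptables-save`; a result of `True` means port 7071 is still reachable without the VPN.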

Summary

This chapter discussed the importance of securing your Zimbra environment and the methods that can be used to do so. We began by looking at Zimbra's built-in security tools, including web client security, anti-spam, and anti-virus. We then looked at securing the operating system or host that Zimbra is running on, with a focus on securing ports, disabling unnecessary services, and being sure to keep the system patched and updated on a regular basis. Lastly, we looked at securing the network, with a discussion on creating a demilitarized zone (DMZ), configuring firewalls, and the use of Virtual Private Networks (VPN).

In the next chapter, we will look at adding some finishing touches to our Zimbra implementation by enhancing the user experience through customizing user settings and branding Zimbra to match your corporate look and feel.

