Thread: Firewall?

  1. #1
    Join Date
    Oct 2007
    Location
    San Jose
    Posts
    27
    Rep Power
    7

    Firewall?

    I've browsed threads relating to firewalls and I'm still not clear if there is consensus - Zimbra behind firewall or not? I know the install document indicates that it shouldn't be, but what is standard in production environments?

  2. #2
    Join Date
    Nov 2005
    Location
    London, ON
    Posts
    255
    Rep Power
    9

    In my opinion you should always firewall. I have firewalled everything; with proper permissions it will still work properly.

    Your MTA should be in a DMZ because it is fairly public.

  3. #3
    Join Date
    May 2006
    Location
    USA
    Posts
    6,242
    Rep Power
    21

    Welcome to the forums,

    The ports you will need opened: Ports - Zimbra :: Wiki

    Cluster ports are also at the bottom of this doc: Firewall Configuration - Zimbra :: Wiki

  4. #4
    Join Date
    Jul 2007
    Location
    San Jose, CA
    Posts
    1,027
    Rep Power
    10

    Pay special attention to the first sentence in the Wiki Mike referenced:
    You may choose not to allow remote connections to all of these.
    I would change that to "You SHOULD choose not to allow. . . " IMHO allowing admin access from outside (port 7071) is a bad idea. I'm not saying I expect Zimbra to be hacked but if it ever is, allowing that many open ports allows the bad guys to exploit (or at least probe) your server that much more easily.

    Being the paranoid sort that I am, I currently have Zimbra living on a DMZ and the only ports open from outside are 443 and 25. Traffic on these ports is forwarded to Zimbra's internal IP address by a DNAT/SNAT rule on my firewall. When I get around to setting up any external POP accounts I'll also open 995 for secure POP, but I don't anticipate ever opening any of the non-SSL ports (except 25, obviously), and certainly not admin, to anyone except by logging onto a VPN first. You may also want to open IMAP, but from the outside I would recommend only secure IMAP if you do, for the same reason. I would also set my box to not allow unencrypted logons by any of the various services.

    From the LAN, of course, you need admin, IMAP, etc. If your LAN is compromised you have a lot bigger problems than just your mail server!
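    The layout described in the post above (Zimbra in a DMZ, only 443 and 25 reachable from the Internet through DNAT/SNAT, admin 7071 and the mail protocols reachable only from the LAN/VPN side) as an iptables rule script. This is an added example, not the poster's own configuration; the addresses, network range and interface name are constructed placeholders.

```shell
#!/bin/sh
# Perimeter firewall rules for a Zimbra host in a DMZ: Internet reaches only
# HTTPS (443) and SMTP (25) via DNAT/SNAT; admin (7071), IMAP and POP are
# reachable only from the LAN, where VPN clients also land.
# All addresses and the interface name below are constructed placeholders.
ZIMBRA=192.0.2.10          # Zimbra's internal (DMZ) address
PUBLIC=203.0.113.5         # firewall's public address
LAN=10.0.0.0/24            # internal network (VPN clients included)
WAN=eth0                   # Internet-facing interface
DRY_RUN=${DRY_RUN:-1}      # 1 = print the rules for review, 0 = apply them

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

zimbra_rules() {
    # Default deny for forwarded traffic; replies to existing flows pass.
    run -P FORWARD DROP
    run -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Internet -> Zimbra: HTTPS and SMTP only. Add 995 (POP3S) or 993 (IMAPS)
    # here only if external mail clients are actually needed.
    for port in 443 25; do
        run -t nat -A PREROUTING -i "$WAN" -d "$PUBLIC" -p tcp --dport "$port" \
            -j DNAT --to-destination "$ZIMBRA"
        # FORWARD sees the post-DNAT destination, hence $ZIMBRA here.
        run -A FORWARD -i "$WAN" -d "$ZIMBRA" -p tcp --dport "$port" -j ACCEPT
    done
    # Outbound mail and replies leave with the public address.
    run -t nat -A POSTROUTING -s "$ZIMBRA" -o "$WAN" -j SNAT --to-source "$PUBLIC"

    # LAN/VPN -> Zimbra: admin console plus the mail protocols named in the post.
    for port in 7071 443 25 143 993 110 995; do
        run -A FORWARD -s "$LAN" -d "$ZIMBRA" -p tcp --dport "$port" -j ACCEPT
    done
    # Anything else from the Internet toward the DMZ host hits the DROP policy.
}

zimbra_rules
```

Review the output with the default DRY_RUN=1 first; only then run it with DRY_RUN=0 as root to apply the rules.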

  5. #5
    Join Date
    Oct 2007
    Location
    San Jose
    Posts
    27
    Rep Power
    7

    Thanks!

    Thanks, guys, that feedback is great and what I was previously thinking too.
