I've got a Zimbra Server successfully running on the internet as a mail and collaboration server for some kind of "distributed company". Zimbra really does that job great altogether. The only thing that is still bugging me is the publicly accessible LDAP directory, on which some threads already exist.
As I don't need to have any users access the LDAP directory over the internet, I'd like to block LDAP access completely from the internet, so only the Zimbra server itself can still access the directory for use with the web client etc.
For this, I tried to set my iptables firewall up to allow only loopback and the server's own IP to contact the LDAP daemon. This seemed to work at first, but ended up with a 16GB(!) logfile within 2 days because of a lot of Java exception lines like this:
Caused by: javax.naming.CommunicationException: myhostname.de:389 [Root exception is java.net.ConnectException: Connection refused]
I suppose that I'm not the only one who has ever tried to solve that security problem, so I'd like to ask you out there: what are your firewall rules which let LDAP do its work and still prevent spammers from reading the directory?
Thanks in advance,
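The rule set the post describes, written out as an added example (this is not code from the original post or from Zimbra): a POSIX shell script that generates iptables rules confining the LDAP ports to the host itself, and can apply them idempotently. It assumes LDAP on 389/tcp and LDAPS on 636/tcp, that the server's own public address is passed as the first argument, and uses 203.0.113.10 only as a placeholder address. The two ACCEPT rules cover both ways the local Zimbra services reach the directory: via 127.0.0.1, and via the host's own public address, which Linux still delivers over `lo` but with that public address as the source.

```shell
#!/bin/sh
# Added example, not from the original post or from Zimbra.
# Assumptions: LDAP on 389/tcp, LDAPS on 636/tcp; $1 is the host's own
# public address (203.0.113.10 below is a documentation placeholder).

LDAP_PORTS="389 636"

# Print the INPUT-chain rules for the given server address, one iptables
# command per line, in the order they must be inserted. Nothing is applied.
ldap_fw_rules() {
    server_ip="$1"
    for port in $LDAP_PORTS; do
        # Local services talking to 127.0.0.1 or to the host's own address:
        # both arrive on the loopback interface.
        echo "iptables -A INPUT -i lo -p tcp --dport $port -j ACCEPT"
        # Belt and braces: a connection from the host to its own public
        # address carries that address as source, so allow it by source too.
        echo "iptables -A INPUT -s $server_ip -p tcp --dport $port -j ACCEPT"
        # Everyone else on the internet: silently drop. (REJECT with a TCP
        # reset would make clients fail fast instead of timing out.)
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
}

# Apply the rules (needs root). "iptables -C" returns 0 when an identical
# rule already exists, so re-running the script does not duplicate rules.
ldap_fw_apply() {
    ldap_fw_rules "$1" | while IFS= read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/ -A / -C /')
        if ! sh -c "$check" >/dev/null 2>&1; then
            sh -c "$rule" || return 1
        fi
    done
}

# Count how many rules will be generated (3 per port), handy for a sanity
# check against "iptables -S INPUT | grep -c dport" after applying.
ldap_fw_rule_count() {
    ldap_fw_rules "$1" | wc -l | tr -d ' '
}

# Usage: ./ldap_fw.sh apply 203.0.113.10   (apply as root)
#        ./ldap_fw.sh show  203.0.113.10   (just print the rules)
case "${1:-}" in
    apply) ldap_fw_apply "$2" ;;
    show)  ldap_fw_rules "$2" ;;
esac
```

After applying, check the effect from outside with `nmap -p 389,636 myhostname.de` (ports should show as filtered) and from the server itself with `ldapsearch -x -H ldap://127.0.0.1 -b '' -s base` and the same query against the public address, both of which must still answer; if the local query against the public address fails, the source-address ACCEPT rule is the one to look at.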