Hello, all. We've just installed our first two Zimbra servers. We normally do a destructive and exhaustive vulnerability scan using OpenVAS and place systems under HIDS with OSSEC before we put them into production. I was a bit surprised that OpenVAS turned up a few worrisome bits. I see others have scanned with Nessus but I did not see these errors. Before we spend lots of time exploring whether these are false positives (we are not really security experts), we thought we'd ask the list if they were familiar with these issues.

We show a security hole in postfix enabling a smad attack (DoS). Thankfully, we don't expose port 587 to the Internet but we are a multi-tenant site and could be attacked from the inside.

We also picked up a few warnings for cross-site scripting. Most seem to be for specific products which are not in Zimbra, so I assume those are false positives, but one seemed serious:

"The remote web server seems to be vulnerable to the Cross Site Scripting vulnerability (XSS). The vulnerability is caused by the result returned to the user when a non-existing file is requested (e.g. the result contains the JavaScript provided in the request).

The vulnerability would allow an attacker to make the server present the user with the attacker's JavaScript/HTML code. Since the content is presented by the server, the user will give it the trust level of the server (for example, the trust level of banks, shopping centers, etc. would usually be high).

Sample url : http://zimbra.mycompany.com:80/foo.jsp?param=<SCRIPT>foo</SCRIPT>.jsp"

Has anyone else seen and investigated these? Are they anything to worry about? Thanks - John
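Added example, not part of the original post and not Zimbra's code: a small check that decides whether a "not found" page really echoes the requested file name unescaped (the finding is real) or only in HTML-escaped form (the scanner most likely flagged a false positive). The host name, the probe marker and the three sample responses are constructed for the demonstration.

```python
import html
from urllib.parse import quote

# Constructed probe marker: unique, harmless, and containing the characters an
# HTML context must escape. It is only used to see whether the requested file
# name comes back in the error page, and in what form.
MARKER = 'zmchk<"x">'

def escaped_forms(marker: str) -> tuple:
    """HTML-escaped spellings a correctly encoding server might emit."""
    return (
        html.escape(marker, quote=True),     # zmchk&lt;&quot;x&quot;&gt;
        html.escape(marker, quote=False),    # zmchk&lt;"x"&gt;
        marker.replace("<", "&lt;").replace(">", "&gt;").replace('"', "&#34;"),
    )

def classify_reflection(body: str, marker: str = MARKER) -> str:
    """How did the error page handle the requested file name?
    'raw'     - echoed with < > " intact: the scanner's finding is real
    'escaped' - echoed only in HTML-escaped form: most likely a false positive
    'absent'  - not echoed at all
    """
    if marker in body:
        return "raw"
    if any(form in body for form in escaped_forms(marker)):
        return "escaped"
    return "absent"

def probe_not_found(base_url: str, fetch, marker: str = MARKER):
    """Request a non-existent .jsp whose name carries the marker, the way the
    scanner's sample URL does, and classify the response body.
    fetch(url) -> (status_code, body_text) is supplied by the caller, so the
    check runs against a stub offline or against your own test host."""
    url = f"{base_url}/{quote(marker, safe='')}.jsp"
    status, body = fetch(url)
    return status, classify_reflection(body, marker)

# Constructed sample responses (not captured from any real Zimbra server).
VULNERABLE_404 = '<h1>Not Found</h1>The file /zmchk<"x">.jsp was not found'
SAFE_404 = '<h1>Not Found</h1>The file /zmchk&lt;&quot;x&quot;&gt;.jsp was not found'
GENERIC_404 = "<h1>404 Not Found</h1>"

def _stub_fetch(url):
    # Stand-in for an HTTP client; always returns the escaped (safe) page.
    return 404, SAFE_404

if __name__ == "__main__":
    for name, body in [("vulnerable", VULNERABLE_404), ("safe", SAFE_404), ("generic", GENERIC_404)]:
        print(name, "->", classify_reflection(body))
    print(probe_not_found("http://zimbra.example.test", _stub_fetch))
```

Only a "raw" result means the scanner's finding reproduces; an "escaped" or "absent" result on the real 404 page is the evidence you want before writing the warning off.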