
Thread: Zimbra Security

  1. #1
    Join Date: Oct 2005 | Posts: 19 | Rep Power: 10

    Zimbra Security

    Zimbra Gurus,

    I've been trying to fine-tune the security on my server and I notice it opens _a lot_ of ports, most of which are either used only by Zimbra or are redirected via iptables.

    Here is my list of ports opened by Zimbra:


    Port State Service
    25/tcp open smtp
    80/tcp open http
    110/tcp open pop-3
    143/tcp open imap2
    389/tcp open ldap
    443/tcp open https
    993/tcp open imaps
    995/tcp open pop3s
    3310/tcp open unknown
    3784/tcp open unknown
    7025/tcp open unknown
    7070/tcp open realserver
    7071/tcp open unknown
    7075/tcp open unknown
    7110/tcp open unknown
    7143/tcp open unknown
    7389/tcp open unknown
    7443/tcp open unknown
    7993/tcp open unknown
    7995/tcp open unknown
    8009/tcp open ajp13

    My question is: can I bind everything that's not actually serving data to the internet to localhost? Does LDAP really need to be open to the world? At the very least, could I block access to these ports via iptables? Do the 70** ports need to be available to the public, or does the iptables redirect act as a proxy?

    What ports does the web application connect to?

  2. #2
    Join Date: Aug 2005 | Location: San Mateo, CA | Posts: 4,789 | Rep Power: 19

    Quote Originally Posted by mikea
    Port State Service
    25/tcp open smtp
    80/tcp open http
    110/tcp open pop-3
    143/tcp open imap2
    389/tcp open ldap
    443/tcp open https
    993/tcp open imaps
    995/tcp open pop3s
    3310/tcp open unknown
    3784/tcp open unknown
    7025/tcp open unknown
    7070/tcp open realserver
    7071/tcp open unknown
    7075/tcp open unknown
    7110/tcp open unknown
    7143/tcp open unknown
    7389/tcp open unknown
    7443/tcp open unknown
    7993/tcp open unknown
    7995/tcp open unknown
    8009/tcp open ajp13

    My question is: can I bind everything that's not actually serving data to the internet to localhost? Does LDAP really need to be open to the world? At the very least, could I block access to these ports via iptables? Do the 70** ports need to be available to the public, or does the iptables redirect act as a proxy?

    What ports does the web application connect to?
    You can restrict lots of ports to be local-only if you have a single-node install. Many things need to be open in a multi-node install. In those cases we expect you to have a firewall that opens only your SSL service port to the internet.

    In general all you need is to open 80/443 for the web; the rest can be closed off unless you need IMAP/POP externally.
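An added example (not from the thread, and not Zimbra's own scripts) of the split the reply above recommends, worked out for the port list in the first post: a POSIX shell script that classifies each scanned port as public or Zimbra-internal and prints the iptables rules that admit only the public set from the internet, with the internal set reachable only from an assumed trusted network (other nodes of a multi-node install, or admin hosts). The contents of PUBLIC_PORTS and REDIRECTS, the ZIMBRA_IN chain name and the 10.0.0.0/24 trusted network are all assumptions; delete 110/143/993/995 from PUBLIC_PORTS if you don't offer POP/IMAP externally.

```shell
#!/bin/sh
# Added example, not code from the thread or from Zimbra: split the nmap
# output in the first post into ports that must stay reachable from the
# internet and ports only Zimbra's own components should reach, then print
# the iptables rules for that split (dry run: review, then pipe into sh).

# Assumption: these are the only services the internet needs. Remove the
# POP/IMAP ports if you do not offer them externally.
PUBLIC_PORTS="25 80 443 110 143 993 995"

# Assumed nat REDIRECTs on this host as "external:internal" pairs. A REDIRECT
# is not a proxy: it rewrites the destination port before the filter INPUT
# chain sees the packet, so a plain DROP on 7070 would also drop the
# redirected port-80 traffic. We mark such packets in mangle PREROUTING
# (which runs before nat PREROUTING) and accept them on the mark.
REDIRECTS="80:7070 443:7443"

# Constructed copy of the scan from the first post (port/proto state service).
SCAN='25/tcp open smtp
80/tcp open http
110/tcp open pop-3
143/tcp open imap2
389/tcp open ldap
443/tcp open https
993/tcp open imaps
995/tcp open pop3s
3310/tcp open unknown
3784/tcp open unknown
7025/tcp open unknown
7070/tcp open realserver
7071/tcp open unknown
7075/tcp open unknown
7110/tcp open unknown
7143/tcp open unknown
7389/tcp open unknown
7443/tcp open unknown
7993/tcp open unknown
7995/tcp open unknown
8009/tcp open ajp13'

# classify_port PORT -> "public" or "internal"
classify_port() {
    for p in $PUBLIC_PORTS; do
        if [ "$p" = "$1" ]; then
            echo public
            return 0
        fi
    done
    echo internal
}

# internal_ports SCAN_TEXT -> ports to wall off, one per line
internal_ports() {
    printf '%s\n' "$1" | while read -r portproto _state _service; do
        port=${portproto%/*}
        if [ "$(classify_port "$port")" = internal ]; then
            printf '%s\n' "$port"
        fi
    done
}

# gen_rules SCAN_TEXT TRUSTED_CIDR -> iptables commands on stdout.
# Internal ports stay open to TRUSTED_CIDR only (assumed to be your other
# Zimbra nodes or admin hosts) and are dropped for everyone else.
gen_rules() {
    scan=$1
    trusted=$2
    echo "iptables -N ZIMBRA_IN"
    echo "iptables -A ZIMBRA_IN -i lo -j ACCEPT"
    echo "iptables -A ZIMBRA_IN -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $PUBLIC_PORTS; do
        echo "iptables -A ZIMBRA_IN -p tcp --dport $p -j ACCEPT"
    done
    for r in $REDIRECTS; do
        ext=${r%:*}
        int=${r#*:}
        echo "iptables -t mangle -A PREROUTING -p tcp --dport $ext -j MARK --set-mark 1"
        echo "iptables -A ZIMBRA_IN -p tcp --dport $int -m mark --mark 1 -j ACCEPT"
    done
    for p in $(internal_ports "$scan"); do
        echo "iptables -A ZIMBRA_IN -p tcp --dport $p -s $trusted -j ACCEPT"
        echo "iptables -A ZIMBRA_IN -p tcp --dport $p -j DROP"
    done
    echo "iptables -I INPUT 1 -j ZIMBRA_IN"
}

# count_dropped SCAN_TEXT -> how many ports the ruleset blocks from the world
count_dropped() {
    gen_rules "$1" 10.0.0.0/24 | grep -c ' -j DROP$'
}

gen_rules "$SCAN" 10.0.0.0/24
```

For the scan in the first post this walls off 14 ports (389 plus every 3xxx/7xxx/8xxx port) and leaves the seven public ones reachable. If your install does not use nat REDIRECTs, empty REDIRECTS; if it uses different pairs, the mark rules are the part to adjust, because without them the DROP on the internal port silently takes the redirected web traffic with it.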

  3. #3
    Join Date: Sep 2005 | Posts: 95 | Rep Power: 10

    Can I make my Zimbra-MTA more secure by disallowing AnonymousBind? Some Netfilter/iptables rules will help, but I'd love to disallow AnonymousBind by default. As far as I know, the only thing I must do is reconfigure Postfix, setting binddn and bindpassword in /opt/zimbra/conf/*ldap*, right?

    -g

  4. #4
    Join Date: Sep 2005 | Posts: 274 | Rep Power: 10

    care to elaborate?

    Quote Originally Posted by graffiti
    Can I make my Zimbra-MTA more secure by disallowing AnonymousBind? Some Netfilter/iptables rules will help, but I'd love to disallow AnonymousBind by default. As far as I know, the only thing I must do is reconfigure Postfix, setting binddn and bindpassword in /opt/zimbra/conf/*ldap*, right?
    In the zimbra-mta package, postfix can see only public mail routing data: who is in a distribution list, what an alias points to, where the mailbox lives. Do you think even this data must require a bind? If so, go for it; you have to change ldap-*.cf, and more importantly you have to modify slapd.conf to make sure that if you don't bind, you don't see anything.

    Out of the box, slapd.conf should restrict what you can see without binding. If you see more than you'd like, let us know; it's either a bug or we overlooked something.

  5. #5
    Join Date: Sep 2005 | Posts: 95 | Rep Power: 10

    I installed phpldapadmin on the same machine where Zimbra-LDAP is installed, and I can use it to see all Zimbra stuff in LDAP anonymously.

    I didn't mean to say Postfix needs binding just because it can see LDAP data. What I meant to say is that in order to secure Zimbra, we need to disallow AnonymousBind in slapd.conf, and therefore we must change the Postfix configuration, because currently Postfix uses anonymous binding.

    Another security concern is chrooting Zimbra. Can I chroot Postfix, MySQL, Tomcat, OpenLDAP, i.e., put each of them in its own jail? If that's not possible, can we chroot and set /opt/zimbra as their new root? I may hack this myself, but it would be great if Zimbra shipped this feature by default.


    -g
    Last edited by graffiti; 10-22-2005 at 08:40 AM.
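Posts #3 to #5 disagree about how much an anonymous LDAP client should see, and #4 asks to be told if it is more than routing data. An added example (not from the thread, and not Zimbra's own tooling) that settles the question for a given server: a POSIX shell script with a live anonymous ldapsearch probe and a grader for its LDIF output. The grader is demonstrated against a constructed LDIF sample, not a real directory; the list in SENSITIVE_ATTRS, the hostname, base DN and the sample entries are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Zimbra: find out what an
# anonymous (unauthenticated) LDAP client can read, which post #5 reports is
# everything. anon_search is the live probe (assumes the OpenLDAP client
# tools and a server on HOST:389); the other functions grade LDIF text, so
# they can be exercised here on a constructed sample instead of a server.

# Attributes an unauthenticated client must never see (assumed list; extend it).
SENSITIVE_ATTRS="userPassword"

# Constructed sample of what `ldapsearch -x -LLL` might print when the ACLs
# let anonymous clients read the whole tree. Not real data, not a real hash.
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
mail: alice@example.com
userPassword: {SSHA}constructed-placeholder-not-a-real-hash

dn: cn=staff,ou=lists,dc=example,dc=com
objectClass: groupOfNames
cn: staff
member: uid=alice,ou=people,dc=example,dc=com'

# anon_search HOST BASE -> LDIF of everything anonymous can read under BASE.
# -x selects simple bind; with no -D/-w that is an anonymous bind. -LLL
# prints bare LDIF without comments or version lines.
anon_search() {
    ldapsearch -x -LLL -H "ldap://$1:389" -b "$2" -s sub '(objectClass=*)' '*'
}

# count_entries LDIF -> number of entries returned (0 when nothing is visible)
count_entries() {
    printf '%s\n' "$1" | grep -c '^dn:' || true
}

# exposed_attrs LDIF -> sensitive attribute names present, one per line
exposed_attrs() {
    for a in $SENSITIVE_ATTRS; do
        if printf '%s\n' "$1" | grep -qi "^$a:"; then
            echo "$a"
        fi
    done
}

# grade LDIF -> OK | WARN | FAIL
#   OK   : nothing readable without binding
#   WARN : entries readable, but none of SENSITIVE_ATTRS (roughly the
#          "public mail routing data" post #4 says the MTA relies on)
#   FAIL : a sensitive attribute is readable without binding
grade() {
    n=$(count_entries "$1")
    if [ "$n" = 0 ]; then
        echo OK
    elif [ -n "$(exposed_attrs "$1")" ]; then
        echo FAIL
    else
        echo WARN
    fi
}

# Against a live server (hostname and base DN are placeholders):
#   grade "$(anon_search ldap.example.com dc=example,dc=com)"
echo "constructed sample: $(count_entries "$SAMPLE_LDIF") entries, grade $(grade "$SAMPLE_LDIF")"
```

A WARN is the state post #4 describes as intended; a FAIL is the bug it asks to be told about. If you go on to close anonymous access in slapd.conf (an OpenLDAP `access to ... by anonymous none` rule), remember the dependency post #5 points out: every Postfix ldap table under /opt/zimbra/conf then needs credentials, which in Postfix's own parameter names are `bind = yes`, `bind_dn` and `bind_pw`, and the bind DN you give Postfix needs an ACL that still lets it read the routing attributes. Re-run the probe, anonymously and then with Postfix's DN, after the change.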
