Hi all,

I'm a little bit concerned about the security of Zimbra and hope to get some input if I'm completely wrong here or if there are additional steps to secure Zimbra.

My initial plan was to have the MTA/proxy in one DMZ and the mailbox-server in the internal network. That install went horribly wrong as the appliance-installer (was 8.0.3) was always starting over again and again …

At the moment I'm running a single-server test-install with the 8.0.4 appliance but if I keep Zimbra, I for sure want to go to the split-model again (if the NE supports that also).
The first security-disapointment was the setting of the initial password where only alphanumerics and hyphens were allowed. So it was not possible to use a really strong password.

The next disappointment came when running Quays SSL-scanner agains the server. While all my other server got a grade of "A", this install only got a "C" mainly because of the failed Key-Exchange (Certificate 100, Protocol-Support 90, Key-Exchange 40 and Cipher Strength 60).

After reading the release-notes I wondered how this could happen. The appliance runs on Ubuntu LTS, and the release notes state that Ubuntu 10.04 is depreciated so I assumed that Zimbra is based on LTS 12.04. But after looking at the base system I saw that's still 10.04. Now the 8.0.4 release is already quite old and my other Ubuntu-boxes got a couple of security updates which my Zimbra server didn't got. So I assume that my server is sitting with missing security fixes in the internet (of course behind a firewall with only the needed Ports (IMAPS, POP3S, SMTP, Submission) opened).

That leads me to some questions:

1) Is Zimbra really a security nightmare as I think at the moment?
2) Am I right, that the OS of the appliance is meant to be pached by Zimbra-updates and not to be patched manually with aptitude and so on?
3) Is it allowed to tune the internal config for example for the Apache server?
4) Or is the usage of the appliance not the way to go if you want to have a secure system?
5) If point 4 tells me that the normal install is the way to go, are all the base-components updated by the operating-system or do I also have to wait until Zimbra releases fixed versions of the software that makes Zimbra running as a server?

You see, I'm nearly completely lost and I hope that someone can give some hints or best practices on how to setup a secure Zimbra system.

Thanks in advance, Karsten