Thread: what ports to open up?

  1. #1 (Join Date: May 2008, Posts: 10, Rep Power: 7)

    what ports to open up?

    So I just set up ZCS on a firewalled server and have migrated the accounts. I am now ready to start letting clients connect to the server and I want to know which ports I need to forward through my firewall.

    I have users who use Linux, Windows, and Mac OS X. I want them all to be able to send and receive email, use the web client, and have access to the global address list. I'd like to limit access to encrypted links only.

    So I was planning on opening up the following ports:

    25 -- SMTP, for receiving emails from users and inbound email to users
    389 -- LDAP, this is the global address list no?
    443 -- HTTPS, SSL encrypted web mail access
    993 -- IMAP, SSL encrypted IMAP access

    My mac users are going to use the iSync adapter and my windows users are using the outlook adapter. Are there any other ports I need to forward to support those adapters?

    Also, what kind of security is there on the LDAP server access? Is it password protected like IMAP and SMTP? Is it safe to expose the LDAP server?

    Thanks,
    Dave

  2. #2 (Join Date: May 2006, Location: USA, Posts: 6,242, Rep Power: 21)

  3. #3 (Join Date: May 2008, Posts: 10, Rep Power: 7)

    So if you can't open up 389 to the world how do your clients get global address list access? Do they have to use the iSync and Outlook connectors to synchronize their local contacts list with the one on the server?

    What about mobile devices and Linux? I want to be able to tell Evolution where my LDAP directory is. Isn't there a way to password protect it like IMAP and SMTP?

    Dave

  4. #4 (Join Date: May 2008, Posts: 10, Rep Power: 7)

    I should note that our Zimbra server is at a hosted location and is external to our company network.

  5. #5 (Join Date: May 2006, Location: USA, Posts: 6,242, Rep Power: 21)

    Ok, so currently you can connect securely, but you can still connect insecurely - hence the recommendation to prevent at the firewall.

    Say you want 389 open but not insecure communication:
    See what security level TLS connections make (usually it's 256 - depends on your key strength though) then add security tls=256 to /opt/zimbra/conf/slapd.conf.in
    security ssf=256 would be better to require all communications be 256 enc
    security ssf=256 simple_bind=256

    Open: Bug 20739 - make force-TLS for LDAP configurable (hook up the ldap_require_tls attribute)

    It was going to be 5.0.6, not finished so 5.0.7 that would contain the internal communication lock down: Bug 16601 - Secure Access To LDAP (ldap_starttls_supported and zimbra_require_interprocess_security)

    Still open: Bug 15378 - Obviate the need for and disallow LDAP anonymous binds
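The post above suggests a slapd `security` line such as `security ssf=256 simple_bind=256` to refuse unencrypted LDAP binds. The script below is an added illustration written for this thread, not code from Zimbra or OpenLDAP: it parses the `security` directive out of a constructed slapd.conf excerpt and works out, for a few kinds of client connection, whether slapd would accept or refuse them. It models the documented meaning of the directive (each factor is a minimum Security Strength Factor, roughly the cipher key length in bits, and the connection's overall SSF is the strongest of its transport, TLS and SASL layers). Two points it makes visible: a policy of `ssf=256` also locks out clients whose TLS cipher only gives SSF 128 (the "depends on your key strength" caveat), and `simple_bind=N` alone still admits anonymous cleartext searches, which is the gap Bug 15378 is about. The config text and scenario names are constructed.

```python
"""Evaluate an OpenLDAP slapd ``security`` directive against expected client connections.

Added example for this thread (not Zimbra's or OpenLDAP's own code); the
sample slapd.conf.in excerpt below is constructed.
"""
import re

# Factors the slapd ``security`` directive accepts; each is a minimum SSF.
FACTORS = ("ssf", "transport", "tls", "sasl", "simple_bind", "update_ssf",
           "update_transport", "update_tls", "update_sasl")

SAMPLE_SLAPD_CONF = """\
# constructed excerpt of /opt/zimbra/conf/slapd.conf.in
include /opt/zimbra/openldap/etc/openldap/schema/core.schema
security ssf=256 simple_bind=256
"""


def parse_security(conf_text):
    """Return {factor: minimum_ssf} from the last ``security`` line; {} if there is none."""
    policy = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"security\s+(.*)$", line, re.IGNORECASE)
        if not m:
            continue
        policy = {}  # a later security line replaces an earlier one
        for token in m.group(1).split():
            name, _, value = token.partition("=")
            if name not in FACTORS or not value.isdigit():
                raise ValueError(f"unrecognised security factor: {token!r}")
            policy[name] = int(value)
    return policy


def evaluate(policy, tls_ssf=0, sasl_ssf=0, transport_ssf=0,
             bind="anonymous", update=False):
    """Return the reasons slapd would refuse the operation (an empty list means allowed).

    tls_ssf is 0 for a cleartext connection, otherwise the cipher strength the
    TLS layer negotiated; bind is "anonymous", "simple" (password) or "sasl".
    """
    overall = max(tls_ssf, sasl_ssf, transport_ssf)
    checks = {"ssf": overall, "tls": tls_ssf, "sasl": sasl_ssf,
              "transport": transport_ssf}
    if update:  # the update_* factors only apply to write operations
        checks.update({"update_ssf": overall, "update_tls": tls_ssf,
                       "update_sasl": sasl_ssf, "update_transport": transport_ssf})
    if bind == "simple":  # simple_bind applies to password binds only
        checks["simple_bind"] = overall
    return [f"{factor}: have {actual}, need {policy[factor]}"
            for factor, actual in checks.items()
            if actual < policy.get(factor, 0)]


# Constructed client scenarios: name -> keyword arguments for evaluate().
SCENARIOS = {
    "cleartext anonymous search": {},
    "cleartext simple bind (Evolution, no TLS)": {"bind": "simple"},
    "STARTTLS AES-128 simple bind": {"tls_ssf": 128, "bind": "simple"},
    "STARTTLS AES-256 simple bind": {"tls_ssf": 256, "bind": "simple"},
}


def audit(conf_text, scenarios=SCENARIOS):
    """Map each scenario name to True (accepted) or False (refused) under the config's policy."""
    policy = parse_security(conf_text)
    return {name: not evaluate(policy, **kw) for name, kw in scenarios.items()}


if __name__ == "__main__":
    policy = parse_security(SAMPLE_SLAPD_CONF)
    print("policy:", policy)
    for name, kw in SCENARIOS.items():
        reasons = evaluate(policy, **kw)
        verdict = "allowed" if not reasons else "refused (" + "; ".join(reasons) + ")"
        print(f"{name:45s} {verdict}")
```

Run it to see the verdict table for the sample policy; swap the `security` line in `SAMPLE_SLAPD_CONF` for `security simple_bind=128` to see that password binds are then forced onto TLS while anonymous cleartext searches still go through. The script only reasons about the directive; it does not talk to a server, so confirm the negotiated cipher strength on the real host before choosing 256 over 128.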

  6. #6 (Join Date: May 2008, Posts: 10, Rep Power: 7)

    So there is a way to make LDAP use TLS and require authentication? Is that what you mean by adding security tls=256 to /opt/zimbra/conf/slapd.conf?
