I just set up a box to try out zimbra (4.5.6), and I must say I am impressed on a functional level. However, when I dig into it a bit, I have a few security-related concerns.
While I can make most of these changes myself through a bit of hacking, trial and error, I thought I would solicit some feedback from others to see if anyone has locked it down more, or, even better, bring these things to the attention of the developers so they can be fixed in the release itself.
1. Lots of binary/config files are owned/writable by the same user that the web server (and other services) run as. This is a poor security practice because if one of these services is exploited and a hacker is able to write to the filesystem, the binaries or config files can be easily overwritten by a hacked version. Since the zimbra install is done as root, these files should be owned by root and only readable (or executable in the case of binaries) by the zimbra user. Assuming that only the zimbra user needs access, these files could have ownership of root:zimbra and be set to 640 (or 750 for binaries). That way any other user on the system that doesn't need to access these files can't. Even just changing the owner from 'zimbra' to 'root' would yield the biggest benefit, even if the mode permissions weren't changed.
2. On a single-server installation there are several ports that are open to the world that don't need to be. From what I can tell many of the ports that zimbra opens up are used for internal communication between zimbra processes, and as such don't need to be open to the world. Although some of these may be necessary in a multi-server environment, surely in a single-server environment these services should be bound to localhost. Of course these ports can be firewalled off by a host-based firewall, but a good security practice is to lock down any services listening on the host irrespective of any firewall measures.
3. The default configuration of the spell checker server does not provide any authentication or encryption. Anyone in the world can connect to this port using insecure http and run the aspell php application. Although the functionality of this page is limited, it's not generally a good idea to have any application available to the world that doesn't need to be. While I would imagine that it wouldn't be too hard to use https instead of regular http, I don't know how much work it would be to only allow connections from authenticated users due to the design. Additionally I see that when I bring up http://hostname:7780 I get the default apache page. This is generally not a good idea since a common way to find web servers to hack is to search the web for certain text that exposes what type/version of webserver is running.
4. When SMTP authentication is disabled, the saslauthd services continue to run after zimbra is restarted. From what I can tell these services are not needed unless sasl auth is used, so they shouldn't need to run.
I am thinking about making a script to secure zimbra after the install is complete, but I was hoping someone had already done some research and had some notes or a script.
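As an added example (not part of the original post, and not a Zimbra script), here is a dry-run audit in POSIX sh covering points 1 and 2 above: it lists files the service user could replace and proposes the root:zimbra 640/750 ownership the post describes, and it flags listening sockets not bound to loopback. It assumes GNU/BSD find(1), an `ss -ltn`-style listing on stdin, and placeholder values for the install directory and service user; it prints commands rather than running them.

```shell
#!/bin/sh
# Added audit helpers, not Zimbra's own code.
# Assumptions: POSIX sh, find(1); ZIMBRA_HOME and ZIMBRA_USER are placeholders.
ZIMBRA_HOME="${ZIMBRA_HOME:-/opt/zimbra}"
ZIMBRA_USER="${ZIMBRA_USER:-zimbra}"

# Point 1: print regular files under $1 that the service user $2 could replace,
# either because it owns them or because group/other write bits are set.
writable_by_service_user() {
    dir=$1; user=$2
    find "$dir" -type f \( -user "$user" -o -perm -020 -o -perm -002 \) -print
}

# Suggest the ownership scheme from the post: root:<user>, 750 for
# executables and 640 for everything else. Prints commands, never runs them.
suggest_fix() {
    dir=$1; user=$2
    writable_by_service_user "$dir" "$user" | while read -r path; do
        if [ -x "$path" ]; then newmode=750; else newmode=640; fi
        printf 'chown root:%s %s && chmod %s %s\n' "$user" "$path" "$newmode" "$path"
    done
}

# Point 2: read `ss -ltn` output on stdin and print the local address:port of
# every LISTEN socket not bound to loopback (candidates for localhost-only).
nonlocal_listeners() {
    awk '$1 == "LISTEN" {
            host = $4; sub(/:[^:]*$/, "", host)   # strip trailing ":port"
            if (host != "127.0.0.1" && host != "[::1]") print $4
         }'
}

# Stand-alone use: audit the install tree, then the live listeners (if ss exists).
if [ "${1:-}" = "--run" ]; then
    suggest_fix "$ZIMBRA_HOME" "$ZIMBRA_USER"
    command -v ss >/dev/null 2>&1 && ss -ltn | nonlocal_listeners
fi
```

Review the printed chown/chmod lines before applying any of them, since a multi-server setup or a file that a non-root service must rewrite at runtime needs different treatment.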