Zimbra :: Forums > Zimbra Collaboration Suite > Administrators
#1 - 05-15-2008, 05:00 PM - Active Member (Posts: 48)

[SOLVED] Serious security breach on all Zimbra servers?

I access my GAL through Apple's address book, which does not require authentication.

Just out of curiosity I trawled through the forums and entered the first mail domain that I came across into the LDAP directory of Apple's address book, and discovered that I had access to their GAL, their internal users, personal details and their email addresses.

I have now deleted the various sites that I tested but I had access to them all.

Me thinks this shouldn't be happening.

Thoughts?
#2 - 05-15-2008, 05:05 PM - Active Member (Posts: 38)

Firewall?

Simply firewall the ports you don't want exposed to the Internet (or any other network for that matter). This is basic network security and shouldn't need to be explicitly spelled out in an administration forum... but there you have it.

Depending on your environment, the process for restricting access to certain services will vary greatly. On both my Zimbra installations for work, we use a DMZ and then restrict access depending on whether the traffic is from the LAN or Internet. Works perfectly and on the Internet the only exposed ports are required to use SSL/TLS and a valid user to do anything.

Hope that helps.

Cheers,

James
#3 - 05-15-2008, 05:18 PM - Former Zimbran (Posts: 5,606)

Yowsers. Now that's a title that will get our attention.

This argument has been around for a while, and I can see *both* sides of the issue.

Servers like OS X, Windows 2000, Novell actually have editions that allow anon bind. Does that make it right? Nope. The issue surrounds the availability of address book/contact data. How much do you restrict it? If it's a directory, some thoughts are that it should be open. Other thoughts are that it should be closed.

Because of how Zimbra works, we currently need anon bind in order to gain access to ldap data. So let's be careful to understand that this doesn't mean that you need 389 open to the world. 389 should always be blocked at your firewall.

What happens on the Zimbra side is that the request is made via SOAP to the server. The server then talks to itself over 389, gets the data, and sends it back to the client.

So the answer is, don't open 389 to the world. Doing such can result in harvesting data.

You can track this at: Bug 15378 - Obviate the need for and disallow LDAP anonymous binds

So the question is: Is it a security issue? Only if you have 389 open.
#4 - 05-15-2008, 05:24 PM - Special Member (Posts: 167)
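The check an admin would want after the reply above: does port 389 on your own server answer an anonymous bind from outside the firewall? This is an added example, not code from the thread or from Zimbra; it hand-encodes the LDAPv3 BindRequest so it needs only the Python standard library, and the two sample responses at the bottom are constructed, not captured from a real server.

```python
"""Check whether an LDAP server accepts an anonymous simple bind (RFC 4511)."""
import socket

def _read_len(data: bytes, pos: int) -> tuple[int, int]:
    """Decode a BER length at data[pos]; return (length, position after it)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F  # long form: the next n bytes hold the length
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def build_anonymous_bind(message_id: int = 1) -> bytes:
    """BER-encode an LDAPv3 BindRequest with an empty DN and an empty password."""
    # version INTEGER 3, name OCTET STRING "", [0] simple OCTET STRING ""
    bind_request = b"\x02\x01\x03" + b"\x04\x00" + b"\x80\x00"
    bind_request = b"\x60" + bytes([len(bind_request)]) + bind_request  # [APPLICATION 0]
    body = b"\x02\x01" + bytes([message_id]) + bind_request
    return b"\x30" + bytes([len(body)]) + body  # LDAPMessage SEQUENCE

def parse_bind_result(data: bytes) -> int:
    """Return the resultCode carried by a BindResponse ([APPLICATION 1] = 0x61)."""
    if not data or data[0] != 0x30:
        raise ValueError("not an LDAPMessage")
    _, pos = _read_len(data, 1)
    if data[pos] != 0x02:
        raise ValueError("missing messageID")
    length, pos = _read_len(data, pos + 1)
    pos += length  # skip the messageID value
    if data[pos] != 0x61:
        raise ValueError("not a BindResponse")
    _, pos = _read_len(data, pos + 1)
    if data[pos] != 0x0A:
        raise ValueError("missing resultCode (ENUMERATED)")
    length, pos = _read_len(data, pos + 1)
    return int.from_bytes(data[pos:pos + length], "big")

def check_anonymous_bind(host: str, port: int = 389, timeout: float = 5.0) -> int:
    """Connect to host:port, send the anonymous bind and return the server's resultCode."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_anonymous_bind())
        return parse_bind_result(sock.recv(4096))

# Constructed sample responses (not captured from a real server):
# resultCode 0 = success (directory readable anonymously), 48 = inappropriateAuthentication
SAMPLE_OPEN = bytes.fromhex("300c02010161070a010004000400")
SAMPLE_REFUSED = bytes.fromhex("300c02010161070a013004000400")
```

Run `check_anonymous_bind("your.mail.host")` from a machine outside your network: a resultCode of 0 (or a connection at all) means 389 is reachable and the GAL is readable exactly as the first post describes; the fix, as jholder says, is the firewall rule, since Zimbra itself still needs the anonymous bind on the loopback side.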

Perhaps this demonstrates the need to emphasize the bare essential ports that are required to be opened to the outside world in the installation documentation? Maybe even a section informing users of the implications of opening other ports?
Craig Rodway

#5 - 05-15-2008, 05:27 PM - Active Member (Posts: 48)

389 is now closed on my box.

Maybe forum users shouldn't be posting their mail server details or if they do then at least XXXX out the details.

Anyone want to buy various company users details? Going cheap to a good home!

Webman - good answer. How about a ruddy large message in the installation program warning them?
#6 - 05-15-2008, 05:31 PM - Active Member (Posts: 38)

Good idea

webman: This is a good idea. I've installed a number of "bundled" products with similar models to Zimbra. In many cases the installation and/or administration documentation has an entire section on firewall considerations and "hardening". Obviously it can't cover all possible scenarios and network configurations, but a simple "expose this" and "block that" with justifications would be a very helpful tool to admins everywhere.

Cheers,

James
#7 - 05-15-2008, 05:37 PM - Former Zimbran (Posts: 5,606)

Quote (Originally Posted by pcsupport):
389 is now closed on my box.

Maybe forum users shouldn't be posting their mail server details or if they do then at least XXXX out the details.

Anyone want to buy various company users details? Going cheap to a good home!

Webman - good answer. how about a ruddy large message in the installation program warning them?
Sort of a valid point...but that's like saying that we should have to tell users to not have their passwords to Zimbra. Some things are not specific to Zimbra, such is the case with this. Anyone who opens 389 to the world shouldn't be in an admin position anyway.

We have this: Ports - Zimbra :: Wiki

With that said, the point that you all raise is still very valid. Although we mention which ports are needed, we don't (in the documentation) mention best practices. Please file a bug under the tech docs area...or feel free to start/edit a wiki page. Free shirt for who ever does this first (creates/edits the wiki page).
#8 - 05-15-2008, 05:53 PM - Outstanding Member (Posts: 708)

That's really disingenuous. In fact you tell users in the installation documentation to disable firewalls and SELinux entirely. See for example Zimbra and SElinux Firewall Configuration - Zimbra :: Wiki and the latest official install guide, http://www.zimbra.com/docs/os/latest...stall/#1057019
#9 - 05-15-2008, 06:19 PM - Former Zimbran (Posts: 5,606)

Quote (Originally Posted by Rich Graves):
That's really disingenuous. In fact you tell users in the installation documentation to disable firewalls and SELinux entirely. See for example Zimbra and SElinux Firewall Configuration - Zimbra :: Wiki and the latest official install guide, http://www.zimbra.com/docs/os/latest...stall/#1057019
Actually, to clarify, we tell users to disable during installation and to open the necessary ports after installation. During troubleshooting, we might recommend disabling a firewall. This is only for the duration of the install.

SELinux just plain isn't compatible... but what's new. SELinux has its fans and its detractors. I'm in the latter group with Theodore Tso, who is one of the main Linux kernel contributors:

"SELINUX is so horrible to use, that after wasting a large amount of time enabling it and then watching all of my applications die a horrible death since they didn't have the appropriate hand-crafted security policy, caused me to swear off of it. For me, given my threat model and how much my time is worth, life is too short for SELinux."

Security, as it were, all comes down to administrator experience. We try to guide in the forums, but it's all in the admin's hands.

Anyone who would blindly open their firewall because a software vendor said so should be questioning why. Same thing with SELinux. If we suggest disabling it, we (as the software vendor) owe you an explanation why.

That's the way it works. Nothing replaces admin experience and common sense.

Last edited by jholder; 05-15-2008 at 06:23 PM.

#10 - 05-15-2008, 07:24 PM - Outstanding Member (Posts: 684)

Anyone putting any type of machine out on the Internet has the responsibility to secure that machine. They also have the responsibility to educate themselves on such matters.

Setting up a mail server or any server on the Internet is a HUGE responsibility. And it is the Administrator's responsibility and not the responsibility of his software providers. Zimbra has NO responsibility to teach you security principles.

I believe way too many people have servers on the Internet that aren't qualified to do so. This is the biggest reason the Internet has become such a dangerous place to be.

ME THINKS!