Thread: [SOLVED] Serious security breach on all Zimbra servers?

  1. #1 pcsupport (Active Member, joined Apr 2008)

    [SOLVED] Serious security breach on all Zimbra servers?

    I access my GAL through Apple's Address Book, which does not require authentication.

    Just out of curiosity I trawled through the forums and entered the first mail domain that I came across into the LDAP directory of Apple's Address Book and discovered that I had access to their GAL, their internal users, personal details and their email addresses.

    I have now deleted the various sites that I tested but I had access to them all.

    Me thinks this shouldn't be happening.

    Thoughts?

  2. #2 Centurion (Active Member, joined Apr 2007, NSW, Australia)

    Firewall?

    Simply firewall the ports you don't want exposed to the Internet (or any other network for that matter). This is basic network security and shouldn't need to be explicitly spelled out in an administration forum...but there you have it.

    Depending on your environment, the process for restricting access to certain services will vary greatly. On both my Zimbra installations for work, we use a DMZ and then restrict access depending on whether the traffic is from the LAN or Internet. Works perfectly and on the Internet the only exposed ports are required to use SSL/TLS and a valid user to do anything.

    Hope that helps.

    Cheers,

    James

  3. #3 jholder (Former Zimbran, joined Oct 2005, Thatcher, AZ)

    Yowsers. Now that's a title that will get our attention.

    This argument has been around for a while, and I can see *both* sides of the issue.

    Servers like OS X, Windows 2000, Novell actually have editions that allow anon bind. Does that make it right? Nope. The issue surrounds the availability of address book/contact data. How much do you restrict it? If it's a directory, some thoughts are that it should be open. Other thoughts are that it should be closed.

    Because of how Zimbra works, we currently need anon bind in order to gain access to ldap data. So let's be careful to understand that this doesn't mean that you need 389 open to the world. 389 should always be blocked at your firewall.

    What happens on the Zimbra side is that the request is made via SOAP to the server. The server then talks to itself over 389 and gets the data, and sends it back to the client.

    So the answer is, don't open 389 to the world. Doing such can result in harvesting data.

    You can track this at: Bug 15378 - Obviate the need for and disallow LDAP anonymous binds

    So the question is: Is it a security issue? Only if you have 389 open.
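    jholder's point above, that the server talks to itself over 389 so the firewall must let loopback and LAN traffic through while dropping everything else, can be audited from an iptables-save dump. This is an added example, not code from the thread or from Zimbra; the rule fragments, the 10.0.0.0/8 LAN range, the eth0 interface name and the sample addresses are constructed assumptions.

```python
"""Audit who can reach TCP/389 (LDAP) according to an iptables-save dump.
Added example; the rule fragments below are constructed, not taken from Zimbra."""
import ipaddress

# Constructed: INPUT policy ACCEPT and no rule for 389 leaves the directory open to all.
WEAK_RULES = """\
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed: loopback (the server talking to itself) and the assumed LAN 10.0.0.0/8
# may reach 389; any other source hitting 389 is dropped, as is anything unmatched.
HARDENED_RULES = """\
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 389 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

def parse_rule(line):
    """Extract the match flags we simulate from an '-A INPUT ...' line."""
    toks, flags = line.split(), ("-s", "-i", "-p", "--dport", "-j")
    return {t: toks[i + 1] for i, t in enumerate(toks[:-1]) if t in flags}

def input_verdict(rules, src_ip, dport, iface="eth0", proto="tcp"):
    """First matching INPUT rule decides; with no match the chain policy applies."""
    policy, src = "ACCEPT", ipaddress.ip_address(src_ip)
    for line in rules.splitlines():
        if line.startswith(":INPUT"):
            policy = line.split()[1]
        elif line.startswith("-A INPUT"):
            r = parse_rule(line)
            if ("-i" in r and r["-i"] != iface) or ("-p" in r and r["-p"] != proto):
                continue
            if "-s" in r and src not in ipaddress.ip_network(r["-s"], strict=False):
                continue
            if "--dport" in r and int(r["--dport"]) != dport:
                continue
            return r["-j"]
    return policy

def ldap_exposure(rules, lan_ip="10.1.2.3", internet_ip="203.0.113.7"):
    """Verdicts for LDAP from the host itself, an assumed LAN host and an Internet host."""
    return {"localhost": input_verdict(rules, "127.0.0.1", 389, iface="lo"),
            "lan": input_verdict(rules, lan_ip, 389),
            "internet": input_verdict(rules, internet_ip, 389)}
```

    Run `ldap_exposure(HARDENED_RULES)` to confirm the host and LAN still get ACCEPT while the Internet source gets DROP; the weak set returns ACCEPT for all three.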

  4. #4 webman (Special Member, joined Oct 2007, North East England)

    Perhaps this demonstrates the need to emphasize the bare essential ports that are required to be opened to the outside world in the installation documentation? Maybe even a section informing users of the implications if opening other ports?

  5. #5 pcsupport (Active Member, joined Apr 2008)

    389 is now closed on my box.

    Maybe forum users shouldn't be posting their mail server details, or if they do then at least XXXX out the details.

    Anyone want to buy various company users' details? Going cheap to a good home!

    Webman - good answer. How about a ruddy large message in the installation program warning them?

  6. #6 Centurion (Active Member, joined Apr 2007, NSW, Australia)

    Good idea

    webman: This is a good idea. I've installed a number of "bundled" products with similar models to Zimbra. In many cases the installation and/or administration documentation has an entire section on firewall considerations and "hardening". Obviously it can't cover all possible scenarios and network configurations, but a simple "expose this" and "block that" with justifications would be a very helpful tool to admins everywhere.

    Cheers,

    James

  7. #7 jholder (Former Zimbran, joined Oct 2005, Thatcher, AZ)

    Quote Originally Posted by pcsupport:

        389 is now closed on my box.

        Maybe forum users shouldn't be posting their mail server details, or if they do then at least XXXX out the details.

        Anyone want to buy various company users' details? Going cheap to a good home!

        Webman - good answer. How about a ruddy large message in the installation program warning them?

    Sort of a valid point...but that's like saying that we should have to tell users to not have their passwords to Zimbra. Some things are not specific to Zimbra, such is the case with this. Anyone who opens 389 to the world shouldn't be in an admin position anyway.

    We have this: Ports - Zimbra :: Wiki

    With that said, the point that you all raise is still very valid. Although we mention which ports are needed, we don't (in the documentation) mention best practices. Please file a bug under the tech docs area...or feel free to start/edit a wiki page. Free shirt for whoever does this first (creates/edits the wiki page).

  8. #8 Rich Graves (Outstanding Member, joined Jan 2007, Minnesota)

    That's really disingenuous. In fact you tell users in the installation documentation to disable firewalls and SELinux entirely. See for example Zimbra and SElinux Firewall Configuration - Zimbra :: Wiki and the latest official install guide, http://www.zimbra.com/docs/os/latest...stall/#1057019

  9. #9 jholder (Former Zimbran, joined Oct 2005, Thatcher, AZ)

    Quote Originally Posted by Rich Graves:

        That's really disingenuous. In fact you tell users in the installation documentation to disable firewalls and SELinux entirely. See for example Zimbra and SElinux Firewall Configuration - Zimbra :: Wiki and the latest official install guide, http://www.zimbra.com/docs/os/latest...stall/#1057019

    Actually, to clarify, we tell users to disable during installation and to open the necessary ports after installation. During troubleshooting, we might recommend disabling a firewall. This is only for the duration of the install.

    SELinux just plain isn't compatible. But what's new? SELinux has its fans and its detractors. I'm in the latter group with Theodore Ts'o, who is one of the main Linux kernel contributors:

    "SELINUX is so horrible to use, that after wasting a large amount of time enabling it and then watching all of my applications die a horrible death since they didn't have the appropriate hand-crafted security policy, caused me to swear off of it. For me, given my threat model and how much my time is worth, life is too short for SELinux."

    Security, as it were, all comes down to administrator experience. We try to guide in the forums, but it's all in the admin's hands.

    Anyone who would blindly open their firewall because a software vendor said so should be questioning why. Same thing with SELinux. If we suggest disabling it, we (as the software vendor) owe you an explanation why.

    That's the way it works. Nothing replaces admin experience and common sense.
    Last edited by jholder; 05-15-2008 at 06:23 PM.

  10. #10 Bill Brock (Outstanding Member, joined May 2007, Oklahoma)

    Anyone putting any type of machine out on the Internet has the responsibility to secure that machine. They also have the responsibility to educate themselves on such matters.

    Setting up a mail server or any server on the Internet is a HUGE responsibility. And it is the Administrator's responsibility and not the responsibility of his software providers. Zimbra has NO responsibility to teach you security principles.

    I believe way too many people have servers on the Internet that aren't qualified to do so. This is the biggest reason the Internet has become such a dangerous place to be.

    ME THINKS!
