Security and hacking

[Dirk]

I'm familiar with the concepts of firewalls and patching apps when vulnerabilities are found etc, but I couldnt call myself an expect in the subject, so, as zimbra is a package of lots of closely tied programs, I'm led to ask about it's security.

In my implimentation, I have a Zimbra server sat on the LAN, behind a 'Smoothwall' firewall. The firewall port forwards any traffic it sees on port 25 directly to Zimbra, that's the only open port that will allow traffic to hit the zimbra box. External access to users mail has not yet been turned on.

So, for someone to attack the Zimbra box, they would need to come in on port 25 and exploit something in the smtp handling side, or they would need to attack the smoothwall directly to get root and address the zimbra box in anyway they liked then. I've never heard of a smoothwall being compromised and I'm willing to class this possibility and 'impossible'

Which leaves me with just the one question, what risks of an open port 25 are there? Is it possible to gain any form of control of the server via this port? Is there anything I can do to monitor attempts at such actions?

I'm quite sure the answer to all this will be "Nope, it's quite secure and noone else has ever had a problem" but a little discussion will help when my managers see a news article and then come running at me screaming "Our data is at risk! Run for the hills!"

[robbyt]

I'm familiar with the concepts of firewalls and patching apps when vulnerabilities are found etc, but I couldnt call myself an expect in the subject, so, as zimbra is a package of lots of closely tied programs, I'm led to ask about it's security.

In my implimentation, I have a Zimbra server sat on the LAN, behind a 'Smoothwall' firewall. The firewall port forwards any traffic it sees on port 25 directly to Zimbra, that's the only open port that will allow traffic to hit the zimbra box. External access to users mail has not yet been turned on.

So, for someone to attack the Zimbra box, they would need to come in on port 25 and exploit something in the smtp handling side, or they would need to attack the smoothwall directly to get root and address the zimbra box in anyway they liked then. I've never heard of a smoothwall being compromised and I'm willing to class this possibility and 'impossible'

Which leaves me with just the one question, what risks of an open port 25 are there? Is it possible to gain any form of control of the server via this port? Is there anything I can do to monitor attempts at such actions?

I'm quite sure the answer to all this will be "Nope, it's quite secure and noone else has ever had a problem" but a little discussion will help when my managers see a news article and then come running at me screaming "Our data is at risk! Run for the hills!"

postfix (which zimbra uses to listens on p25) is one of the most secure MTAs ever written. who ever connects to this port _can_ gain control actually! but this is intentional that's how other people's mail servers tell your mail server to put messages in your users' inboxes...

but, rhetoric asside, I wouldn't worry about getting hacked by running postfix.

[Dirk]

So postfix is considered safe, which is good, but what about if I open access to the webmail? I've moved the port from 80 to 88, but if I allow all staff to access their mail from anywhere (which would be nice) then what risks does this add?

The webmail uses tomcat, which I've never seen before, I know of apache, and I know that's as secure as the build you are using, but tomcat is new to me. Has anyone ever been hacked from just running a zimbra server with ports 25 and 80 open to the world?

In the long run, I imagine I'll have to open the webmail port only for specific IP addresses, so UserX can access from home and UserY can access from another office etc, it will mean more admin work for us, but the management may feel safer.

This is not a pop at zimbra of course, I'm not trying to pick holes in it, it's just that if there's ever been a problem, then this seems like the place to ask.

[robbyt]

So postfix is considered safe, which is good, but what about if I open access to the webmail? I've moved the port from 80 to 88, but if I allow all staff to access their mail from anywhere (which would be nice) then what risks does this add?

The webmail uses tomcat, which I've never seen before, I know of apache, and I know that's as secure as the build you are using, but tomcat is new to me. Has anyone ever been hacked from just running a zimbra server with ports 25 and 80 open to the world?

In the long run, I imagine I'll have to open the webmail port only for specific IP addresses, so UserX can access from home and UserY can access from another office etc, it will mean more admin work for us, but the management may feel safer.

This is not a pop at zimbra of course, I'm not trying to pick holes in it, it's just that if there's ever been a problem, then this seems like the place to ask.

i can see that you're paranoid, which is good... but i think your paranoia is a bit misdirected...

I might be going out on a limb here, but Linux/Apache/Postfix is one the most secure mainstream Internet server platforms in use today. I bet you could put a fully patched RHEL4 server with zimbra on the Internet for years, without no firewall, and the system would be untouched (provided you use strong passwords)

if you want to secure your server, you should worry more about things like using https, and keeping a good corporate password policy.

Zimbra is not exchange. Perhaps it's arrogant to say, but tomcat getting hacked via exploit is not very probable. Someone might brute-force their way into an email account by guessing the user's password... but then all they have access to is that user's account information.

Even if tomcat DID get hacked via exploit- all that the person would have access to is the information in the /opt/zimbra directory on the server... since zimbra runs as the local "zimbra" user.

Once again, Zimbra is NOT Exchange. If Exchange gets hacked, it's lights out for the entire system.

[Dirk]

That's pretty much what I wanted to hear. Thank you.

As for paranoid, your damn right I am, but only in a good way! It's better to be curious and safe than comfortable and vulnerable, right?

anyway, thanks again.

[Dirk]

In a short while I'll be opening access to the zimbra server, via the firewall infront of it, to port 993 and 88. This will allow external access to the imap for staff to access mail on their mobile phones etc, and to the webmail client.

So, the paranoia starts up again (after all, if it goes rather badly wrong, I'm out of a job!) and I call upon the community for advice:

Is there any form of online penetration test that would be suitable to use? I've not enabled yet the linux firewall on the server, having looked it in the past and found it unintuative. Is it worth learning how it works and enabling it, or will the fact that only three ports (25,88 & 993) can reach the server anyway mean that a local firewall would be redundant?

Well, you get the point, comments advice and abuse welcome

[jholder]

Hi Dirk,

You doubt the security of Linux? nah, just kidding.

Any flaws/Security holes that occur will have to occur in one of zimbra's components.

Currently, there are no known issues.

I would (to be safe) restrict SSH. That seems to be where I get attacked the most, so I just cut off outside access.

I think your pretty safe, tho.

jh

[scottnelson]

For security, I look at two things mainly:

OS patches - up to date?
Mostly looking at kernel updates, and if you are running iptables, selinux, etc.
I test all patches out on a separate test box ( or VMware session ) just in case an OS Patch blows something up.

Application patches - up to date?
clamav up to date? Apache/tomcat on latest version?
Zimbra doesn't have latest versions of these when installed, at least for 3.1.4 ( currently running ). Had to compile and update both.

I also do not run anything else on my mail server except mail related stuff.
No personal/work webserver, DNS or anything else.
Even my squirrel mail ( light web client for Zimbra ) runs on a separate box. ( Well really in a VMware session but you get the idea. )

If you know you are not going to have anyone in foreign countries checking their e-mail, you can go the extra mile like me and not allow IMAP S-IMAP, http, https, etc., etc., access to the server via IP Networks based in other countries.

smtp ( tcp-25 ) I allow from everywhere and tweak via Zimbra spam tools.
Runs postfix so, less worried about that being whacked/compromised than the other stuff.

Also, make it a point to look at the logs at least daily for unusual stuff/entries.

Anyway, my .02 worth. YMMV, disclaimer disclaimer.... ;-)

Scotty

[scottnelson]

Agreed.

I don't allow any SSH from outside my Internal network either.
Good catch. ;-)

Scotty