Zimbra offers Open Source email server software and shared calendar for Linux and the Mac
#1  10-21-2005, 12:24 PM
mikea (Intermediate Member, Posts: 19)
Zimbra Security

Zimbra Gurus,

I've been trying to fine-tune the security on my server and I notice it opens _a lot_ of ports.. most of which are either used only by zimbra, or are redirected via iptables..

Here is my list of ports opened by Zimbra..


Port State Service
25/tcp open smtp
80/tcp open http
110/tcp open pop-3
143/tcp open imap2
389/tcp open ldap
443/tcp open https
993/tcp open imaps
995/tcp open pop3s
3310/tcp open unknown
3784/tcp open unknown
7025/tcp open unknown
7070/tcp open realserver
7071/tcp open unknown
7075/tcp open unknown
7110/tcp open unknown
7143/tcp open unknown
7389/tcp open unknown
7443/tcp open unknown
7993/tcp open unknown
7995/tcp open unknown
8009/tcp open ajp13

My question is.. Can I bind everything that's not actually serving data to the internet to localhost? Does LDAP really need to be open to the world? At the very least, could I block access to these ports via iptables? Do the 70** addresses need to be available to the public, or does the iptables redirect act as a proxy?

What ports does the web application connect to?
#2  10-21-2005, 12:41 PM
Zimbra Employee (Posts: 4,792)

Quote:
Originally Posted by mikea
[port list and questions quoted from post #1 above]
You can restrict lots of ports to be local only if you have a single node install. Many things need to be open in a multi-node install. In those cases we expect you to have a firewall that will open only your SSL service port to the internet.

In general all you need is to open 80/443 for the web, then the rest can be closed off unless you need IMAP/POP external.
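What the reply above amounts to in practice, as an added example that is not from the thread or from Zimbra: a script that prints an iptables-restore ruleset for a single-node host. It opens loopback fully, accepts from the internet only the services in PUBLIC_PORTS, lets one admin network reach ssh and port 7071, and drops everything else (389, 7025, 8009, 3310 and the remaining 70xx listeners) by policy. The REDIRECT map (80 to 7070, 443 to 7443, ...), ADMIN_NET and the use of 7071 as the admin port are assumptions to adjust to the host; port 25 is included because an internet-facing MTA has to receive mail even though the reply does not list it.

```shell
#!/bin/sh
# Added example, not from the thread or from Zimbra: emit an iptables-restore
# ruleset for a single-node install that follows the reply above. Loopback is
# open, only the public services are reachable from outside, everything else
# (389, 7025, 7071, 7389, 8009, 3310, ...) is dropped by the INPUT policy.
# The REDIRECT map, ADMIN_NET and the 7071 admin port are assumptions.

# Services the internet may reach. 25 is needed to receive mail; keep 993/995
# (or 110/143) only if IMAP/POP must be reachable from outside.
PUBLIC_PORTS="${PUBLIC_PORTS:-25 80 443 993 995}"

# public port -> local listener, the kind of REDIRECT the first post mentions
# (assumed mapping; compare with: iptables -t nat -S PREROUTING)
REDIRECTS="${REDIRECTS:-80:7070 443:7443 993:7993 995:7995}"

# Only this network may reach ssh and the 7071 admin port (assumption).
ADMIN_NET="${ADMIN_NET:-10.0.0.0/8}"

# Map a public port to its local listener, or echo it unchanged.
local_listener() {
    for pair in $REDIRECTS; do
        if [ "${pair%%:*}" = "$1" ]; then
            echo "${pair##*:}"
            return 0
        fi
    done
    echo "$1"
}

# Print the complete ruleset. Apply with: zimbra_fw_rules | iptables-restore
zimbra_fw_rules() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    for pair in $REDIRECTS; do
        printf '%s\n' "-A PREROUTING -p tcp --dport ${pair%%:*} -j REDIRECT --to-ports ${pair##*:}"
    done
    printf '%s\n' 'COMMIT'

    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $PUBLIC_PORTS; do
        # REDIRECT runs in nat PREROUTING, before filter INPUT, so INPUT sees the
        # translated port: accept the listener, not the public number.
        printf '%s\n' "-A INPUT -p tcp --dport $(local_listener "$p") -m state --state NEW -j ACCEPT"
    done
    # Management only from the admin network: ssh and the admin console port.
    for p in 22 7071; do
        printf '%s\n' "-A INPUT -s $ADMIN_NET -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# True if the ruleset accepts new connections to PORT from any source.
port_is_public() {
    zimbra_fw_rules | grep -q -e "^-A INPUT -p tcp --dport $1 -m state --state NEW -j ACCEPT\$"
}

zimbra_fw_rules
```

On the question of whether the redirect acts as a proxy: a nat REDIRECT only rewrites the destination port, so a connection to 443 reaches the 7443 listener itself, and the filter table must accept 7443 (local_listener does that). A direct connection to 7443 from outside is therefore accepted too, but it reaches the same service, so nothing extra is exposed. The 70xx ports that back no public service stay closed because the INPUT policy is DROP and nothing accepts them except on loopback.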
#3  10-21-2005, 10:03 PM
graffiti (Loyal Member, Posts: 95)

Can I make my Zimbra-MTA more secure by disallowing AnonymousBind? Some Netfilter/iptables rules will help but I'd love to disallow AnonymousBind by default. As far as I know, the only thing I must do is to reconfigure Postfix, set binddn and bindpassword in /opt/zimbra/conf/*ldap*, right?

-g
#4  10-22-2005, 04:49 AM
Zimbra Employee (Posts: 274)
care to elaborate?

Quote:
Originally Posted by graffiti
[post #3 above quoted in full]
In the zimbra-mta package, postfix can see only public mail routing data - who is in a distribution list, what an alias points to, where the mailbox lives. Do you think even this data must require a bind? If so, go for it - you have to change ldap-*.cf; more importantly you have to modify slapd.conf to make sure that if you don't bind, you don't see anything.

Out of the box, slapd.conf should restrict what you can see without binding. If you see more than you like let us know - it's either a bug or we overlooked something.
#5  10-22-2005, 09:29 AM
graffiti (Loyal Member, Posts: 95)

I installed phpldapadmin on the same machine where Zimbra-LDAP is installed and I can use it to see all Zimbra stuff in ldap anonymously.

I didn't mean to say Postfix needs binding just because it can see ldap data. What I meant to say is, in order to secure Zimbra, we need to disallow AnonymousBind in slapd.conf and therefore we must change the Postfix configuration because currently Postfix uses anonymous binding.

Another security concern is about chrooting zimbra. Can I chroot Postfix, MySQL, Tomcat, OpenLDAP, i.e., put each of them in their own jail? If that's not possible, can we chroot and set /opt/zimbra as their new root? I may hack it myself but it would be great if Zimbra shipped this feature by default.


-g

Last edited by graffiti; 10-22-2005 at 09:40 AM..
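The two changes discussed in posts #4 and #5, as an added example that is not from the thread or from Zimbra: a slapd.conf ACL fragment that gives anonymous clients nothing but the ability to bind, the matching Postfix ldap table with bind_dn/bind_pw set (these are ldap_table(5) parameters), and a check that lists ldap-*.cf files which would still bind anonymously. The bind DN, password, base DN and file names are assumptions, and the two sample tables are constructed here so the check can run offline.

```shell
#!/bin/sh
# Added example, not from the thread or from Zimbra: the two config changes the
# posts above describe (deny anonymous reads in slapd.conf, make Postfix bind
# with credentials in its ldap-*.cf tables) plus a check that finds tables that
# still bind anonymously. The DN, password, base DN and file names are
# assumptions; the sample tables are constructed here for the offline demo.

# slapd.conf fragment: anonymous clients may only use userPassword to bind;
# everything else needs an authenticated session. Merge it with the ACLs
# already in Zimbra's slapd.conf (the first matching "access to" wins), then
# restart slapd.
slapd_acl_fragment() {
    cat <<'EOF'
access to attrs=userPassword
        by anonymous auth
        by self write
        by * none
access to *
        by users read
        by anonymous none
EOF
}

# Postfix side: the same lookup table before (anonymous) and after (bound).
# Constructed samples; the DN and password are placeholders.
write_samples() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ldap-anon.cf" <<'EOF'
server_host = localhost
search_base = dc=example,dc=com
query_filter = (mail=%s)
result_attribute = mail
bind = no
EOF
    cat > "$dir/ldap-bound.cf" <<'EOF'
server_host = localhost
search_base = dc=example,dc=com
query_filter = (mail=%s)
result_attribute = mail
bind = yes
bind_dn = uid=postfix,cn=appaccts,cn=zimbra
bind_pw = replace-me
EOF
}

# Print every ldap-*.cf under DIR that would still bind anonymously:
# "bind = no", or no non-empty bind_dn / bind_pw ("bind = yes" with an
# empty DN is an anonymous simple bind as well).
anonymous_ldap_tables() {
    for f in "$1"/ldap-*.cf; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*bind[[:space:]]*=[[:space:]]*no' "$f" \
           || ! grep -Eq '^[[:space:]]*bind_dn[[:space:]]*=[[:space:]]*[^[:space:]]' "$f" \
           || ! grep -Eq '^[[:space:]]*bind_pw[[:space:]]*=[[:space:]]*[^[:space:]]' "$f"; then
            echo "$f"
        fi
    done
}

# Manual check against a live server (not run here): what an anonymous client
# can read below BASE, i.e. what phpldapadmin showed in post #5. After the ACL
# change this should print nothing.
probe_anonymous() {
    ldapsearch -x -LLL -H "ldap://$1:389" -b "$2" -s sub '(objectClass=*)' dn
}

# Demo on the constructed files in a temp dir.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "tables still binding anonymously:"
anonymous_ldap_tables "$demo_dir"
rm -rf "$demo_dir"
```

Two caveats before doing this on a production node. The bind password ends up in clear text in the ldap-*.cf files on the MTA host, so restrict their permissions to the users that actually read them. And any component that still relies on anonymous reads breaks the moment slapd is restarted; for Postfix a failing table lookup is a temporary error, so mail is deferred rather than bounced, but it is still an outage. "by users read" also hands every authenticated account read access to the whole directory; if only the Postfix account should see routing data, replace it with a by dn.exact="..." read clause for that DN.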