
Thread: Security of Zimbra

  #1 KarstenI (Junior Member, joined Nov 2013)

    Hi all,

    I'm a little bit concerned about the security of Zimbra and hope to get some input on whether I'm completely wrong here or whether there are additional steps to secure Zimbra.

    My initial plan was to have the MTA/proxy in one DMZ and the mailbox server in the internal network. That install went horribly wrong as the appliance installer (it was 8.0.3) kept starting over again and again …

    At the moment I'm running a single-server test install with the 8.0.4 appliance, but if I keep Zimbra I for sure want to go to the split model again (if the NE supports that as well).
    The first security disappointment was the setting of the initial password, where only alphanumerics and hyphens were allowed. So it was not possible to use a really strong password.

    The next disappointment came when running the Qualys SSL scanner against the server. While all my other servers got a grade of "A", this install only got a "C", mainly because of the failed key exchange (Certificate 100, Protocol Support 90, Key Exchange 40 and Cipher Strength 60).

    After reading the release notes I wondered how this could happen. The appliance runs on Ubuntu LTS, and the release notes state that Ubuntu 10.04 is deprecated, so I assumed that Zimbra is based on LTS 12.04. But after looking at the base system I saw that it's still 10.04. Now the 8.0.4 release is already quite old and my other Ubuntu boxes got a couple of security updates which my Zimbra server didn't get. So I assume that my server is sitting on the internet with missing security fixes (of course behind a firewall with only the needed ports (IMAPS, POP3S, SMTP, Submission) opened).

    That leads me to some questions:

    1) Is Zimbra really a security nightmare as I think at the moment?
    2) Am I right that the OS of the appliance is meant to be patched by Zimbra updates and not to be patched manually with aptitude and so on?
    3) Is it allowed to tune the internal config for example for the Apache server?
    4) Or is the usage of the appliance not the way to go if you want to have a secure system?
    5) If point 4 tells me that the normal install is the way to go, are all the base components updated by the operating system, or do I also have to wait until Zimbra releases fixed versions of the software Zimbra needs to run as a server?

    You see, I'm nearly completely lost and I hope that someone can give some hints or best practices on how to setup a secure Zimbra system.


    Thanks in advance, Karsten

  #2 phoenix (Zimbra Consultant & Moderator, Vannes, France, joined Sep 2005)

    Quote Originally Posted by KarstenI
        That leads me to some questions:

        1) Is Zimbra really a security nightmare as I think at the moment?
    No.

    Quote Originally Posted by KarstenI
        2) Am I right that the OS of the appliance is meant to be patched by Zimbra updates and not to be patched manually with aptitude and so on?
    Updates are not provided by Zimbra, you use the package manager to get software updates to the O/S.

    Quote Originally Posted by KarstenI
        3) Is it allowed to tune the internal config, for example for the Apache server?
    Not a good idea.

    Quote Originally Posted by KarstenI
        4) Or is the usage of the appliance not the way to go if you want to have a secure system?
    It's perfectly secure, as far as I'm aware.

    Quote Originally Posted by KarstenI
        5) If point 4 tells me that the normal install is the way to go, are all the base components updated by the operating system, or do I also have to wait until Zimbra releases fixed versions of the software Zimbra needs to run as a server?
    Zimbra releases all the updates for its own software and that's currently as a complete package. If you want the latest greatest operating system then you install your own preferred choice (and that wouldn't be Ubuntu for me) and the most recent version of ZCS.
    Regards


    Bill

  #3 KarstenI (Junior Member, joined Nov 2013)

    Quote Originally Posted by phoenix
        Updates are not provided by Zimbra, you use the package manager to get software updates to the O/S.
    So Zimbra behaves differently than other appliances here, where the whole system is managed by the vendor? But if I have to take care of the OS myself, what is the benefit of the Zimbra appliance if I have the same update model as in a "normal" install (OS and application)?
    But OK, "aptitude" tells me that there are 69 updates available for my 8.0.4 appliance. I just wonder what will happen when the appliance version 8.0.5 is released. I think it's likely that some components will be older there than the ones in the official Ubuntu repository. I'm a little bit afraid about whether the Zimbra updater can handle that correctly.

    Quote Originally Posted by phoenix
        Not a good idea.
    Yes, I thought so. But that also means, for example, that I have to accept that Zimbra uses weak ciphers that I could normally disable on a traditional web server?

    Quote Originally Posted by phoenix
        It's perfectly secure, as far as I'm aware.
    At least for me it's quite obvious that "perfectly secure" is something different … Still, it could be "secure enough", which is what I'm trying to find out.
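A worked check for the cipher question raised in post #1 (a scan grading key exchange 40 and cipher strength 60) and again just above. This is an added example in Python, not code from the thread or from Zimbra: it classifies the suite names a scanner reports (OpenSSL naming, as printed by `openssl ciphers -v`), separates suites that have to go from suites that merely lack forward secrecy, and asks the local OpenSSL which suites a hardened cipher string actually selects. Every name in it (WEAK_PATTERNS, HARDENED_CIPHER_STRING, SAMPLE_OFFERED, classify, is_weak, has_forward_secrecy, audit, verify_policy) is introduced here; SAMPLE_OFFERED is a constructed list, not the poster's scan, and HARDENED_CIPHER_STRING is an illustrative policy, not a Zimbra default.

```python
"""Classify the TLS cipher suites a server offers and check a hardened
cipher string against the local OpenSSL.

Added example for this thread, not Zimbra code. Suite names follow
OpenSSL's naming, i.e. what `openssl ciphers -v` prints."""
import re
import ssl

# A suite matching any of these is one a scanner will mark down.
# Assumption of this example: patterns written against OpenSSL suite
# names; not a list taken from Zimbra or from the scanner.
WEAK_PATTERNS = {
    "export-grade key exchange": re.compile(r"^EXP-|EXPORT"),
    "anonymous key exchange":    re.compile(r"^(ADH|AECDH)-"),
    "no encryption":             re.compile(r"NULL"),
    "RC4":                       re.compile(r"RC4"),
    "single DES":                re.compile(r"(^|-)DES-CBC-(SHA|MD5)$"),
    "3DES":                      re.compile(r"DES-CBC3"),
    "MD5 MAC":                   re.compile(r"-MD5$"),
}

# Illustrative policy: ephemeral (EC)DH only, AES, explicit exclusions.
# Not a Zimbra default or recommendation.
HARDENED_CIPHER_STRING = (
    "ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES"
    ":!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!SRP"
)

# Constructed sample resembling what a default install of that era might
# advertise; not the poster's actual scan result.
SAMPLE_OFFERED = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA",
    "DHE-RSA-AES256-SHA",
    "AES256-SHA",
    "DES-CBC3-SHA",
    "RC4-SHA",
    "RC4-MD5",
    "EDH-RSA-DES-CBC-SHA",
    "DES-CBC-SHA",
    "EXP-EDH-RSA-DES-CBC-SHA",
    "EXP-DES-CBC-SHA",
    "EXP-RC4-MD5",
]


def classify(suite):
    """Return the weaknesses found in one suite name (empty list = fine)."""
    return [name for name, pat in WEAK_PATTERNS.items() if pat.search(suite)]


def is_weak(suite):
    return bool(classify(suite))


def has_forward_secrecy(suite):
    """True for ephemeral (EC)DH suites and for TLS 1.3 suites, whose key
    exchange is always ephemeral."""
    if suite.startswith("TLS_"):
        return True
    return re.match(r"^(ECDHE|DHE|EDH)-", suite) is not None


def audit(offered):
    """Split an offered-suite list into weak suites (with reasons),
    acceptable suites, and acceptable suites lacking forward secrecy."""
    weak = {s: classify(s) for s in offered if is_weak(s)}
    acceptable = [s for s in offered if s not in weak]
    no_fs = [s for s in acceptable if not has_forward_secrecy(s)]
    return {"weak": weak, "acceptable": acceptable, "no_forward_secrecy": no_fs}


def verify_policy(cipher_string):
    """Ask the local OpenSSL which suites a cipher string really selects.
    Raises ssl.SSLError if the string is malformed or selects nothing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    result = audit(SAMPLE_OFFERED)
    for suite, reasons in result["weak"].items():
        print(f"DROP  {suite:32} {', '.join(reasons)}")
    for suite in result["acceptable"]:
        note = "" if has_forward_secrecy(suite) else "  (no forward secrecy)"
        print(f"KEEP  {suite:32}{note}")
    selected = verify_policy(HARDENED_CIPHER_STRING)
    leftovers = [s for s in selected if is_weak(s)]
    print(f"policy selects {len(selected)} suites, {len(leftovers)} of them weak")
```

Export-grade suites and 40- or 56-bit ciphers in the offered list are what typically drags the key-exchange and cipher-strength sub-scores down, and `verify_policy` catches the other common mistake: a cipher string that looks strict but still admits a flagged suite on the OpenSSL build actually in use. On Zimbra such a policy would have to be applied through Zimbra's own configuration rather than by editing the generated proxy or mailstore config files, in line with the advice above not to tune the internal config by hand; which setting carries it is not covered by this thread.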

  #4 quanah (Zimbra Employee, joined May 2007)

    Don't use the appliance.
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc

  #5 KarstenI (Junior Member, joined Nov 2013)

    Quote Originally Posted by quanah
    Don't use the appliance.
    Is that a general advice that it's better to use the "traditional" install, or is it just for the security-minded admins?

  #6 quanah (Zimbra Employee, joined May 2007)

    Quote Originally Posted by KarstenI
    Is that a general advice that it's better to use the "traditional" install, or is it just for the security-minded admins?
    General advice.

  #7 KarstenI (Junior Member, joined Nov 2013)

    Quote Originally Posted by quanah
    General advice.
    Oh, a little bit strange that the appliance is available then. But ok, I'll install the "normal" server and continue with my tests.
