Zimbra

gsilver · #1 (**permalink**) 05-23-2007, 10:29 AM

my friend ran a security audit on my machine and was able to produce the following without any passwords:

Please note that the results below represent only the first 5 entries that could be extracted from the server.

RESULT:
ou: people
objectClass: organizationalRole
cn: people
zimbraMailTransport: lmtp:mail.MYDOMAIN.com:7025
zimbraMailDeliveryAddress: admin@mail.MYDOMAIN.com
sn: admin
zimbraId: e1BLAHc6-BLAH-BLAH-BLAH-3eaBLAH9b41
zimbraMailStatus: enabled
uid: admin
objectClass: organizationalPerson
objectClass: zimbraAccount
objectClass: amavisAccount
cn: admin
zimbraMailHost: mail.MYDOMAIN.com
mail: admin@mail.MYDOMAIN.com
mail: root@mail.MYDOMAIN.com
mail: postmaster@mail.MYDOMAIN.com
zimbraMailAlias: root@mail.MYDOMAIN.com
zimbraMailAlias: postmaster@mail.MYDOMAIN.com
zimbraMailForwardingAddress: MYUSERACCOUNT@MYDOMAIN.com
ou: people
objectClass: organizationalRole
cn: people
ou: people
objectClass: organizationalRole
cn: people

jholder · #2 (**permalink**) 05-23-2007, 10:42 AM

Nope.
We allow anonymous binding to the LDAP server for address book reasons.
Most LDAP servers allow this type of activity, including RedHat Directory Server and Apple Open Directory.

Cheers!
john

gsilver · #3 (**permalink**) 05-23-2007, 10:45 AM

so how do i prevent people from leeching email addresses for spaming?

jholder · #4 (**permalink**) 05-23-2007, 10:48 AM

Anonymous bind mechanism is enabled by default, but can be disabled by specifying "disallow bind_anon" in slapd.conf.in.

I'm not sure of the impact on your server.

As far as SPAM, I don't think it's realistic that you will get SPAM, as it hasn't been an issue for may e-mail providers including us.

jholder · #5 (**permalink**) 05-23-2007, 04:09 PM

Quote:

Originally Posted by jholder

Anonymous bind mechanism is enabled by default, but can be disabled by specifying "disallow bind_anon" in slapd.conf.in.

I'm not sure of the impact on your server.

As far as SPAM, I don't think it's realistic that you will get SPAM, as it hasn't been an issue for may e-mail providers including us.

I've just been informed by our engineering team that if you disable anonymous bind, you will break postfix's LDAP lookups.

There is a bug that we're trying to fix for 5.0 that will remove the need for anon bind: http://bugzilla.zimbra.com/show_bug.cgi?id=15378

john

jholder · #6 (**permalink**) 05-23-2007, 04:32 PM

A better solution would be to simply block access to port 389 either by external firewall, or iptables.

john

dljordaneku · #7 (**permalink**) 12-19-2007, 07:22 PM

Quote:

Originally Posted by jholder

A better solution would be to simply block access to port 389 either by external firewall, or iptables.

john

But would this block access from users in remote areas that are not connected to our LAN? I was wondering about this when I realized that I could read my ldap from my house.

dj

p24t · #8 (**permalink**) 12-20-2007, 05:52 AM

Only if you're trying to use a 3rd party client, and pull LDAP info for your address book. Zimbra's webclient should be able to look it up itself. (correct me if i'm wrong here)

Zimbra

Downloads

Product Information

Toolbox

Why Join?