#1
Old 06-05-2008, 03:50 PM
Member
 
Posts: 10
what ports to open up?

So I just set up ZCS on a firewalled server and have migrated the accounts. I am now ready to start letting clients connect to the server and I want to know which ports I need to forward through my firewall.

I have users who use Linux, Windows, and Mac OS X. I want them all to be able to send and receive email, use the web client, and have access to the global address list. I'd like to limit access to encrypted links only.

So I was planning on opening up the following ports:

25 -- SMTP, for receiving emails from users and inbound email to users
389 -- LDAP, this is the global address list, no?
443 -- HTTPS, SSL encrypted web mail access
993 -- IMAP, SSL encrypted IMAP access

My mac users are going to use the iSync adapter and my windows users are using the outlook adapter. Are there any other ports I need to forward to support those adapters?

Also, what kind of security is there on the LDAP server access? Is it password protected like IMAP and SMTP? Is it safe to expose the LDAP server?

Thanks,
Dave
#3
Old 06-05-2008, 03:59 PM
Member
 
Posts: 10

So if you can't open up 389 to the world how do your clients get global address list access? Do they have to use the iSync and Outlook connectors to synchronize their local contacts list with the one on the server?

What about mobile devices and Linux? I want to be able to tell Evolution where my LDAP directory is. Isn't there a way to password protect it like IMAP and SMTP?

Dave
#4
Old 06-05-2008, 03:59 PM
Member
 
Posts: 10

I should note that our Zimbra server is at a hosted location and is external to our company network.
#5
Old 06-05-2008, 05:03 PM
Moderator
 
Posts: 6,236

Ok, so currently you can connect securely, but you can still connect insecurely - hence the recommendation to prevent at the firewall.

Say you want 389 open but not insecure communication:
See what security level TLS connections make (usually it's 256 - depends on your key strength though), then add security tls=256 to /opt/zimbra/conf/sldapd.conf.in
security ssf=256 would be better to require all communications be 256 enc
security ssf=256 simple_bind=256

Open: Bug 20739 - make force-TLS for LDAP configurable (hook up the ldap_require_tls attribute)

It was going to be 5.0.6, not finished so 5.0.7 that would contain the internal communication lock down: Bug 16601 - Secure Access To LDAP (ldap_starttls_supported and zimbra_require_interprocess_security)

Still open: Bug 15378 - Obviate the need for and disallow LDAP anonymous binds
#6
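A simplified model of how slapd applies the security directive quoted in this post, added here as an illustration (it is not Zimbra's or OpenLDAP's code): it shows which operations a client arriving on port 389 with or without TLS would get past each of the directives above. The function names and the constructed connection parameters are assumptions.

```python
import re

# Factors of the slapd.conf "security" directive handled by this model.
SUPPORTED = ("ssf", "transport", "tls", "sasl", "simple_bind")

def parse_security(line):
    """Parse a slapd.conf line such as 'security ssf=256 simple_bind=256'."""
    m = re.match(r"\s*security\s+(\S.*)$", line)
    if not m:
        raise ValueError("not a security directive: %r" % line)
    req = {}
    for tok in m.group(1).split():
        key, _, val = tok.partition("=")
        if key not in SUPPORTED or not val.isdigit():
            raise ValueError("unsupported factor: %r" % tok)
        req[key] = int(val)
    return req

def check(req, op="search", transport_ssf=0, tls_ssf=0, sasl_ssf=0):
    """Return None if slapd would accept the operation, else its rejection text.

    Simplified from slapd's backend_check_restrictions(): the connection's
    overall SSF is the strongest protection in effect (transport, TLS or
    SASL), and every factor in the directive is an independent minimum.
    The StartTLS extended operation itself is exempt, otherwise a client on
    port 389 could never upgrade to TLS."""
    if op == "starttls":
        return None
    ssf = max(transport_ssf, tls_ssf, sasl_ssf)
    if ssf < req.get("ssf", 0):
        return "confidentiality required"
    if transport_ssf < req.get("transport", 0):
        return "transport confidentiality required"
    if tls_ssf < req.get("tls", 0):
        return "TLS confidentiality required"
    if op == "simple_bind" and ssf < req.get("simple_bind", 0):
        return "confidentiality required"
    if op != "simple_bind" and sasl_ssf < req.get("sasl", 0):
        return "SASL confidentiality required"
    return None

def plaintext_bind_allowed(line):
    """True if a client on 389 that never issues StartTLS can simple-bind."""
    return check(parse_security(line), op="simple_bind") is None

if __name__ == "__main__":
    for line in ("security tls=256", "security ssf=256 simple_bind=256"):
        print(line, "-> plaintext bind allowed:", plaintext_bind_allowed(line))
```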
Old 06-05-2008, 07:30 PM
Member
 
Posts: 10

So there is a way to make LDAP use TLS and require authentication? Is that what you mean by add security tls=256 to /opt/zimbra/conf/sldapd.conf?