Where can I find a reference about the security of Zimbra, especially regarding the security of users' email storage on the server, whether encrypted or not?
I need this to convince my organization to use Zimbra. I am happy to fund if there are other references regarding all Zimbra security.
Do you have more specific questions regarding security?
Email is stored on the server in plain text, not encrypted. If you want to encrypt it, you will have to use a filesystem underneath the mailbox store that will do the encryption.
Then, how does Zimbra store emails? What is stored in a database like MySQL, and what to do with LDAP?
LDAP = Directory and configuration
MySQL = Folder and message metadata
Disk = Actual complete messages, and indexes for mailboxes for searching
Then, where should I start to make my email server completely secure, so that at least we have done what we are supposed to do? Given that the data sent via email is important data, I'm afraid the data will be lost or stolen, either on the server or while the data is being sent.
That's not covered in any kind of Zimbra documentation, since that issue isn't really related to Zimbra specifically. You could extrapolate that to any application you install on a server.
- You need to ensure the server is in a secure facility.
- Encrypt the file-system which Zimbra resides on (Google search file system encryption for your particular operating system to look for options). If your file system is on a SAN, you may have more commercial options.
- Ensure your firewalls are set up to block ports according to Zimbra documentation (see the Administrator's Guide).
None of this addresses the fact that email is in plain-text to the external world. The new version of Zimbra supports S/MIME in the licensed version, so you may want to read up on how S/MIME works. If you enforce S/MIME in your company, then you may not have to worry about file system encryption above.