Security and location of zimbra server

[taisto]

Hi Zimbra Gurus!

I'm hoping that someone can clarify a thing that is puzzling me about deploying zimbra in my network, migrating away from an old squirrelmail installation.

I have some fairly high security requirements on my installation, and the way zimbra works, seems to clash with my preconceptions.

In my mind, to achieve good security, you should:
* Never allow anyone on the internet to send traffic directly to an internal host on your *internal* network, no matter how encrypted.
(If an internal host is hacked, it has access to EVERYTHING)

* You always make sure that traffic enters your internal network through some kind of proxy/relay, located on your DMZ.

* The external hosts on the DMZ can therefore be compromized without allowing those host complete access to internal resources.
(A dmz-hacked host will at least be a little restricted on what it can do toward the internal network)

* Also, you dont put important, sensitive data directly out on the Dmz.

BUT I cant see how I can implement the above rules with Zimbra?

Zimbra wants all the email to be stored locally on the zimbra server, it cant be configured to actually just use imap to fetch the email, and maybe cache in the database.

This seems to tell me that zimbra must be my main mailserver, with all user accounts, and because of that, I either have to :
* Allow all traffic directly from the internet to the zimbra server. ()
* Put my zimbra server, with all my users email accounts, on the DMZ ()

What I *want* is a "zimbra-proxy" on the dmz, and then keep all data on the inside.

I'd appreciate any comments/help you can offer on how I can satisfy my security requirements....

Regards
Taisto

[phoenix]

Quote:

Originally Posted by taisto

What I *want* is a "zimbra-proxy" on the dmz, and then keep all data on the inside.

Have you read the Mulit-Server installation Guide?

[taisto]

Oups!

Not in detail it seems. I have been looking at the architecture pictures but missed the info on built in imap-proxy etc.

However, it still seems that I have to allow http/s directly through to my "Zimbra/message store" right?

Sure, I can proxy http/s as well, but it it means that if zimbra itself is hacked, the hacked machine is standing on the internal lan.....I cant get the ajax-webclient outside on the dmz, if I understand this...rajt?

[hillman]

Version 5.0.6 now has http proxy working. We haven't played with it much yet at our site, but it's there.

We're also running Zimbra behind a firewall out our site, which is working fine.

[Bill Brock]

I have both of my ZCS servers sitting on the Internet.

I'm not sure why people believe a firewall appliance or router provide more protection than the firewall built into Linux. That simply isn't the case. And setting a PC in the DMZ leaves it wide open and therefore needs a firewall exactly like one setting directly on the Internet.

[phoenix]

Quote:

Originally Posted by Bill Brock

I'm not sure why people believe a firewall appliance or router provide more protection than the firewall built into Linux. That simply isn't the case.

The Ultimate Firewall

[Bill Brock]

Thanks for the suggestion. I'm anxious to try it out and see how it works. :-)

[NOZIL]

We are currently having a multi server install (1 mta/ldap + 1 store) in DMZ.

We plan to migrate to 5.0.6 and use zimbra proxy. But i have few questions about it. Excuse me if they are trivial...

Acutally, users from outside, or from our lan, get to zimbra store (in dmz) using the same public address like myzimbraserver.mydomain.com. This zimbra server has a public ip address.

When these 2 servers will be in lan, and a third zimbra proxy in dmz, what about

- the ip addresses of the 2 zimbra servers in lan ?
- the address of the server the users will have to type, when in lan, or when outside (dns ???)
- where am i supposed to put a commercial certificate to have ssl security ? On the proxy ? on the Mailstore ? could these certificates be the same one ?
- ports to open in our firewall to allow traffic from zimbra proxy to zimbra mta and store in lan ?

Thanks for your help on this.

[taisto]

Quote:

Originally Posted by Bill Brock

I have both of my ZCS servers sitting on the Internet.

I'm not sure why people believe a firewall appliance or router provide more protection than the firewall built into Linux. That simply isn't the case. And setting a PC in the DMZ leaves it wide open and therefore needs a firewall exactly like one setting directly on the Internet.

That is NOT a DMZ, thats just a network.
Dmz is(IMHO) a filtered network which will only allow specific traffic to a specific host. Actually I prefer the term SSN, but DMZ is a lot more commonly used so...

Having a service/host directly reachable from the internet, placed on the internal lan, is just plain crazy. (Except when it comes to OpenBSD of course ;-))
If that host is breached it will have access to all internal clients, all internal servers, and be able to do traffic analysis on the internal network, gobbling up every password used by all your users. (Switches are not very tricky to fool)

And that is why I am think that just a http-proxy function is not a good enough solution.
Bugs exist _everywhere_. Anyone who claims otherwise is either mad, stupid, or both.

From a security perspective I must assume that zimbra *might* be hacked.
IF it's hacked, my intuitive estimate is that such a bug will more likely be in the application layer than in the http protocol, and in other words, running an http-proxy will essentially "relay" this bug towards an internal host, and it will be the internal host which is breached, not the http-function on the dmz host.
In other words, http-proxy will not give me any additional security.
If I at least could have run this on OpenBSD

Regards
Taisto

[Bill Brock]

DMZ is setting your computer outside of the firewall. That is what a DMZ is by definition. If you are referring to port forwardind that is another thing.

I have been fortunate enough to work for a regional ISP a few years back and all of their servers, web as well as mail were sitting right on the internet. I guess it's each his own.