Page 1 of 2
Results 1 to 10 of 13

Thread: Security and location of zimbra server

  1. #1
    taisto (New Member)

    Security and location of zimbra server

    Hi Zimbra Gurus!

    I'm hoping that someone can clarify a thing that is puzzling me about deploying Zimbra in my network, migrating away from an old SquirrelMail installation.

    I have some fairly high security requirements on my installation, and the way Zimbra works seems to clash with my preconceptions.

    In my mind, to achieve good security, you should:
    * Never allow anyone on the internet to send traffic directly to an internal host on your *internal* network, no matter how encrypted.
    (If an internal host is hacked, it has access to EVERYTHING.)

    * Always make sure that traffic enters your internal network through some kind of proxy/relay, located on your DMZ.

    * The external hosts on the DMZ can therefore be compromised without allowing those hosts complete access to internal resources.
    (A DMZ-hacked host will at least be a little restricted in what it can do toward the internal network.)

    * Also, you don't put important, sensitive data directly out on the DMZ.

    BUT I can't see how I can implement the above rules with Zimbra.

    Zimbra wants all the email to be stored locally on the Zimbra server; it can't be configured to just use IMAP to fetch the email and maybe cache it in the database.

    This seems to tell me that Zimbra must be my main mail server, with all user accounts, and because of that I either have to:
    * Allow all traffic directly from the internet to the Zimbra server.
    * Put my Zimbra server, with all my users' email accounts, on the DMZ.

    What I *want* is a "zimbra-proxy" on the dmz, and then keep all data on the inside.

    I'd appreciate any comments/help you can offer on how I can satisfy my security requirements....

    Regards
    Taisto

  2. #2
    phoenix (Zimbra Consultant & Moderator, Vannes, France)

    Quote Originally Posted by taisto:
    What I *want* is a "zimbra-proxy" on the dmz, and then keep all data on the inside.

    Have you read the Multi-Server Installation Guide?

    Regards
    Bill

  3. #3
    taisto (New Member)

    Oops!

    Not in detail, it seems. I have been looking at the architecture pictures but missed the info on the built-in IMAP proxy etc.

    However, it still seems that I have to allow HTTP/S directly through to my "Zimbra/message store", right?

    Sure, I can proxy HTTP/S as well, but it means that if Zimbra itself is hacked, the hacked machine is standing on the internal LAN... I can't get the AJAX web client outside on the DMZ, if I understand this... right?

  4. #4
    hillman (Moderator, Vancouver, Canada)

    Version 5.0.6 now has the HTTP proxy working. We haven't played with it much yet at our site, but it's there.

    We're also running Zimbra behind a firewall at our site, which is working fine.
    Steve Hillman
    IT Architect
    Simon Fraser University

  5. #5
    Bill Brock (Outstanding Member, Oklahoma)

    I have both of my ZCS servers sitting on the Internet.

    I'm not sure why people believe a firewall appliance or router provides more protection than the firewall built into Linux. That simply isn't the case. And setting a PC in the DMZ leaves it wide open and therefore needs a firewall exactly like one sitting directly on the Internet.

  6. #6
    phoenix (Zimbra Consultant & Moderator, Vannes, France)

    Quote Originally Posted by Bill Brock:
    I'm not sure why people believe a firewall appliance or router provides more protection than the firewall built into Linux. That simply isn't the case.

    The Ultimate Firewall

    Regards
    Bill

  7. #7
    Bill Brock (Outstanding Member, Oklahoma)

    Thanks for the suggestion. I'm anxious to try it out and see how it works. :-)

  8. #8
    NOZIL (Special Member, Bordeaux, France)

    We currently have a multi-server install (1 MTA/LDAP + 1 store) in the DMZ.

    We plan to migrate to 5.0.6 and use the Zimbra proxy, but I have a few questions about it. Excuse me if they are trivial...

    Actually, users from outside, or from our LAN, get to the Zimbra store (in the DMZ) using the same public address, such as myzimbraserver.mydomain.com. This Zimbra server has a public IP address.

    When these 2 servers are in the LAN, and a third Zimbra proxy is in the DMZ, what about:

    - the IP addresses of the 2 Zimbra servers in the LAN?
    - the address of the server the users will have to type, when in the LAN or when outside (DNS???)
    - where am I supposed to put a commercial certificate to have SSL security? On the proxy? On the mailstore? Could these certificates be the same one?
    - ports to open in our firewall to allow traffic from the Zimbra proxy to the Zimbra MTA and store in the LAN?

    Thanks for your help on this.
    Last edited by NOZIL; 06-13-2008 at 11:31 AM.

  9. #9
    taisto (New Member)

    Dmz != Internet

    Quote Originally Posted by Bill Brock:
    I have both of my ZCS servers sitting on the Internet.

    I'm not sure why people believe a firewall appliance or router provides more protection than the firewall built into Linux. That simply isn't the case. And setting a PC in the DMZ leaves it wide open and therefore needs a firewall exactly like one sitting directly on the Internet.

    That is NOT a DMZ, that's just a network.
    A DMZ is (IMHO) a filtered network which will only allow specific traffic to a specific host. Actually I prefer the term SSN, but DMZ is a lot more commonly used, so...

    Having a service/host directly reachable from the internet, placed on the internal LAN, is just plain crazy. (Except when it comes to OpenBSD of course ;-))
    If that host is breached it will have access to all internal clients, all internal servers, and be able to do traffic analysis on the internal network, gobbling up every password used by all your users. (Switches are not very tricky to fool.)

    And that is why I think that just an HTTP-proxy function is not a good enough solution.
    Bugs exist _everywhere_. Anyone who claims otherwise is either mad, stupid, or both.

    From a security perspective I must assume that Zimbra *might* be hacked.
    IF it's hacked, my intuitive estimate is that such a bug will more likely be in the application layer than in the HTTP protocol; in other words, running an HTTP proxy will essentially "relay" this bug towards an internal host, and it will be the internal host which is breached, not the HTTP function on the DMZ host.
    In other words, an HTTP proxy will not give me any additional security.
    If only I could at least have run this on OpenBSD...

    Regards
    Taisto
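The segmentation rules from post #1 and the "store in DMZ vs. proxy in DMZ" comparison from post #9, written up as a small policy-as-code check. This is an added example, not code from the thread or from Zimbra; zone names, host names and port numbers are assumed placeholders.

```python
# Added example, not code from the thread: the segmentation rules stated in
# post #1 expressed as a check over a list of permitted firewall flows, run
# against the topologies the thread discusses. Zone names, host names and
# port numbers are constructed for illustration, not Zimbra defaults.
from dataclasses import dataclass

ANY = "*"  # wildcard destination host, i.e. an unrestricted rule


@dataclass(frozen=True)
class Flow:
    src_zone: str   # "internet", "dmz" or "lan"
    dst_zone: str
    dst_host: str   # host name, or ANY
    dst_port: int


def violations(flows, data_hosts):
    """Return the rule violations for a set of permitted flows.

    Rules, as the original poster states them:
      1. nothing from the internet terminates directly on a LAN host;
      2. a DMZ host may reach the LAN only through explicit host/port rules;
      3. hosts holding sensitive data (data_hosts) never sit in the DMZ.
    """
    found = []
    for f in flows:
        if f.src_zone == "internet" and f.dst_zone == "lan":
            found.append(f"internet reaches LAN host {f.dst_host}:{f.dst_port}")
        if f.src_zone == "dmz" and f.dst_zone == "lan" and f.dst_host == ANY:
            found.append(f"DMZ may reach any LAN host on port {f.dst_port}")
        if f.dst_zone == "dmz" and f.dst_host in data_hosts:
            found.append(f"sensitive host {f.dst_host} is placed in the DMZ")
    return found


# Constructed topologies (port numbers are placeholders).
STORE_IN_DMZ = [Flow("internet", "dmz", "store", 443),   # NOZIL's current setup
                Flow("internet", "dmz", "mta", 25)]
DIRECT_TO_LAN = [Flow("internet", "lan", "store", 443)]  # port-forward to the store
PROXY_IN_DMZ = [Flow("internet", "dmz", "proxy", 443),   # what taisto asks for
                Flow("internet", "dmz", "proxy", 993),
                Flow("dmz", "lan", "store", 8443),       # proxy -> store, HTTPS
                Flow("dmz", "lan", "store", 7993)]       # proxy -> store, IMAPS
SLOPPY_PROXY = PROXY_IN_DMZ + [Flow("dmz", "lan", ANY, 22)]  # over-broad rule

if __name__ == "__main__":
    for name, flows in [("store in DMZ", STORE_IN_DMZ), ("direct to LAN", DIRECT_TO_LAN),
                        ("proxy in DMZ", PROXY_IN_DMZ), ("sloppy proxy", SLOPPY_PROXY)]:
        print(f"{name}: {violations(flows, {'store'}) or 'OK'}")
```

Only the proxy-in-DMZ layout with host-specific DMZ-to-LAN rules passes all three checks; the over-broad rule shows how a "DMZ" can quietly turn back into the flat network taisto objects to.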

  10. #10
    Bill Brock (Outstanding Member, Oklahoma)

    DMZ is setting your computer outside of the firewall. That is what a DMZ is by definition. If you are referring to port forwarding, that is another thing.

    I was fortunate enough to work for a regional ISP a few years back, and all of their servers, web as well as mail, were sitting right on the internet. I guess it's to each his own.
    Last edited by Bill Brock; 06-16-2008 at 03:47 AM.
