In this guide, we look at how to secure your Zimbra Collaboration Suite on CentOS 7, Debian and Ubuntu servers using firewalld and UFW. If your server runs CentOS 6.x, you can use UFW or raw iptables commands instead; the port numbers remain the same.
Installing UFW on Ubuntu and CentOS
Install UFW on Ubuntu using the commands:
sudo apt-get update && sudo apt-get -y install ufw
For CentOS, the ufw package is available in the EPEL repository; add it and install UFW as below:
sudo yum -y install epel-release
sudo yum makecache fast
sudo yum -y install ufw
Installing Firewalld on CentOS / Fedora / RHEL
If your CentOS installation does not ship with firewalld, install it with:
sudo yum -y install firewalld
Start and enable the firewalld service:
sudo systemctl start firewalld
sudo systemctl enable firewalld
Remember to allow your SSH port first so that you don't lock yourself out.
For Debian, see our separate guide on installing firewalld on Debian.
Configure Zimbra Firewall using UFW
Because of the recent Memcached amplification attacks over UDP, we won't open the Memcached UDP port (11211/udp) on the firewall. We'll only leave the TCP port open, which cannot be abused for these reflection attacks. Read more about the Memcached amplification attack in the reference at the end of this guide.
For UFW, we'll create an application profile called Zimbra. Create the profile file as below:
sudo vim /etc/ufw/applications.d/zimbra
Add the following content:
[Zimbra]
title=Zimbra Collaboration Server
description=Open source server for email, contacts, calendar, and more.
ports=22,25,80,110,143,161,389,443,465,514,587,993,995,7071,8443,11211/tcp
Enable the application profile on UFW:
sudo ufw allow Zimbra
sudo ufw enable
Allow the SSH port as well:
sudo ufw allow ssh
If you make any changes to the Zimbra profile, update it using:
$ sudo ufw app update Zimbra
Rules updated for profile 'Zimbra'
Skipped reloading firewall
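As an added example (not part of the original article), the following shell functions expand a UFW application profile's ports= line into one port/protocol entry per line and audit it for UDP ports. UFW profile syntax allows several groups separated by "|", each a comma-separated port list with an optional /tcp or /udp suffix (no suffix means both protocols). The two profiles embedded below are constructed: the first is the Zimbra profile from this guide, the second is a deliberately bad variant that also opens 11211/udp.

```shell
#!/bin/sh
# Added example: parse and audit a UFW application profile (not from the article).

# Constructed sample: the Zimbra profile from this guide.
ZIMBRA_PROFILE='[Zimbra]
title=Zimbra Collaboration Server
description=Open source server for email, contacts, calendar, and more.
ports=22,25,80,110,143,161,389,443,465,514,587,993,995,7071,8443,11211/tcp'

# Constructed sample: a bad profile that also exposes Memcached over UDP.
BAD_PROFILE='[Zimbra]
title=Zimbra Collaboration Server
description=test profile
ports=22,25,80,443/tcp|11211/udp'

# profile_ports PROFILE_TEXT -> prints one "port/proto" line per opened port.
profile_ports() {
    printf '%s\n' "$1" | awk -F= '
        $1 == "ports" {
            n = split($2, groups, "|")
            for (g = 1; g <= n; g++) {
                spec = groups[g]; proto = "tcp udp"   # no suffix: both protocols
                if (spec ~ /\/(tcp|udp)$/) {
                    split(spec, parts, "/"); spec = parts[1]; proto = parts[2]
                }
                m = split(spec, ports, ",")
                np = split(proto, protos, " ")
                for (i = 1; i <= m; i++)
                    for (p = 1; p <= np; p++)
                        print ports[i] "/" protos[p]
            }
        }'
}

# audit_profile PROFILE_TEXT -> returns 0 if the profile opens no UDP port,
# otherwise prints the offending entries and returns 1.
audit_profile() {
    bad=$(profile_ports "$1" | grep '/udp$' || true)
    if [ -n "$bad" ]; then
        printf 'UDP port(s) opened by profile: %s\n' "$(printf '%s\n' "$bad" | tr '\n' ' ')"
        return 1
    fi
    return 0
}

# Stand-alone demonstration: list the entries, then audit both profiles.
profile_ports "$ZIMBRA_PROFILE"
audit_profile "$ZIMBRA_PROFILE" && echo "Zimbra profile: no UDP ports opened"
audit_profile "$BAD_PROFILE" || echo "BAD_PROFILE rejected"
```

On a live server, feed the real file to the audit with `audit_profile "$(cat /etc/ufw/applications.d/zimbra)"` before running `ufw app update`; a non-zero exit means the profile would open a UDP port, which is exactly what this guide avoids for Memcached.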
For a single-server installation, Memcached is not used outside the local server, so consider binding it to the loopback IP address. Use the commands:
sudo su - zimbra
zmprov ms $(zmhostname) zimbraMemcachedBindAddress 127.0.0.1
zmprov ms $(zmhostname) zimbraMemcachedClientServerList 127.0.0.1
Then restart the Memcached service:
sudo su - zimbra -c "zmmemcachedctl restart"
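To verify that the rebinding above actually took effect, the following added example (not from the article) inspects listening sockets and fails if Memcached's port 11211 is bound to anything other than a loopback address. The two `ss -ltn` outputs embedded below are constructed samples standing in for the "before" and "after" state; on a live server you would pipe the real `ss -ltn` output into the same functions.

```shell
#!/bin/sh
# Added example: check that Memcached listens only on loopback (not from the article).

# Constructed sample: "ss -ltn" output before rebinding (11211 on all interfaces).
SS_BEFORE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      1024         0.0.0.0:11211      0.0.0.0:*
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*'

# Constructed sample: "ss -ltn" output after rebinding to 127.0.0.1.
SS_AFTER='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      1024       127.0.0.1:11211      0.0.0.0:*
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*'

# memcached_listeners SS_OUTPUT -> prints the local address of every TCP
# socket listening on port 11211, one per line (IPv6 addresses keep their [].
memcached_listeners() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]          # port is the last ":" field
        if (port == "11211") { sub(/:[0-9]+$/, "", $4); print $4 }
    }'
}

# memcached_is_local SS_OUTPUT -> returns 0 if every 11211 listener is on a
# loopback address (or there is none), otherwise reports it and returns 1.
memcached_is_local() {
    rc=0
    for addr in $(memcached_listeners "$1"); do
        case "$addr" in
            127.0.0.1|'[::1]') ;;
            *) printf 'Memcached reachable on non-loopback address %s\n' "$addr"; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone demonstration.
memcached_is_local "$SS_BEFORE" || echo "before: Memcached exposed on the network"
memcached_is_local "$SS_AFTER"  && echo "after: Memcached bound to loopback only"
```

As a second check on the Zimbra side, `zmprov gs $(zmhostname) zimbraMemcachedBindAddress` (run as the zimbra user) should print 127.0.0.1 after the change.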
Configure Zimbra Firewall using Firewalld
For firewalld users, first confirm that firewalld is running:
$ sudo firewall-cmd --state
running
If it is not running, start it with:
sudo systemctl start firewalld
Then open the Zimbra ports and services on the firewall:
sudo firewall-cmd --add-service={http,https,smtp,smtps,imap,imaps,pop3,pop3s} --permanent
sudo firewall-cmd --add-port 7071/tcp --permanent
sudo firewall-cmd --add-port 8443/tcp --permanent
Reload the firewalld configuration:
sudo firewall-cmd --reload
You can confirm the runtime settings with:
$ sudo firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client http https imap imaps pop3 pop3s smtp smtps snmp ssh
ports: 7071/tcp 8443/tcp
...
Restricting access to Admin dashboard
It is good practice to restrict access to port 7071 (the Zimbra admin console) to a trusted network or IP address. Note that the Zimbra application profile created above already allows 7071 from any source, and UFW applies the first matching rule, so remove 7071 from the profile's ports= line and update the profile before relying on the source-restricted rules. For UFW, allow a single host or a whole subnet with:
sudo ufw allow from 192.168.1.10 to any port 7071
sudo ufw allow from 192.168.1.0/24 to any port 7071
With firewalld, you can use a rich rule. If you added 7071/tcp with --add-port earlier, remove that port rule first: a port in the zone's port list is accepted from every source, regardless of any rich rule.
sudo firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" \
source address="192.168.1.10/32" port port="7071" protocol="tcp" accept'
sudo firewall-cmd --reload
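The caveat above is easy to verify mechanically. The following added example (not from the article) classifies how the admin port is exposed from the text of `firewall-cmd --list-all`: "any" when the port appears in the zone's ports list (so a source-restricted rich rule is shadowed), "restricted" when it is reachable only through a rich rule with a source address, and "closed" otherwise. The three listings embedded below are constructed samples; the exact `--list-all` layout is the one this guide shows above.

```shell
#!/bin/sh
# Added example: classify admin-port exposure from firewalld output (not from the article).

# Constructed sample: 7071/tcp in the ports list AND a source-restricted rich rule
# (the rich rule is redundant here; the port is open to everyone).
LISTALL_OPEN='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: http https imap imaps pop3 pop3s smtp smtps ssh
  ports: 7071/tcp 8443/tcp
  rich rules:
        rule family="ipv4" source address="192.168.1.10/32" port port="7071" protocol="tcp" accept'

# Constructed sample: port rule removed, only the rich rule remains.
LISTALL_RESTRICTED='public (active)
  target: default
  interfaces: eth0
  services: http https imap imaps pop3 pop3s smtp smtps ssh
  ports: 8443/tcp
  rich rules:
        rule family="ipv4" source address="192.168.1.10/32" port port="7071" protocol="tcp" accept'

# Constructed sample: neither a port rule nor a rich rule for 7071.
LISTALL_CLOSED='public (active)
  target: default
  interfaces: eth0
  services: http https imap imaps pop3 pop3s smtp smtps ssh
  ports: 8443/tcp
  rich rules:'

# admin_port_exposure LISTALL_TEXT [PORT] -> prints "any", "restricted" or "closed".
# PORT defaults to 7071, the Zimbra admin console port.
admin_port_exposure() {
    p=${2:-7071}
    printf '%s\n' "$1" | awk -v port="$p" '
        # Zone port list: any matching entry means open to every source.
        $1 == "ports:" {
            for (i = 2; i <= NF; i++) if ($i == port "/tcp") open_any = 1
        }
        # Rich rule lines: accept + source address + this port = restricted access.
        $1 == "rule" && index($0, "port=\"" port "\"") && index($0, "source address=") && index($0, "accept") {
            restricted = 1
        }
        END {
            if (open_any) print "any"
            else if (restricted) print "restricted"
            else print "closed"
        }'
}

# Stand-alone demonstration.
echo "open listing:       $(admin_port_exposure "$LISTALL_OPEN")"
echo "restricted listing: $(admin_port_exposure "$LISTALL_RESTRICTED")"
echo "closed listing:     $(admin_port_exposure "$LISTALL_CLOSED")"
```

On a live server, run `admin_port_exposure "$(sudo firewall-cmd --list-all)"`; the desired result for 7071 is "restricted". A result of "any" means the port rule still shadows the rich rule and should be removed with `firewall-cmd --permanent --remove-port=7071/tcp` followed by a reload.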
You should now have a secured Zimbra setup.
Ref: https://wiki.zimbra.com/index.php?title=Blocking_Memcached_Attack