One of the first tools an attacker points at a server is a port scanner: it reveals which services are reachable, and the exposed services are then probed for known vulnerabilities. That is why a competent firewall configuration is one of the basic rules of server security. A well-tuned traffic filter does not replace patching and the other controls, but it removes most of the attack surface that a scanner would otherwise find.
Zimbra OSE Firewall Ports
Since Zimbra Open Source uses a large number of network ports, for both external and internal connections, the best approach is an allow list (a "white list") in the firewall rules: the default policy denies every incoming connection, and only the ports required for normal operation are then opened explicitly.
This immediately raises the question every Zimbra administrator faces: which ports must be open, and which must not be exposed at all.
External connection ports:
- 25 SMTP: inbound mail delivered to Postfix by other mail servers
- 80 HTTP: unencrypted access to the Zimbra web client (if kept open, it should only redirect to 443)
- 110 POP3: mail retrieval by clients, unencrypted unless the client negotiates STARTTLS
- 143 IMAP: mailbox access by clients, unencrypted unless the client negotiates STARTTLS
- 443 HTTPS: encrypted access to the Zimbra web client
- 465 SMTPS: authenticated mail submission over implicit TLS (TLS is negotiated immediately on connect). The port was deprecated for years but RFC 8314 reinstated it as the preferred submission port, and many clients still use it
- 587 Submission: authenticated SMTP relay for mail clients; the session starts in clear text and is upgraded with STARTTLS
- 993 IMAPS: mailbox access over implicit TLS
- 995 POP3S: mail retrieval over implicit TLS
Internal connection ports:
As mentioned above, in addition to the external connections, the Zimbra Collaboration Suite performs many internal connections on its own set of ports. When these ports are added to the allow list, make sure they are reachable only from the server itself (and, in a multi-server installation, from the other Zimbra hosts), never from arbitrary clients or from the Internet.
- 389 Port for unencrypted LDAP connections to the directory server
- 636 Port for LDAP over TLS (LDAPS)
- 3310 Port for the ClamAV antivirus daemon
- 7025 Port for local mail delivery from Postfix to mailboxd using the LMTP protocol
- 7047 Port used by the server to convert attachments (conversion service)
- 7071 Port for secure (HTTPS) access to the administrator console
- 7072 Port for the nginx route lookup and authentication service (the proxy asks mailboxd where a user's mailbox lives)
- 7073 Port for the SASL (saslauthd) lookup and authentication service
- 7110 Port for the internal POP3 service behind the proxy
- 7143 Port for the internal IMAP service behind the proxy
- 7171 Port for the Zimbra configuration daemon zmconfigd
- 7306 Port for the MySQL (MariaDB in current releases) database used by mailboxd
- 7780 Port for the spell checker service
- 7993 Port for the internal IMAP over TLS service behind the proxy
- 7995 Port for the internal POP3 over TLS service behind the proxy
- 8080 Port for internal HTTP access to mailboxd behind the proxy
- 8443 Port for internal HTTPS access to mailboxd behind the proxy
- 9071 Admin console port on the nginx proxy. It is used when proxying of the admin console is enabled and the proxy runs on the same host as mailboxd: mailboxd keeps 7071, so the proxy listens on 9071 and the two services do not overlap
- 10024 Port on which Amavis accepts mail from Postfix
- 10025 Port for Amavis to communicate with OpenDKIM
- 10026 Port for configuring Amavis policies
- 10028 Port for Amavis communication with the content filter
- 10029 Port for Amavis delivery to the Postfix archive
- 10032 Port for Amavis communication with the SpamAssassin spam filter
- 11211 Port for memcached (used by the proxy to cache route lookups)
- 23232 Port for internal Amavis services
- 23233 Port for the Amavis snmp-responder
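The allow-list procedure above (deny everything, open the external ports to everyone, open the internal ports only to the host itself and to its Zimbra peers), as an added example that is not part of the original article or of the Zimbra project. It prints an nftables ruleset instead of loading it, so the result can be reviewed before use. The port numbers are the two lists above; the table name, the peer list passed as the first argument, and the MGMT_NET used for SSH (not in the article's lists, but needed so that a default-drop policy does not lock the administrator out) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original article or from the Zimbra project:
# print an nftables ruleset that applies the "deny everything, then allow"
# policy to a Zimbra OSE host.
#
# Port lists are the article's external and internal lists. Everything else is
# an assumption for the example: the table name, MGMT_NET for SSH (port 22 is
# not in the article, but without it a default-drop policy locks you out), and
# the peer addresses passed as the first argument.

EXTERNAL_TCP="25 80 110 143 443 465 587 993 995"
INTERNAL_TCP="389 636 3310 7025 7047 7071 7072 7073 7110 7143 7171 7306 7780 7993 7995 8080 8443 9071 10024 10025 10026 10028 10029 10032 11211 23232 23233"
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"   # assumed management network allowed to SSH in

# zimbra_nft_ruleset PEERS
#   PEERS: comma-separated IPv4 addresses or CIDRs of the other Zimbra hosts
#   ("" on a single-server installation). Writes the ruleset to stdout.
zimbra_nft_ruleset() {
    peers="$1"
    ext=$(printf '%s' "$EXTERNAL_TCP" | tr ' ' ',')
    int=$(printf '%s' "$INTERNAL_TCP" | tr ' ' ',')
    cat <<EOF
flush ruleset
table inet zimbra {
    set peers {
        type ipv4_addr
        flags interval
        elements = { ${peers:-127.0.0.1} }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept
        tcp dport 22 ip saddr $MGMT_NET accept
        tcp dport { $ext } accept
        ip saddr @peers tcp dport { $int } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
EOF
}

# Usage: sh zimbra-nft.sh "10.0.0.2,10.0.0.3" > /etc/nftables.conf && nft -f /etc/nftables.conf
zimbra_nft_ruleset "${1:-}"
```

Load the result with `nft -f` from a console session rather than over SSH alone until the management rule is confirmed to work. If administrators must reach the admin console (7071, or 9071 behind the proxy) from outside the host, add that port to the management-network rule, not to the external list.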
Keep in mind that on a single-server installation you can get away with a minimal set of open ports: the external ports above, with every internal port reachable only from the server itself. If your company has deployed Zimbra across several servers (for example separate LDAP, MTA, mailbox and proxy hosts), the internal ports must also be reachable between those hosts: LDAP (389 or 636) from every server to the LDAP server, LMTP (7025), the nginx and SASL lookup ports (7072, 7073) and the proxy backend ports (7110, 7143, 7993, 7995, 8080, 8443) from the MTA and proxy hosts to the mailbox servers, and the admin port (7071) between the Zimbra servers for management operations. Open them only for the addresses of the other Zimbra hosts. The external ports 25, 80, 110, 143, 443, 465, 587, 993 and 995 still need to be open only on the hosts that actually serve them (the MTA for mail, the proxy or mailbox servers for clients).
Such a set of rules ensures normal communication between the servers. At the same time, the Zimbra administrator must always remember that an internal port exposed to the Internet, LDAP in particular, is a serious threat to the information security of the whole enterprise, because the directory holds every account and much of the server configuration.
Note also that the SMTP, IMAP and POP3 ports should be exposed only when they are really needed. Port 25 must stay reachable from the Internet if the server receives mail from other domains, but the client-facing ports (110, 143, 465, 587, 993, 995) can often be limited to the corporate network or to a VPN tunnel, and the unencrypted 110 and 143 can usually be replaced by their TLS counterparts 993 and 995. Every port that is not exposed is attack surface removed.
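A check worth running before and after applying the firewall rules, as an added example that is not from the original article or the Zimbra project: list which of the internal ports are actually bound to a non-loopback address on the host and therefore depend on the firewall for protection. Many Zimbra services (LDAP, mailboxd on 8080 and 7071) bind to all interfaces by design, so a hit is not a misconfiguration in itself; it is the list of ports that the internal-only rules must cover. The `ss` output embedded below is constructed for the example, and the `--live` flag is the example's own.

```shell
#!/bin/sh
# Added example, not from the original article or the Zimbra project: audit
# which of the article's internal ports are listening on a non-loopback
# address, i.e. which ones rely on the firewall rather than on binding.
# Input format is the output of `ss -H -ltn` (one LISTEN line per socket).

INTERNAL_TCP="389 636 3310 7025 7047 7071 7072 7073 7110 7143 7171 7306 7780 7993 7995 8080 8443 9071 10024 10025 10026 10028 10029 10032 11211 23232 23233"

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
# Java services such as mailboxd bind "*" (all addresses, IPv4 and IPv6).
SAMPLE_SS='LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 50 127.0.0.1:7306 0.0.0.0:*
LISTEN 0 50 0.0.0.0:389 0.0.0.0:*
LISTEN 0 50 *:8080 *:*
LISTEN 0 50 [::]:443 [::]:*
LISTEN 0 50 127.0.0.1:11211 0.0.0.0:*
LISTEN 0 50 [::1]:7171 [::]:*
LISTEN 0 50 *:7071 *:*'

# exposed_internal_ports: read ss lines on stdin, print each internal port that
# is bound to something other than a loopback address, one per line, ascending.
exposed_internal_ports() {
    awk -v internal="$INTERNAL_TCP" '
        BEGIN { n = split(internal, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4                                   # "Local Address:Port" column
            if (!match(addr, /:[0-9]+$/)) next          # split on the last ":"
            port = substr(addr, RSTART + 1)
            host = substr(addr, 1, RSTART - 1)
            if (!(port in want)) next                   # external or unknown port
            if (host ~ /^127\./ || host == "[::1]") next  # loopback only: fine
            if (!(port in seen)) { seen[port] = 1; print port }
        }' | sort -n
}

# exposed_count: number of exposed internal ports for the ss lines on stdin.
exposed_count() {
    exposed_internal_ports | wc -l | tr -d ' '
}

# Usage: sh audit-ports.sh --live   (runs ss on this host)
#        sh audit-ports.sh          (runs against the constructed sample)
main() {
    if [ "$1" = "--live" ]; then
        ss -H -ltn | exposed_internal_ports
    else
        printf '%s\n' "$SAMPLE_SS" | exposed_internal_ports
    fi
}
main "$@"
```

On the sample the script reports 389, 7071 and 8080. Run it on each Zimbra host and compare the list with the firewall's internal-only rule: every port it prints must be covered, or be rebound to 127.0.0.1 where the service allows it.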