Firewall ports in Zimbra

One of the main weapons of modern cybercriminals is the port scanner, which they use to find servers that are susceptible to certain vulnerabilities and then attack them. That is why one of the main rules for ensuring the cyber security of a server is a competent firewall configuration. An optimally tuned network traffic filtering system is able to neutralize most cyber threats without the use of other cybersecurity solutions.

Zimbra OSE Firewall Ports

Since Zimbra Open Source actively uses various network ports for both external and internal system connections, the optimal approach is to create a so-called "white list" in the firewall rules. In practice, the administrator first prohibits any connections to all ports on the server, and then opens only those that are necessary for normal server operation.

At this point, the Zimbra server administrator is invariably faced with the question of which ports should be open and which should not be touched.

External connections ports:

  • 25 Port for incoming mail in postfix
  • 80 Port for unsecured connection to the Zimbra web client
  • 110 Port for receiving mail from a remote server using the POP3 protocol
  • 143 Port for accessing email via IMAP protocol
  • 443 Port for secure connection to the Zimbra web client
  • 465 Deprecated port, but still used since in some cases it is considered safer than 587. It requires SSL on connection
  • 587 Port for SMTP authenticated relay. It usually requires the use of STARTTLS (or opportunistic SSL/TLS)
  • 993 Port for secure access to e-mail using the IMAP protocol
  • 995 Port for secure receipt of mail from a remote server using the POP3 protocol

Internal connections ports:

As already mentioned, in addition to external connections, the Zimbra Collaboration Suite also makes a lot of internal connections, which likewise use various ports. Therefore, when such ports are included in the "white list", it is worth making sure that only local users can connect to them.

  • 389 Port for unsecured LDAP connection
  • 636 Port for secure connection to LDAP
  • 3310 Port for connecting to ClamAV antivirus
  • 7025 Port for local mail exchange using the LMTP protocol
  • 7047 Port used by the server to convert attachments
  • 7071 Port for secure access to the administrator console
  • 7072 Port for discovery and authentication in nginx
  • 7073 Port for SASL discovery and authentication
  • 7110 Port for accessing internal POP3 services
  • 7143 Port for accessing internal IMAP services
  • 7171 Port for accessing the Zimbra configuration daemon zmconfigd
  • 7306 Port for accessing MySQL
  • 7780 Port for accessing the spell checker service
  • 7993 Port for secure access to internal IMAP services
  • 7995 Port for secure access to internal POP3 services
  • 8080 Port for accessing internal HTTP services
  • 8443 Port for accessing internal HTTPS services
  • 9071 Port that can be used when the admin enables nginx support for the admin console and mailboxd is on the same host; so that the two services do not overlap, the mailbox needs to change its port.
  • 10024 Port for Amavis to communicate with Postfix
  • 10025 Port for Amavis to communicate with OpenDKIM
  • 10026 Port for configuring Amavis policies
  • 10028 Port for Amavis communication with content filter
  • 10029 Port for accessing Postfix archives
  • 10032 Port for Amavis communication with SpamAssassin spam filter
  • 23232 Port for accessing internal Amavis services
  • 23233 Port for access to snmp-responder
  • 11211 Port for access to memcached

Multiserver

Keep in mind that if Zimbra is installed on a single server, you can get away with a minimum set of open ports. If, however, your company has installed Zimbra on several servers, then you'll have to open the following ports: 25, 80, 110, 143, 443, 465, 587, 993, 995

Such a set of ports open for connection will ensure normal communication between servers. At the same time, the Zimbra administrator must always remember that, for example, an open port for accessing LDAP is a serious threat to the information security of an enterprise.

SMTP/IMAP/POP3

Please note that SMTP, IMAP and POP ports should be exposed only if really needed, and preferably only through a VPN tunnel, if possible, to reduce the attack surface.
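The "white list" approach described in this article, as an added example that is not part of the original post: a shell function that emits an nftables ruleset with a default-drop policy, opens only the external ports you actually need, and restricts the internal ports to a trusted subnet. The function names, the table name zimbra_filter and the sample subnet are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the article): build an nftables allowlist from the
# article's two port lists. Default policy is drop; everything else is explicit.

# Ports the article lists for external connections.
EXTERNAL_PORTS="25 80 110 143 443 465 587 993 995"
# Ports the article lists for internal connections.
INTERNAL_PORTS="389 636 3310 7025 7047 7071 7072 7073 7110 7143 7171 7306 7780 7993 7995 8080 8443 9071 10024 10025 10026 10028 10029 10032 23232 23233 11211"

# Turn "25 80 443" into "25, 80, 443" for an nftables set literal.
join_ports() {
    # $1 is intentionally unquoted so the shell splits it into words.
    printf '%s, ' $1 | sed 's/, $//'
}

# Succeeds only if every port in $1 is on the article's external list,
# so an internal port (LDAP, admin console, MySQL) is never opened to everyone.
only_external() {
    for p in $1; do
        case " $EXTERNAL_PORTS " in
            *" $p "*) ;;
            *) echo "refusing to expose non-external port $p" >&2; return 1 ;;
        esac
    done
}

# gen_ruleset TRUSTED_NET [EXPOSED_PORTS]
#   TRUSTED_NET   - subnet allowed to reach internal ports (site-specific assumption)
#   EXPOSED_PORTS - subset of EXTERNAL_PORTS really needed (default: all of them)
gen_ruleset() {
    trusted_net="$1"
    exposed="${2:-$EXTERNAL_PORTS}"
    only_external "$exposed" || return 1
    cat <<EOF
table inet zimbra_filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # add a rule for your own management access (e.g. SSH) here
        tcp dport { $(join_ports "$exposed") } accept
        ip saddr $trusted_net tcp dport { $(join_ports "$INTERNAL_PORTS") } accept
    }
}
EOF
}
```

For example, gen_ruleset 192.0.2.0/24 "25 443 465 587" (a constructed subnet and port selection) prints a ruleset that can be syntax-checked with nft -c -f - before it is loaded.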

Comments

23/07/2021 0

Hi Michele, I am confused about that statement: your company has installed Zimbra on several servers, then you’ll have to open the following ports: 25, 80, 110, 143, 443, 465, 587, 993, 995 I have a single server and if I don't open the above ports on my router's Virtual Server, then my Zimbra server cannot receive or send any emails to the internet, so aren't those ports mandatory to open no matter the number of servers? Can you please specify which ones are to be opened on the router's side for a secure communication? Thank you

Matt
28/07/2021 0

Hello @rony, I guess that the goal of the article is to list the ports used by Zimbra and give more details on them, so SysAdmins can properly configure their firewall to block unnecessary connections to some ports. For instance, if you don't use POP3 or IMAP services but only Exchange ActiveSync you can close 110, 143, 993 and 995 ports, or at least block connections from the Internet to those ports. Some firewalls also permit blocking connections from geographical areas, so maybe if you actually use IMAP(S) but your users connect only from Italy you can block connections to those ports from other countries. I suggest checking the ports in the article and evaluating if the relative services are used and where the connections will come from, so you can configure your firewall to reduce the attack surface. Hope this helps.
