How to Properly Set Up Firewalls on Zimbra Servers | Zimbra

Alert! This article is written for Zimbra OSE users. As of December 2023, Synacor will no longer be providing support for Zimbra OSE. You might want to consider trying out Carbonio Community Edition – Zextras’s free and open-source email and collaboration platform.

For additional guidance, check out our community articles detailing the process of migrating from your current platform to Carbonio CE.

A firewall is a network security mechanism that monitors incoming and outgoing network traffic and permits or blocks data packets based on a set of security rules. Its purpose is to establish a barrier between your internal network and incoming traffic from external sources (such as the internet).

Firewalls analyze incoming traffic based on pre-established rules and filter traffic coming from unsecured or suspicious sources to prevent attacks.

In this article, we will discuss firewalls on Zimbra servers, their importance, and see how to set them up to prevent specific attacks.

Firewall in Zimbra Servers

A Zimbra server has a number of listening ports, each serving a different kind of communication. Some must be reachable from the public Internet (mail delivery, webmail over HTTPS) and some are only meant for the local network or for other Zimbra hosts (the cleartext protocols, LDAP, the admin console, LMTP). Out of the box there is no host firewall, so every listening service is reachable from any network the server is attached to, which needlessly widens the attack surface. The fix is to restrict each port to the clients that actually need it.

For example, plain HTTP on port 80 carries logins and mail in cleartext, so Zimbra's guidance is to limit it to the local network; leaving port 80 reachable from the Internet exposes user credentials to anyone on the path and offers attackers one more service to probe.

We will describe the details of various ports later in this article.

How Hackers Exploit Open Ports

A port is just a number in the packet header; what matters is what is listening behind it. If the firewall closes a port, any packet with that destination port is dropped (or rejected with a reset) before it reaches any application.

If the port is not closed, the operating system checks whether a program has bound itself to that port number, such as the web server on port 80 mentioned above. If nothing is listening, the packet is still discarded (for TCP the kernel answers with a reset, which is why a port scanner reports such ports as "closed").

An attacker can only make use of an open port if the program listening on it is exploitable. For example, if a packet arrives for port 80, an application is listening there, and that application can be compromised by sending it specially crafted input, then an attacker who knows about the vulnerability (or runs a tool that does) can take over that program with whatever privileges it runs under. A firewall does not fix the bug, but it removes the attacker's reach to it: a service that is only reachable from the local network can only be attacked from the local network, and a service nobody needs can be blocked entirely.

How to Properly Set Up Firewalls on Zimbra Servers

A host firewall is a cheap and effective layer of defence for a Zimbra server. When setting one up, define a policy for every port Zimbra listens on, so that each port is reachable only from where it is actually needed.

As per Zimbra's official guidelines, the following ports are the standard ones, with the recommended exposure for each:

Service           Port  Proto  Recommended exposure
SMTP              25    TCP    Public
HTTP              80    TCP    Local network only (limit with the firewall)
POP3              110   TCP    Local network only (limit with the firewall)
IMAP              143   TCP    Local network only (limit with the firewall)
LDAP              389   TCP    Local network only (limit with the firewall)
HTTPS             443   TCP    Public
SMTPS             465   TCP    Public
SMTP Submission   587   TCP    Public
IMAPS             993   TCP    Public
POP3S             995   TCP    Public
Admin Interface   7071  TCP    Local network only (limit with the firewall)
SOAP Auth         7073  TCP    Local network only (limit with the firewall)
LMTP              7025  TCP    Local network only (limit with the firewall)

The "local network only" group is the cleartext protocols (HTTP, POP3, IMAP, LDAP), which would otherwise carry credentials unencrypted across the Internet, plus the listeners that only Zimbra components and administrators use (LMTP, the admin console, SOAP auth).

For Ubuntu

To allow unrestricted access from your management subnet xxx.xxx.xxx.xxx/yy (this opens every port on the server to that subnet, so make sure it really is an administrator-only network):

ufw allow from x.x.x.x/y

Then create an application profile in the /etc/ufw/applications.d/zimbra file. ufw profiles are INI-style files and the [Zimbra] section header is required; without it, "ufw allow Zimbra" fails because no profile of that name exists:

[Zimbra]
title=Zimbra Collaboration Server
description=Open source server for email, contacts, calendar, and more.
ports=25,80,110,143,443,465,587,993,995,3443,5222,5223,7071,9071/tcp

and then

ufw allow Zimbra
ufw enable
ufw status

Two caveats. First, this single profile opens every listed port to the whole Internet, including the cleartext HTTP, POP3 and IMAP ports that the table above says should be limited to the local network; if you want the table's policy, split the list into a public and a local-only profile. Second, once enabled, ufw's default policy drops all inbound traffic that is not explicitly allowed, so allow SSH (ufw allow ssh, or better, only from the management subnet) before running ufw enable, or you will lock yourself out of the server.
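The single Zimbra profile above opens the whole port list to everyone. The following script, an added example that is not part of this article or of Zimbra's own tooling, applies the exposure column of the port table instead: it writes two ufw application profiles (Zimbra-Public and Zimbra-Local, names chosen for this example), opens the public set to the world and the local set only to a management subnet, allows SSH from an admin subnet before enabling the firewall, and refuses subnets that are not written as CIDR prefixes. The default profile path, the profile names and the subnets in the usage comment are assumptions; set UFW=echo to print the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original article or from Zimbra): split Zimbra's
# listeners into a public and a local-only ufw profile and apply them.
# Profile names, the default profile path and the subnets are assumptions.

ZIMBRA_PROFILE="${ZIMBRA_PROFILE:-/etc/ufw/applications.d/zimbra}"
UFW="${UFW:-ufw}"   # set UFW=echo to dry-run: prints the commands instead

# Write an INI-style ufw application file with two profiles to the path in $1.
# The [Name] headers are mandatory: without them "ufw allow Name" cannot
# resolve the profile. Port sets follow the exposure column of the port table.
write_zimbra_profiles() {
    cat > "$1" <<'EOF'
[Zimbra-Public]
title=Zimbra Collaboration Server (public)
description=Mail transport and TLS client protocols that the Internet must reach.
ports=25,443,465,587,993,995/tcp

[Zimbra-Local]
title=Zimbra Collaboration Server (local network only)
description=Cleartext protocols and internal listeners: HTTP, POP3, IMAP, LDAP, LMTP, admin console, SOAP auth.
ports=80,110,143,389,7025,7071,7073/tcp
EOF
}

# Refuse anything that is not written as a CIDR prefix, so a bare "10.0.0.1"
# typo cannot silently widen or break a rule.
require_cidr() {
    case "$2" in
        */[0-9]*) ;;
        *) echo "$1 must be a CIDR subnet, got '$2'" >&2; return 1 ;;
    esac
}

# $1 = management subnet allowed to reach the local-only ports,
# $2 = subnet allowed to reach SSH. Order matters: SSH is allowed before the
# firewall is enabled so the session you are working from is not cut off.
apply_zimbra_rules() {
    require_cidr "management subnet" "$1" || return 1
    require_cidr "ssh subnet" "$2" || return 1
    "$UFW" allow from "$2" to any port 22 proto tcp
    "$UFW" default deny incoming
    "$UFW" default allow outgoing
    "$UFW" allow Zimbra-Public
    "$UFW" allow from "$1" to any app Zimbra-Local
    "$UFW" --force enable
    "$UFW" status verbose
}

# Usage as root (addresses are placeholders):
#   write_zimbra_profiles "$ZIMBRA_PROFILE"
#   apply_zimbra_rules 10.0.0.0/24 10.0.0.0/24
```

Run it once with UFW=echo to review the exact rule set before applying it for real; afterwards, ufw status verbose should show the public ports open to Anywhere and the local profile restricted to the management subnet.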

What is a Memcached Attack?

Memcached instances that are reachable from the Internet over UDP were used in early 2018 for a new kind of reflection and amplification DDoS. The attacker sends small requests whose source IP address is spoofed to be the victim's; the exposed memcached server answers those requests, and because a response can be many times larger than the request and is sent to the spoofed address, the victim receives the flood, not the attacker.

UDP makes this possible because it is connectionless: data is exchanged without any handshake, so the server has no way to verify that the source address on a packet is genuine (a TCP three-way handshake would never complete with a spoofed address).

As with any volumetric DDoS, the result is a saturated link or an overloaded server that denies service to genuine users. A Zimbra server can end up on either side: as a victim of the flood, or, if its own memcached answers requests from the Internet, as an unwitting amplifier.

Configure Firewall to Protect Zimbra Servers from Memcached Attacks:

Zimbra's proxy uses memcached, and nothing outside the Zimbra hosts ever needs to reach it. In a single server environment, bind it to the loopback address only, so it cannot be reached from the network at all:

su - zimbra
/opt/zimbra/bin/zmprov ms `zmhostname` zimbraMemcachedBindAddress 127.0.0.1
/opt/zimbra/bin/zmprov ms `zmhostname` zimbraMemcachedClientServerList 127.0.0.1

Restart Memcached (and, if this host also runs the proxy, restart the proxy too, so its generated nginx configuration picks up the new client server list):

zmmemcachedctl restart
zmproxyctl restart

In a multi-server environment the proxy nodes must still reach memcached, so bind it to the internal interface instead and use the firewall to allow the memcached port (11211 by default) only from the other Zimbra hosts. In every case, block that port at the firewall for both TCP and UDP from anything but the addresses that need it, and verify with ss or netstat that the memcached socket is bound where you expect.
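After changing the bind address, verify it. The following shell function, an added example that is not part of this article or of Zimbra, parses the output of ss -lntu and reports every socket on the memcached port that is bound to something other than loopback, for TCP and UDP alike, so a forgotten UDP listener or a wildcard IPv6 bind does not go unnoticed. The port default, the function names and the sample ss lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article or from Zimbra): confirm that
# memcached listens on loopback only. Parses "ss -lntu" output, whose columns
# are Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port, and
# reports every socket on the memcached port bound to a non-loopback address.
# The port default, function names and the sample lines are constructed here.

MEMCACHED_PORT="${MEMCACHED_PORT:-11211}"

# Reads ss lines on stdin and prints "PROTO ADDR" for each exposed listener.
# Returns 0 when every memcached socket is on loopback, 1 when at least one is
# reachable from the network (0.0.0.0, *, [::] or an interface address).
exposed_memcached_listeners() {
    awk -v port="$MEMCACHED_PORT" '
        $1 == "Netid" { next }                 # ss header line
        {
            n = split($5, parts, ":")          # port follows the last colon
            p = parts[n]
            addr = substr($5, 1, length($5) - length(p) - 1)
            if (p != port) next
            if (addr ~ /^127\./ || addr == "[::1]") next
            print $1, addr
            exposed = 1
        }
        END { exit (exposed ? 1 : 0) }
    '
}

# Live check on this host: exit status 1 means memcached is network-reachable.
check_memcached_bind() {
    ss -lntu | exposed_memcached_listeners
}

# Constructed sample output: a wildcard UDP listener, a loopback TCP listener,
# a wildcard IPv6 TCP listener and an unrelated SSH socket.
SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:11211      0.0.0.0:*
tcp   LISTEN 0      1024       127.0.0.1:11211      0.0.0.0:*
tcp   LISTEN 0      1024           [::]:11211         [::]:*
tcp   LISTEN 0      128          0.0.0.0:22          0.0.0.0:*'

# printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_memcached_listeners
# prints "udp 0.0.0.0" and "tcp [::]" and returns 1.
```

On a correctly configured single server, check_memcached_bind prints nothing and returns 0; anything it prints is a listener that the firewall must cover or that the bind address change did not take effect on.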