How to set up a firewall on the server with Zimbra?

    One of the first tools a modern attacker reaches for is a port scanner: it finds hosts with exposed, unpatched or misconfigured services, which are then attacked. That is why correctly configuring the firewall is one of the basic rules of server security. A well-tuned network filter does not replace other security controls, but it removes a large share of the attack surface before any other control has to deal with it.


    Zimbra uses a large number of network ports, both for external connections and for communication between its own components. The sensible approach is therefore an allowlist (a "white list") in the firewall rules: first deny all incoming connections to the server, then open only the ports the server actually needs. At exactly this point the Zimbra administrator runs into the question of which ports must be opened and which should be left closed. Let's look at which ports Zimbra uses and for what, so that you can decide what belongs on your own allowlist.

    For external (client-facing) connections, Zimbra can use up to 12 ports:

    • 25: SMTP, inbound mail delivered to Postfix by other mail servers
    • 80: unencrypted HTTP access to the Zimbra web client
    • 110: POP3, mail clients retrieving mail without encryption
    • 143: IMAP, mail clients accessing mailboxes without encryption
    • 443: HTTPS, secure access to the Zimbra web client
    • 465: SMTPS, mail submission over implicit TLS
    • 587: SMTP submission, authenticated clients sending mail (STARTTLS)
    • 993: IMAPS, secure IMAP access to mailboxes
    • 995: POP3S, secure POP3 retrieval of mail
    • 5222: XMPP client connections
    • 5223: XMPP client connections over TLS
    • 9071: HTTPS access to the administrator console through the Zimbra proxy

    As already mentioned, besides the external connections the Zimbra Collaboration Suite also has many internal connections between its own components, each on its own port. If such ports appear in the allowlist at all, they must be reachable only from the other Zimbra nodes (or from the loopback interface on a single-server installation), never from clients or the Internet.

    • 389: LDAP, unencrypted directory access
    • 636: LDAP over TLS (LDAPS)
    • 3310: ClamAV antivirus daemon (clamd)
    • 5269: XMPP server-to-server connections
    • 7025: LMTP, local delivery of mail from Postfix to the mailbox store
    • 7047: attachment conversion service
    • 7071: administrator console (HTTPS) served directly by the mailbox server; the proxy forwards port 9071 to it
    • 7072: nginx route lookup and authentication handler
    • 7073: SASL authentication lookup
    • 7110: internal (backend) POP3 service behind the proxy
    • 7143: internal IMAP service behind the proxy
    • 7171: zmconfigd, the Zimbra configuration daemon
    • 7306: MySQL, the mailbox metadata database
    • 7780: spell checker
    • 7993: internal IMAP service over TLS
    • 7995: internal POP3 service over TLS
    • 8080: internal HTTP service (mailboxd behind the proxy)
    • 8443: internal HTTPS service (mailboxd behind the proxy)
    • 8735: communication between mailbox servers
    • 8736: Zextras distributed configuration service
    • 10024: Amavis, receiving mail from Postfix for filtering
    • 10025: Amavis communication with OpenDKIM
    • 10026: Amavis policy port
    • 10028: Amavis content filter port
    • 10029: Postfix mail archiving listener
    • 10032: Amavis communication with the SpamAssassin spam filter
    • 11211: memcached
    • 23232: Amavis internal services
    • 23233: snmp-responder

    Note that when Zimbra runs on a single server you can get by with a minimal set of open ports. If Zimbra is installed on several servers in your enterprise, the 14 client-facing ports 25, 80, 110, 143, 443, 465, 587, 993, 995, 3443, 5222, 5223, 7071 and 9071 have to be reachable, and the internal ports listed above (LDAP, LMTP, MySQL and so on) have to be permitted between the Zimbra nodes themselves, from their subnet only. At the same time the Zimbra administrator should always remember that an LDAP port open to the outside is a serious threat to the information security of the enterprise: the directory holds every account and most of the server configuration, and an exposed port 389 invites password guessing and directory enumeration.

    On Ubuntu this can be done with the standard Uncomplicated Firewall (ufw). Once enabled, ufw denies incoming connections by default, which gives us exactly the allowlist behaviour we want. First allow connections from the subnet the internal components and administrators connect from. For example, to allow connections from the local network:
    ufw allow from 192.168.1.0/24
    Be aware that this rule opens every port on the server to that whole subnet, so it should be the subnet of the Zimbra nodes and administrators, not the entire corporate network. Then create the application profile /etc/ufw/applications.d/zimbra (Zimbra does not ship one) with the client-facing ports, in the following form:
    [Zimbra]
    title=Zimbra Collaboration Server
    description=Open source server for email, contacts, calendar, and more.
    ports=25,80,110,143,443,465,587,993,995,3443,5222,5223,7071,9071/tcp
    If the profile already existed and you changed it, run ufw app update Zimbra so that ufw re-reads it. Then three commands apply the changes:
    ufw allow Zimbra
    ufw enable
    ufw status
    Before running ufw enable over SSH, make sure a rule that admits your own SSH session is already in place (the subnet rule above covers it if you log in from that subnet); otherwise the firewall will cut off the session you are working in.
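    To show the allowlist split concretely, here is an added example that is not from the original article or from Zimbra's or ufw's own tooling. It generates a default-deny ufw ruleset in three tiers: client ports from anywhere, the admin console and SSH from an administrator network, and the internal ports only from the subnet shared by the Zimbra nodes. The two network ranges (10.0.1.0/24 and 10.0.5.0/24) are hypothetical. The script prints the ufw commands instead of executing them, so the result can be reviewed before it is run as root.

```shell
#!/bin/sh
# Added example: generate a default-deny ufw ruleset for a Zimbra host.
# Prints the commands instead of running them; review, then run as root.
# Both network ranges are assumptions for the example; replace with your own.
ADMIN_NET="10.0.1.0/24"     # hypothetical: where administrators and SSH come from
ZIMBRA_NODES="10.0.5.0/24"  # hypothetical: subnet shared by the Zimbra nodes

# Client-facing ports (the 14 from the article minus the two admin-console ports)
CLIENT_PORTS="25,80,110,143,443,465,587,993,995,3443,5222,5223"
# Admin console: proxy (9071) and mailboxd (7071), reachable from the admin network only
ADMIN_PORTS="7071,9071"
# Internal ports (LDAP, LMTP, MySQL, Amavis, memcached, ...): Zimbra nodes only
INTERNAL_PORTS="389,636,3310,5269,7025,7047,7072,7073,7110,7143,7171,7306,7780,7993,7995,8080,8443,8735,8736,10024,10025,10026,10028,10029,10032,11211,23232,23233"

# emit_allow SOURCE PORTLIST
# ufw implements comma-separated port lists with iptables' multiport match,
# which accepts at most 15 ports per rule, so long lists are split into
# chunks of 15 and one "ufw allow" line is printed per chunk.
emit_allow() {
    src=$1
    printf '%s\n' "$2" | tr ',' '\n' | xargs -n 15 | tr ' ' ',' |
    while read -r chunk; do
        printf 'ufw allow proto tcp from %s to any port %s\n' "$src" "$chunk"
    done
}

zimbra_ufw_rules() {
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    # SSH first, from the admin network only, so enabling ufw cannot lock us out
    emit_allow "$ADMIN_NET" "22"
    emit_allow "$ADMIN_NET" "$ADMIN_PORTS"
    emit_allow "$ZIMBRA_NODES" "$INTERNAL_PORTS"
    emit_allow "any" "$CLIENT_PORTS"
    echo "ufw --force enable"
    echo "ufw status numbered"
}

# Sanity check: number of rules that open something to the whole Internet.
# For this ruleset it must be exactly one (the client-facing ports).
exposed_rule_count() {
    zimbra_ufw_rules | grep -c 'from any to any'
}

zimbra_ufw_rules
```

    Run the script and read the output; when it matches your network layout, pipe it into sh as root. Rules that admit the internal ports name the Zimbra node subnet explicitly, so memcached (11211) and LDAP (389) are never reachable from an arbitrary source even if the client rule is later widened.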
    Thus, a simple allowlist in the firewall can reliably protect the correspondence stored on your mail server from most attackers. However, you should not rely on the firewall alone when securing a mail server. If attackers gain access to the internal network of your enterprise, or if one of the company's employees turns out to be the attacker, restricting incoming connections is unlikely to help.

    Upd. Particular attention should be paid to port 11211, on which memcached is running. It is the service abused in the "memcrashed" attacks, a popular class of amplification DDoS in which a small request to an exposed memcached server produces a far larger reply directed at the victim. Make sure memcached is bound only to the loopback or an internal interface and is never reachable from the Internet.

    Detailed instructions on how to defend against this attack are available on the official website of the Zimbra Collaboration Suite.
