In this guide, we're going to look at how to secure your Zimbra Collaboration Suite on CentOS 7, Debian and Ubuntu servers using Firewalld and UFW. If your server is running CentOS 6.x, you can use UFW or raw iptables commands instead; the port numbers remain the same.

Installing UFW on Ubuntu and CentOS

Install UFW on Ubuntu using the commands:

sudo apt-get update && sudo apt-get -y install ufw

For CentOS, the ufw package is available from the EPEL repository. Add it as below:

sudo yum -y install epel-release
sudo yum makecache fast
sudo yum -y install ufw

Installing Firewalld on CentOS 7.x

If your CentOS doesn’t ship with firewalld ready, you can install it using the commands:

sudo yum makecache fast
sudo yum -y install firewalld

Start and enable the firewalld service.

sudo systemctl start firewalld
sudo systemctl enable firewalld

Remember to add your SSH port first so that you don't get kicked out.

For Debian, see the guide on installing Firewalld on Debian.

Configure Zimbra Firewall using UFW

Because of recent Memcached amplification attacks over UDP, we won't open the Memcached UDP port (11211/udp) on the firewall. We'll only leave the TCP port open, which is safe from these attacks. Read more about Memcache Major amplification.

For UFW, we're going to create an application profile called Zimbra. Create the profile file as below.

sudo vim /etc/ufw/applications.d/zimbra

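Add the following content. The ports line shown here is an assumption: it lists the TCP ports behind the services opened in the firewalld section of this guide, plus Memcached on 11211/tcp.

[Zimbra]
title=Zimbra Collaboration Server
description=Open source server for email, contacts, calendar, and more.
ports=25,80,110,143,443,465,993,995,7071,8443,11211/tcp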

Allow the app profile and enable UFW:

sudo ufw allow Zimbra
sudo ufw enable

Add ssh port as well.

sudo ufw allow ssh

If you make any changes to the Zimbra profile, update it using:

$ sudo ufw app update Zimbra
Rules updated for profile 'Zimbra'
Skipped reloading firewall

For a single-server installation, Memcached is not used outside the local server. Consider binding it to the loopback IP address. Use the commands:

sudo su - zimbra
zmprov ms "$(zmhostname)" zimbraMemcachedBindAddress 127.0.0.1
zmprov ms "$(zmhostname)" zimbraMemcachedClientServerList 127.0.0.1

Then restart Memcached service.

sudo su - zimbra -c "zmmemcachedctl restart"

Configure Zimbra Firewall using Firewalld

For firewalld users, first confirm that firewalld is running:

$ sudo firewall-cmd --state
running

If it is not running, start it using:

sudo systemctl start firewalld

Then configure Zimbra ports and services on the firewall.

sudo firewall-cmd --add-service={http,https,smtp,smtps,imap,imaps,pop3,pop3s} --permanent
sudo firewall-cmd --add-port 7071/tcp --permanent
sudo firewall-cmd --add-port 8443/tcp --permanent

Reload the firewalld configuration:

sudo firewall-cmd --reload

You can confirm runtime settings using:

$ sudo firewall-cmd --list-all
target: default
icmp-block-inversion: no
services: dhcpv6-client http https imap imaps pop3 pop3s smtp smtps snmp ssh
ports: 7071/tcp  8443/tcp

Restricting access to Admin dashboard

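It is a good practice to always restrict access to port 7071 to a trusted network or IP address. For UFW, this is done using the commands below, where TRUSTED_IP and TRUSTED_NETWORK/PREFIX are placeholders for your own values:

$ sudo ufw allow from TRUSTED_IP to any port 7071
$ sudo ufw allow from TRUSTED_NETWORK/PREFIX to any port 7071

With firewalld, you can use Rich Rules. Replace the TRUSTED_IP placeholder with your trusted source address.

sudo firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="TRUSTED_IP" port protocol="tcp" port="7071" accept'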
sudo firewall-cmd --reload
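
An added example, not part of the original guide: a Bash function that audits `firewall-cmd --list-all` output for the rules configured above. It flags an open 11211/udp, a zone-wide 7071/tcp (which accepts every source, so the rich rule narrows nothing until that port is removed from the zone), a missing SSH entry and missing mail services. The function name, the finding strings and the second sample listing are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): audit `firewall-cmd --list-all`
# output for the Zimbra rules configured above. Reads the listing on stdin,
# prints one finding per line and returns 1 if there is any finding.
audit_zimbra_zone() {
    local listing services ports svc findings=0
    listing="$(cat)"
    # Space-separated values of the zone's "services:" and "ports:" lines.
    services=" $(printf '%s\n' "$listing" | sed -n 's/^[[:space:]]*services:[[:space:]]*//p') "
    ports=" $(printf '%s\n' "$listing" | sed -n 's/^[[:space:]]*ports:[[:space:]]*//p') "
    # Memcached over UDP is the amplification vector and must stay closed.
    case "$ports" in *" 11211/udp "*)
        echo "FAIL 11211/udp is open (memcached amplification)"; findings=1 ;;
    esac
    # A zone-wide 7071/tcp accepts every source, so a rich rule that accepts
    # one trusted address narrows nothing while this entry exists.
    case "$ports" in *" 7071/tcp "*)
        echo "WARN 7071/tcp is open to all sources"; findings=1 ;;
    esac
    # Without SSH allowed, a remote administrator is locked out.
    case "$services$ports" in *" ssh "*|*" 22/tcp "*) ;; *)
        echo "WARN no ssh service or 22/tcp listed"; findings=1 ;;
    esac
    # Mail and web services this guide opens for Zimbra.
    for svc in http https smtp smtps imap imaps pop3 pop3s; do
        case "$services" in *" $svc "*) ;; *)
            echo "MISSING service $svc"; findings=1 ;;
        esac
    done
    return "$findings"
}

# Listing as printed in this guide: 7071/tcp is open zone-wide.
SAMPLE_GUIDE='target: default
icmp-block-inversion: no
services: dhcpv6-client http https imap imaps pop3 pop3s smtp smtps snmp ssh
ports: 7071/tcp  8443/tcp'

# Constructed listing: 7071 only via a rich rule (192.0.2.10 is a
# documentation address), memcached UDP opened by mistake, SSH missing.
SAMPLE_CONSTRUCTED='services: http https imap imaps pop3 pop3s smtp smtps
ports: 8443/tcp 11211/udp
rich rules:
	rule family="ipv4" source address="192.0.2.10" port port="7071" protocol="tcp" accept'

printf '%s\n' "$SAMPLE_GUIDE" | audit_zimbra_zone || true
```

On a live server, pipe the real listing into the function with `sudo firewall-cmd --list-all | audit_zimbra_zone`.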

You should now have a secured Zimbra setup.