(Last Updated On: February 20, 2019)

In this guide, we’re going to look at how to secure your Zimbra collaboration suite on CentOS 7.x and Ubuntu server using firewalld and UFW respectively. If your server runs CentOS 6.x, use UFW or raw iptables commands instead; the port numbers are the same.

Installing UFW on Ubuntu and CentOS

Install UFW on Ubuntu using the commands:

sudo apt-get update && sudo apt-get -y install ufw

For CentOS, the ufw package is available in the EPEL repository. Add the repository and install it as below:

sudo yum -y install epel-release
sudo yum makecache fast
sudo yum -y install ufw

Installing Firewalld on CentOS 7.x

If your CentOS installation does not ship with firewalld already installed, install it using the commands:

sudo yum makecache fast
sudo yum -y install firewalld

Start and enable the firewalld service.

sudo systemctl start firewalld
sudo systemctl enable firewalld

Remember to allow your SSH port first so that you don’t lock yourself out.

Configure Zimbra Firewall using UFW

Because of the recent Memcached amplification attacks that abuse its UDP port, we won’t open the Memcached UDP port (11211/udp) on the firewall. We’ll leave only the TCP port open, which cannot be used for this kind of amplification. See the reference at the end of this guide for more on the Memcached amplification attack.

For UFW, we’re going to create an application profile called Zimbra. Open a new profile file as below:

sudo vim /etc/ufw/applications.d/zimbra

Add the following content:

[Zimbra]
title=Zimbra Collaboration Server
description=Open source server for email, contacts, calendar, and more.
ports=22,25,80,110,143,161,389,443,465,514,587,993,995,7071,8443,11211/tcp

Enable the application profile in UFW:

sudo ufw allow Zimbra
sudo ufw enable

Add the SSH port as well.

sudo ufw allow ssh

If you make any changes to the Zimbra profile, update it using:

$ sudo ufw app update Zimbra
Rules updated for profile 'Zimbra'
Skipped reloading firewall
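As an added check (not part of this guide, nor of ufw or Zimbra themselves), the following Python script parses a profile in the same INI format ufw reads from /etc/ufw/applications.d/ and reports the two things this section cares about: whether the Memcached UDP port 11211 has been opened, and whether the admin console port 7071 sits in a profile that admits every source. The profile text embedded in it is a constructed copy of the one above, and the port sets ADMIN_PORTS and AMPLIFICATION_UDP are this example’s own names. It also handles the port-range (6000:6007) and protocol-less (53 means tcp and udp) forms that ufw accepts, which the profile above does not use.

```python
"""Validate a ufw application profile before loading it with `ufw app update`."""
import configparser
import re

# Constructed copy of the profile from this guide; the checks below run on it.
PROFILE_TEXT = """\
[Zimbra]
title=Zimbra Collaboration Server
description=Open source server for email, contacts, calendar, and more.
ports=22,25,80,110,143,161,389,443,465,514,587,993,995,7071,8443,11211/tcp
"""

# One '|'-separated item of a ports= line: "80,443/tcp", "6000:6007/udp" or "53"
# (no protocol means both tcp and udp, which is how ufw interprets it).
PORT_ITEM = re.compile(
    r"^(?P<list>\d+(?::\d+)?(?:,\d+(?::\d+)?)*)(?:/(?P<proto>tcp|udp))?$"
)

ADMIN_PORTS = {7071}         # Zimbra admin console: allow per trusted source, not world-open
AMPLIFICATION_UDP = {11211}  # memcached over UDP, the reflector discussed above


def parse_profile(text):
    """Return {profile_name: [(port, proto), ...]}; raise ValueError on a bad profile."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    profiles = {}
    for name in cp.sections():
        section = cp[name]
        for key in ("title", "description", "ports"):
            if key not in section:
                raise ValueError(f"[{name}] is missing required key '{key}'")
        entries = []
        for item in section["ports"].split("|"):
            m = PORT_ITEM.match(item.strip())
            if not m:
                raise ValueError(f"[{name}] has a malformed ports item: {item!r}")
            protos = (m.group("proto"),) if m.group("proto") else ("tcp", "udp")
            for spec in m.group("list").split(","):
                lo, _, hi = spec.partition(":")
                lo, hi = int(lo), int(hi or lo)
                if not 1 <= lo <= hi <= 65535:
                    raise ValueError(f"[{name}] has an out-of-range port: {spec}")
                entries.extend((p, proto) for p in range(lo, hi + 1) for proto in protos)
        profiles[name] = entries
    return profiles


def audit_profile(profiles):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    for name, entries in profiles.items():
        seen = set()
        for port, proto in entries:
            if (port, proto) in seen:
                findings.append(f"[{name}] lists {port}/{proto} more than once")
            seen.add((port, proto))
            if proto == "udp" and port in AMPLIFICATION_UDP:
                findings.append(
                    f"[{name}] opens {port}/udp: memcached over UDP is an amplification vector"
                )
            if port in ADMIN_PORTS:
                findings.append(
                    f"[{name}] opens {port}/{proto} (admin console) to every source; "
                    f"allow it per trusted address instead"
                )
    return findings


if __name__ == "__main__":
    for finding in audit_profile(parse_profile(PROFILE_TEXT)):
        print(finding)
```

Run against the profile above it reports only 7071/tcp, which is exactly the port the last section of this guide restricts by source; a profile that also listed 11211/udp would be reported as well.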

For a single-server installation, Memcached is not used from outside the local server, so consider binding it to the loopback IP address. Run the following as the zimbra user (zmhostname is a Zimbra utility that prints the server’s hostname):

su - zimbra
zmprov ms $(zmhostname) zimbraMemcachedBindAddress 127.0.0.1
zmprov ms $(zmhostname) zimbraMemcachedClientServerList 127.0.0.1

Then restart the Memcached service.

su - zimbra -c "zmmemcachedctl restart"

Configure Zimbra Firewall using Firewalld

For firewalld users, first confirm that firewalld is running:

$ sudo firewall-cmd --state
running

If it is not running, start it with:

sudo systemctl start firewalld

Then configure Zimbra ports and services on the firewall.

sudo firewall-cmd --add-service={http,https,smtp,smtps,imap,imaps,pop3,pop3s} --permanent
sudo firewall-cmd --add-port 7071/tcp --permanent
sudo firewall-cmd --add-port 8443/tcp --permanent

Reload the firewalld configuration:

sudo firewall-cmd --reload

You can confirm runtime settings using:

$ sudo firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client http https imap imaps pop3 pop3s smtp smtps snmp ssh
ports: 7071/tcp  8443/tcp
...

Restricting access to Admin dashboard

It is good practice to restrict access to port 7071 (the admin console) to a trusted network or IP address. Note that the Zimbra profile created above already opens 7071 to every source, and UFW evaluates rules in order, so the source-specific rules below only take effect once 7071 is removed from that profile’s ports line and the profile is updated. For UFW, this is done using the commands:

$ sudo ufw allow from 192.168.1.10 to any port 7071
$ sudo ufw allow from 192.168.1.0/24 to any port 7071

With firewalld, you can use a rich rule. The --add-port 7071/tcp entry added earlier opens the port zone-wide to every source, so remove that entry first; otherwise the source restriction in the rich rule has no effect.

sudo firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.1.10/32" port protocol="tcp" port="7071" accept'
sudo firewall-cmd --reload
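The following Python script is an added example (not part of this guide or of firewalld) that audits a firewall-cmd --list-all listing like the one shown earlier, after the admin-port rich rule has been added. It reports the pitfall just described: 7071/tcp still present zone-wide under ports:, which makes the source-restricted rich rule moot. It also checks that at least one accept rich rule limits 7071/tcp to a trusted network. The listing is constructed to mirror what firewall-cmd prints (rich rules appear in firewalld’s canonical port port="N" protocol="P" order, but the parser accepts either attribute order), and TRUSTED_NETS is this example’s assumption, taken from the 192.168.1.0/24 addresses used above.

```python
"""Audit a `firewall-cmd --list-all` listing for how the Zimbra admin port is exposed."""
import ipaddress
import re

# Constructed listing in the shape `firewall-cmd --list-all` prints, reflecting
# the state after the commands in this guide: 7071/tcp is still in `ports:` and a
# rich rule restricts it too, so the zone-wide entry is what should be reported.
LISTING = """\
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client http https imap imaps pop3 pop3s smtp smtps ssh
  ports: 7071/tcp 8443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
\trule family="ipv4" source address="192.168.1.10/32" port port="7071" protocol="tcp" accept
"""

ADMIN_PORT = (7071, "tcp")
# Assumption: the trusted admin network used in this guide's examples.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def parse_listing(text):
    """Split a --list-all listing into (zone, {field: value}, [rich rule strings])."""
    lines = [line for line in text.splitlines() if line.strip()]
    zone = lines[0].split()[0]                    # "public" from "public (active)"
    fields, rich = {}, []
    for line in lines[1:]:
        stripped = line.strip()
        if stripped.startswith("rule "):          # rich rules are printed one per line
            rich.append(stripped)
            continue
        key, _, value = stripped.partition(":")
        fields[key.strip()] = value.strip()
    return zone, fields, rich


def parse_rich_rule(rule):
    """Extract the parts of a rich rule this audit needs, in any attribute order."""
    def attr(pattern):
        m = re.search(pattern, rule)
        return m.group(1) if m else None
    port = attr(r'\bport="(\d+)"')
    return {
        "source": attr(r'source address="([^"]+)"'),
        "port": int(port) if port else None,
        "protocol": attr(r'protocol="(tcp|udp)"'),
        "action": rule.split()[-1],               # accept / reject / drop
    }


def audit_admin_port(text):
    """Return findings about the admin port's exposure; an empty list is the good case."""
    zone, fields, rich = parse_listing(text)
    port, proto = ADMIN_PORT
    port_str = f"{port}/{proto}"
    findings = []
    if port_str in fields.get("ports", "").split():
        findings.append(f"{zone}: {port_str} is open zone-wide under 'ports:', "
                        f"which makes any source-restricted rich rule for it moot")
    restricted = False
    for rule in rich:
        r = parse_rich_rule(rule)
        if r["port"] != port or r["protocol"] != proto or r["action"] != "accept":
            continue
        if r["source"] is None:
            findings.append(f"{zone}: rich rule accepts {port_str} from any source: {rule}")
            continue
        net = ipaddress.ip_network(r["source"], strict=False)
        if any(t.version == net.version and net.subnet_of(t) for t in TRUSTED_NETS):
            restricted = True
        else:
            findings.append(f"{zone}: rich rule admits {port_str} from untrusted {r['source']}")
    if not restricted:
        findings.append(f"{zone}: no accept rich rule limits {port_str} to a trusted source")
    return findings


if __name__ == "__main__":
    for finding in audit_admin_port(LISTING):
        print(finding)
```

Feed it the real output (for example, firewall-cmd --list-all | python3 audit.py with a small change to read stdin) after reloading; once the zone-wide 7071/tcp entry is gone and the rich rule is in place, it returns no findings.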

You should now have a secured Zimbra setup. We have other email-related articles you can take a look at.

Ref: https://wiki.zimbra.com/index.php?title=Blocking_Memcached_Attack

Also check:

How to Restore Zimbra LDAP database from Backup

How to solve Zimbra zmconfigd not running/starting

Install Zextras Suite on Zimbra CentOS 7

Zimbra Multi-Server Installation on CentOS 7

How to Set Secure Password Policy on Zimbra

Configure whitelist and blacklist Zimbra Amavis Spam filtering