(Last Updated On: April 16, 2018)

In this guide, we look at how to secure your Zimbra Collaboration Suite on CentOS 7.x and Ubuntu Server using firewalld and UFW respectively. If your server is running CentOS 6.x, you can use UFW or raw iptables commands instead; the port numbers remain the same.

Installing UFW on Ubuntu and CentOS

Install UFW on Ubuntu using the commands:

$ sudo apt-get update && sudo apt-get -y install ufw

For CentOS, the ufw package is available in the EPEL repository, so add it first as below:

$ sudo yum -y install epel-release
$ sudo yum makecache fast
$ sudo yum -y install ufw

Installing Firewalld on CentOS 7.x

If your CentOS installation doesn't ship with firewalld, you can install it using the commands:

$ sudo yum makecache fast
$ sudo yum -y install firewalld

Start and enable the firewalld service.

$ sudo systemctl start firewalld
$ sudo systemctl enable firewalld

Remember to allow your SSH port first so that you don't get locked out of the server.

Configure Zimbra Firewall using UFW

Because of the recent Memcached amplification attacks, which abuse UDP port 11211, we won't open Memcached's UDP port on the firewall. We'll only leave the TCP port open, which cannot be used for these reflection attacks. See the reference at the end of this guide for more on the Memcached amplification attack.

For UFW, we're going to create an application profile called Zimbra. Create it as below:

$ sudo vim /etc/ufw/applications.d/zimbra

Add the following content:

[Zimbra]

title=Zimbra Collaboration Server
description=Open source server for email, contacts, calendar, and more.
ports=22,25,80,110,143,161,389,443,465,514,587,993,995,7071,11211/tcp

Enable the app profile on UFW:

$ sudo ufw allow Zimbra
$ sudo ufw enable
$ sudo ufw status
Status: active

Add the SSH port as well:

$ sudo ufw allow ssh

If you make any changes to the Zimbra profile, update it using:

$ sudo ufw app update Zimbra
Rules updated for profile 'Zimbra'
Skipped reloading firewall

For a single-server installation, Memcached is not accessed from outside the local server, so consider binding it to the loopback IP address. Use the commands:

$ su - zimbra
$ zmprov ms `zmhostname` zimbraMemcachedBindAddress 127.0.0.1
$ zmprov ms `zmhostname` zimbraMemcachedClientServerList 127.0.0.1

Then restart the Memcached service:

$ su - zimbra -c "zmmemcachedctl restart"
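As an added example (not part of the original guide), here is a small POSIX shell check that confirms the rebind took effect by inspecting `ss -ltn` output: it lists every TCP listener on port 11211 whose bind address is not loopback. The `ss` samples below are constructed, not captured from a real Zimbra host.

```shell
#!/bin/sh
# Audit `ss -ltn` output for a Memcached listener reachable from outside the host.
# Usage on a live server:  ss -ltn | exposed_listeners 11211

# Print the Local Address:Port of every LISTEN socket on the given port
# whose bind address is not 127.0.0.1 or [::1]. Reads ss output from stdin.
exposed_listeners() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      # Column 4 is Local Address:Port, e.g. 0.0.0.0:11211, [::]:11211, 127.0.0.1:11211
      la = $4
      n = split(la, parts, ":")
      p = parts[n]
      addr = substr(la, 1, length(la) - length(p) - 1)
      if (p == port && addr != "127.0.0.1" && addr != "[::1]")
        print la
    }'
}

# Constructed sample: Memcached still bound to all interfaces (IPv4 and IPv6).
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 1024 0.0.0.0:11211 0.0.0.0:*
LISTEN 0 1024 [::]:11211 [::]:*
LISTEN 0 128 127.0.0.1:7025 0.0.0.0:*'

# Constructed sample: same host after zimbraMemcachedBindAddress 127.0.0.1 and a restart.
SAMPLE_SS_FIXED='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 1024 127.0.0.1:11211 0.0.0.0:*
LISTEN 0 128 127.0.0.1:7025 0.0.0.0:*'

# Takes ss output as its argument; returns 0 if Memcached is loopback-only,
# 1 otherwise, printing the exposed sockets.
check_memcached_exposure() {
  out=$(printf '%s\n' "$1" | exposed_listeners 11211)
  if [ -n "$out" ]; then
    echo "Memcached exposed on: $out"
    return 1
  fi
  echo "Memcached bound to loopback only"
  return 0
}

check_memcached_exposure "$SAMPLE_SS"
check_memcached_exposure "$SAMPLE_SS_FIXED"
```

On a live server, pipe the real output in with `ss -ltn | exposed_listeners 11211`; an empty result means nothing outside the host can reach Memcached even if a firewall rule is later misconfigured.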

Configure Zimbra Firewall using Firewalld

For firewalld users, first confirm that firewalld is running:

$ sudo firewall-cmd --state
running

If it is not running, start it with:

$ sudo systemctl start firewalld

Then open the Zimbra services and the admin console port on the firewall:

$ sudo firewall-cmd --add-service={http,https,smtp,smtps,imap,imaps,pop3,pop3s} --permanent
$ sudo firewall-cmd --add-port=7071/tcp --permanent

Reload the firewalld configuration:

$ sudo firewall-cmd --reload

You can confirm the runtime settings using:

$ sudo firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client http https imap imaps pop3 pop3s smtp smtps snmp ssh
ports: 7071/tcp
...

Restricting access to Admin dashboard

It is good practice to restrict access to port 7071 (the admin console) to a trusted network or IP address. Note that the Zimbra profile above already opens 7071 to every source, and UFW applies the first rule that matches, so for the restrictions below to take effect, remove 7071 from the profile's `ports=` line and run `sudo ufw app update Zimbra` first. For UFW, the restriction is then added using:

$ sudo ufw allow from 192.168.1.10 to any port 7071
$ sudo ufw allow from 192.168.1.0/24 to any port 7071

With firewalld, you can use a rich rule:

$ sudo firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.1.10/32" port protocol="tcp" port="7071" accept'
$ sudo firewall-cmd --reload

You should now have a secured Zimbra setup. We have other email-related articles you can take a look at.

Ref: https://wiki.zimbra.com/index.php?title=Blocking_Memcached_Attack