====== Zimbra Firewall ======

FIXME This page could probably use a review and updating.

**Zimbra IP Ports Used**: http://wiki.zimbra.com/wiki/Ports

**Test Your Firewall**: http://scanme.firebind.com/applet.html

:!: Make sure your Zimbra server is working well before implementing a firewall. If something stops working or isn't working properly afterwards, suspect the firewall first.

===== IPTABLES =====

http://wiki.zimbra.com/wiki/Firewall_Configuration

:!: Clustering requires additional ports.

:!: This example was from an older CentOS installation.

<code bash>
iptables -F                                        # Flush current rules
iptables -I INPUT -p tcp --dport 22 -j ACCEPT      # SSH
iptables -I INPUT -p tcp --dport 25 -j ACCEPT      # SMTP
iptables -I INPUT -p tcp --dport 80 -j ACCEPT      # HTTP (for webmail)
iptables -I INPUT -p tcp --dport 110 -j ACCEPT     # POP3
iptables -I INPUT -p tcp --dport 143 -j ACCEPT     # IMAP
iptables -I INPUT -p tcp --dport 443 -j ACCEPT     # HTTPS
iptables -I INPUT -p tcp --dport 465 -j ACCEPT     # SMTPS
iptables -I INPUT -p tcp --dport 587 -j ACCEPT     # MSA (submission)
iptables -I INPUT -p tcp --dport 993 -j ACCEPT     # IMAPS
iptables -I INPUT -p tcp --dport 995 -j ACCEPT     # POP3S
iptables -I INPUT -p tcp --dport 7071 -j ACCEPT    # Port for ZCS Web Administration
/etc/init.d/iptables save                          # Rules persist after reboot
</code>

:!: These rules only add ACCEPT entries. They set no default DROP policy and no rule for established connections, so on a host whose INPUT chain still defaults to ACCEPT they change nothing; review the complete ruleset with ''iptables -L -n'' before relying on it.

===== CSF =====

See also **[[networking:firewall:csf|ConfigServer Security & Firewall (CSF)]]**

http://syslint.com/syslint/how-to-configure-zimbra-csf-the-best-zimbra-firewall-configuration/

:!: Reload or restart CSF and LFD for changes to be activated (''csf -ra'').

==== Postfix ====

**RegEx Tester**: https://www.regex101.com/

**Reference**: https://cloudpro.zone/index.php/2018/03/28/csf-lfd-regular-expressions/

Zimbra uses Postfix, and Postfix is not directly supported by CSF, so a custom regex for LFD (the login failure daemon) is needed. Note that the Postfix log format changes infrequently, but it does change, so a custom regex may only work until the next log format change.
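Because the log format can drift, it is worth keeping a small regression check for the pattern. The Python script below is an added example (it is not part of this page or of CSF). It applies the same pattern that the ''regex.custom.pm'' rule later in this section uses to the two log lines quoted in this section plus two constructed lines, counts failures per source IP the way LFD does, and reports which IPs reached the trigger of 5 together with the block ports and duration from the rule's return values. It also exposes two limits of the pattern as written: a line from the plain ''postfix/smtpd'' service (the port 25 listener) has no sub-name between ''postfix/'' and ''/smtpd'', so the ''postfix\/s.*\/smtpd'' part never matches it, and the capture group accepts only dotted-quad IPv4 addresses. The sample log lines are constructed for this example; the two real ones are the page's own.

```python
import re
from collections import Counter

# Pattern copied from the page's regex.custom.pm rule; Perl and Python regex
# syntax agree for every construct used here.
SASL_FAIL_RE = re.compile(
    r"^\S+\s+\d+\s+\S+ .* postfix\/s.*\/smtpd\[\d+\]: warning: "
    r".*\[(\d+\.\d+\.\d+\.\d+)\]: SASL (LOGIN|PLAIN|login) authentication failed.*"
)

# Values from the page's return tuple: 5 failures, block ports 25,587, for 3600 s.
TRIGGER = 5
BLOCK_PORTS = "25,587"
BLOCK_SECONDS = 3600


def failed_ip(line):
    """Return the offending IP (capture group 1) if the line matches, else None."""
    m = SASL_FAIL_RE.match(line)
    return m.group(1) if m else None


def scan(lines, trigger=TRIGGER):
    """Count matching lines per source IP and return (counts, blocks).

    blocks holds (ip, ports, seconds) for every IP that reached the trigger,
    which is the decision lfd derives from the custom regex's return values.
    """
    counts = Counter()
    for line in lines:
        ip = failed_ip(line)
        if ip:
            counts[ip] += 1
    blocks = [(ip, BLOCK_PORTS, BLOCK_SECONDS)
              for ip, n in counts.items() if n >= trigger]
    return counts, blocks


# Constructed sample: the page's two log lines (the first repeated to pass the
# threshold) followed by two constructed lines the pattern does NOT match.
SAMPLE_LOG = [
    "Oct  2 08:18:04 zimbra3 postfix/submission/smtpd[3670673]: warning: "
    "unknown[93.177.75.130]: SASL LOGIN authentication failed: authentication failure",
] * 5 + [
    "Oct  5 14:27:13 zimbra3 postfix/smtps/smtpd[3656293]: warning: "
    "unknown[102.164.206.139]: SASL PLAIN authentication failed: authentication failure",
    # Constructed: the port 25 smtpd logs as postfix/smtpd (no sub-name), so
    # the "postfix/s.*/smtpd" part of the pattern cannot match this line.
    "Oct  5 14:30:00 zimbra3 postfix/smtpd[3656300]: warning: "
    "unknown[102.164.206.139]: SASL PLAIN authentication failed: authentication failure",
    # Constructed: IPv6 client; the capture group accepts only dotted-quad addresses.
    "Oct  5 14:31:00 zimbra3 postfix/smtps/smtpd[3656301]: warning: "
    "unknown[2001:db8::1]: SASL LOGIN authentication failed: authentication failure",
]

if __name__ == "__main__":
    counts, blocks = scan(SAMPLE_LOG)
    for ip, n in counts.items():
        print(f"{ip}: {n} failure(s)")
    for ip, ports, seconds in blocks:
        print(f"would block {ip} on ports {ports} for {seconds} s")
```

Run it after any Postfix or Zimbra upgrade with a few fresh lines from ''/var/log/mail.log'' pasted into ''SAMPLE_LOG''; if the real lines stop counting, the pattern needs updating before LFD silently stops blocking.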
Consider these lines clipped from ''/var/log/mail.log'':

<code>
Oct 2 08:18:04 zimbra3 postfix/submission/smtpd[3670673]: warning: unknown[93.177.75.130]: SASL LOGIN authentication failed: authentication failure
Oct 5 14:27:13 zimbra3 postfix/smtps/smtpd[3656293]: warning: unknown[102.164.206.139]: SASL PLAIN authentication failed: authentication failure
</code>

Add a custom regex to detect authentication failures (trigger after 5 failures, block ports 25 and 587 for 3600 seconds, i.e. 1 hour):

<code bash>
vim /usr/local/csf/bin/regex.custom.pm
</code>

Insert it in the middle of the file, between the two comment blocks:

<code perl>
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ .* postfix\/s.*\/smtpd\[\d+\]: warning: .*\[(\d+\.\d+\.\d+\.\d+)\]: SASL (LOGIN|PLAIN|login) authentication failed.*/)) {
    return ("Failed SASL login from",$1,"mysaslmatch","5","25,587","3600");
}
</code>

:!: Group 1 (''$1'') matches the offending IP address. The values returned are, in order: the alert text, the IP to block, a name for the match, the number of failures that triggers a block, the ports to block, and the block duration in seconds.

Now edit the CSF configuration so that LFD monitors the proper log file for the new regex:

<code bash>
vim /etc/csf/csf.conf
</code>

Change:

<code>
CUSTOM1_LOG = "/var/log/mail.log"
</code>

==== csf.allow ====

:!: This example is for Ubuntu 20.04 and Zimbra 9.

<code>
###############################################################################
# Copyright 2006-2014, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following IP addresses will be allowed through iptables.
# One IP address per line.
# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24).
# Only list IP addresses, not domain names (they will be ignored)
#
# Advanced port+ip filtering allowed with the following format
# tcp/udp|in/out|s/d=port|s/d=ip
# See readme.txt for more information
#
# Note: IP addresses listed in this file will NOT be ignored by lfd, so they
# can still be blocked. If you do not want lfd to block an IP address you must
# add it to csf.ignore
192.168.1.0/24 # LAN network address
10.1.1.9 # NFS backup server
10.1.1.40 # Manually allowed
78.123.35.134 # Manually allowed
49.312.33.99 # Manually allowed
tcp|in|d=25|s=74.37.170.192/27 # Spam Filter Servers
tcp|in|d=25|s=74.36.242.64/27 # Spam Filter Servers
tcp|in|d=25|s=108.43.201.128/27 # Spam Filter Servers
tcp|in|d=25|s=57.225.140.128/26 # Spam Filter Servers
tcp|in|d=25|s=40.201.66.0/24 # Spam Filter Servers
udp|out|d=53|| # Outbound DNS query with random source port

# Zimbra Zextras Docs Server
tcp|in|d=389|s=98.167.189.29 # Allow LDAP from Zimbra Zextras Docs
tcp|in|d=8443|s=98.167.189.29 # Allow from Zimbra Zextras Docs
tcp|out|d=9980|d=98.167.189.29 # Allow to Zimbra Zextras Docs

# LDAP Testing
tcp|in|d=389|s=192.168.1.46 # Allow LDAP from a workstation
</code>

==== csf.pignore ====

:!: This example is for Ubuntu 20.04 with Zimbra 9.

These entries will minimize Process Tracking false alerts (entries for multiple Zimbra versions are included):

<code>
###############################################################################
# Copyright 2006-2014, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following is a list of executables (exe) command lines (cmd) and
# usernames (user) that lfd process tracking will ignore.
#
# You must use the following format:
#
# exe:/full/path/to/file
# user:username
# cmd:command line
#
# Or, perl regular expression matching (regex):
#
# pexe:/full/path/to/file as a perl regex[*]
# puser:username as a perl regex[*]
# pcmd:command line as a perl regex[*]
#
# [*]You must remember to escape characters correctly when using regex's, e.g.:
# pexe:/home/.*/public_html/cgi-bin/script\.cgi
# puser:bob\d.*
# pcmd:/home/.*/command\s\to\smatch\s\.pl\s.*
#
# It is strongly recommended that you use command line ignores very carefully
# as any process can change what is reported to the OS.
#
# For more information see readme.txt
exe:/usr/lib/courier-imap/bin/pop3d
exe:/usr/lib/courier-imap/bin/imapd
exe:/usr/sbin/pure-ftpd
exe:/usr/local/apache/bin/httpd
exe:/usr/sbin/sshd
exe:/usr/sbin/proftpd
exe:/usr/libexec/dovecot/imap
exe:/usr/libexec/dovecot/pop3
exe:/usr/sbin/named
exe:/usr/sbin/ntpd
exe:/bin/dbus-daemon
exe:/usr/sbin/ntpd
exe:/usr/sbin/exim4
exe:/sbin/ntpd
exe:/usr/libexec/dovecot/pop3
exe:/usr/libexec/dovecot/imap
exe:/usr/local/libexec/dovecot/pop3
exe:/usr/local/libexec/dovecot/pop3-login
exe:/usr/local/libexec/dovecot/imap
exe:/usr/local/libexec/dovecot/imap-login
exe:/usr/lib/postfix/sbin/error
exe:/usr/lib/apt/methods/http
exe:/usr/sbin/rpcbind
exe:/usr/sbin/rpc.statd
exe:/usr/sbin/chronyd
exe:/usr/bin/lsmd
exe:/usr/bin/dbus-daemon
exe:/opt/zimbra/common/libexec/smtp
exe:/opt/zimbra/common/libexec/proxymap
exe:/opt/zimbra/common/libexec/smtpd
exe:/opt/zimbra/common/libexec/postscreen
exe:/opt/zimbra/common/sbin/nginx
exe:/opt/zimbra/common/libexec/showq
exe:/opt/zimbra/common/libexec/trivial-rewrite
exe:/opt/zimbra/common/libexec/anvil
exe:/opt/zimbra/common/libexec/tlsmgr
exe:/opt/zimbra/common/libexec/qmgr
exe:/opt/zimbra/common/libexec/pickup
exe:/opt/zimbra/common/libexec/cleanup
exe:/opt/zimbra/common/libexec/bounce
exe:/opt/zimbra/common/libexec/scache
cmd:/usr/bin/vmstat -n -S K 30
cmd:/usr/lib/polkit-1/polkitd --no-debug
cmd:/bin/bash /opt/zimbra/bin/zmloggerctl status norewrite
cmd:/bin/bash /opt/zimbra/bin/zmconfigdctl start norewrite
cmd:/bin/bash /opt/zimbra/bin/zmopendkimctl status norewrite
cmd:/bin/bash /opt/zimbra/bin/zmstorectl status norewrite
cmd:/usr/bin/perl /opt/zimbra/libexec/zmlogger
cmd:zmlogger: zmrrdfetch: server
cmd:lmtp -t unix -u
cmd:/opt/zimbra/java/bin/java -version
cmd:/usr/bin/perl /opt/zimbra/libexec/zmlogprocess
cmd:/usr/bin/perl /opt/zimbra/bin/zmcontrol status
cmd:/usr/bin/perl /opt/zimbra/libexec/zmstatuslog
cmd:/usr/bin/python -S /usr/lib/mailman/cron/gate_news
cmd:/usr/bin/perl -T -w /opt/zimbra/zimbramon/bin/sa-update -v --allowplugins --refreshmirrors
cmd:/usr/bin/perl -T -w /opt/zimbra/common/bin/sa-update -v --allowplugins --refreshmirrors
cmd:/opt/zimbra/common/bin/httpd -k start -f /opt/zimbra/conf/httpd.conf
cmd:/opt/zimbra/common/sbin/clamd --config-file=/opt/zimbra/conf/clamd.conf
cmd:/usr/bin/perl -T /opt/zimbra/common/sbin/amavis-services msg-forwarder
cmd:/usr/bin/perl -T /opt/zimbra/common/sbin/amavis-services childproc-minder
cmd:/usr/bin/perl -T /opt/zimbra/common/sbin/amavis-services snmp-responder
cmd:/usr/bin/perl -T /opt/zimbra/common/sbin/amavis-mc
cmd:nginx: worker process
cmd:nginx: master process /opt/zimbra/common/sbin/nginx -c /opt/zimbra/conf/nginx.conf
cmd:/opt/zimbra/common/sbin/unbound
cmd:/opt/zimbra/common/bin/mdb_stat -e /opt/zimbra/data/ldap/mdb/db
cmd:/opt/zimbra/common/libexec/slapd -l LOCAL0 -u zimbra -h ldap://zimbra.virtualarchitects.com:389 ldapi:/// -F /opt/zimbra/data/ldap/config
cmd:/opt/zimbra/common/sbin/saslauthd -r -a zimbra
cmd:/opt/zimbra/common/sbin/opendkim -x /opt/zimbra/conf/opendkim.conf -u zimbra
cmd:/opt/zimbra/common/libexec/scache
cmd:/opt/zimbra/common/bin/java -version
cmd:/bin/bash /opt/zimbra/bin/zmhostname
cmd:/bin/bash /opt/zimbra/bin/zmlocalconfig -m nokey zimbra_server_hostname
cmd:/bin/bash /opt/zimbra/bin/zmantispamctl status
cmd:/bin/bash /opt/zimbra/bin/zmmilterctl status
cmd:/usr/bin/redis-server 127.0.0.1:0
cmd:/usr/sbin/rsyslogd -n -iNONE
cmd:(sd-pam)
cmd:/usr/sbin/atd -f
cmd:/lib/systemd/systemd-timesyncd
cmd:/lib/systemd/systemd-networkd
cmd:/lib/systemd/systemd --user
cmd:/bin/bash /opt/zimbra/bin/zmmtactl status norewrite
pcmd:/usr/bin/perl /opt/zimbra/libexec/auditswatch.*
pcmd:sh -c /opt/zimbra/bin/zmantivirusctl.*
pcmd:/bin/bash /opt/zimbra/bin/zmantivirusctl.*
pcmd:/usr/bin/perl -T -w /opt/zimbra/libexec/sa-learn.*
pcmd:/bin/bash /opt/zimbra/bin/zmjava.*
pcmd:/bin/bash /opt/zimbra/bin/zmlocalconfi.*
pcmd:/usr/bin/perl /opt/zimbra/libexec/zmdailyreport.*
pcmd:/bin/bash -c /opt/zimbra/libexec/zmlogprocess.*
pcmd:/bin/bash /opt/zimbra/bin/zxsuite backup.*
pcmd:sh -c /opt/zimbra/bin/zmantispamct.*
pcmd:/bin/bash /opt/zimbra/bin/zmantispamct.*
pcmd:/usr/bin/iostat -d -k.*
pcmd:/usr/bin/perl -w /opt/zimbra/libexec/zmstat-.*
pcmd:/usr/bin/perl -T -w /opt/zimbra/common/bin/sa-lear.*
pcmd:/usr/bin/perl -T /opt/zimbra/common/sbin/amavisd -X no_conf_file_writable_check.*
pcmd:/opt/zimbra/libexec/logswatch --config-file=/opt/zimbra.*
pcmd:/bin/sh /opt/zimbra/common/bin/mysqld_safe --defaults-file=/opt.*
pcmd:/opt/zimbra/common/sbin/mysqld --defaults-file=/opt.*
pcmd:/opt/zimbra/common/sbin/amavis.*
pcmd:/opt/zimbra/java/bin/java -client -Xmx256m -Djava.net.preferIPv4Stack=true.*
pcmd:/opt/zimbra/java/bin/java -client -Xmx256m -Dzimbra.home=/opt/zimbra.*
pcmd:/opt/zimbra/java/bin/java -Dfile.encoding=UTF-8 -server -Djava.awt.headless=true.*
pcmd:/opt/zimbra/java/bin/java -client -cp /opt/zimbra/lib/jars.*
pcmd:/opt/zimbra/common/lib/jvm/java/bin/java -XX:ErrorFile.*
pcmd:/opt/zimbra/common/lib/jvm/openjdk-11.0.2-zimbra/bin/java.*
pcmd:/usr/bin/perl /opt/zimbra/libexec/swatch --config-file=/opt/zimbra/conf/swatchrc.*
pcmd:/usr/bin/perl /opt/zimbra/data/tmp/.swatch_script.*
pcmd:/bin/bash /opt/zimbra/bin/zmconfigdctl .*
pcmd:/bin/bash -c /opt/zimbra/libexec/zmstatuslog .*
pcmd:/usr/bin/perl /opt/zimbra/data/tmp/.swatchdog_scrip.*
pcmd:/usr/bin/perl /opt/zimbra/common/bin/swatchdog.*
pcmd:/bin/bash -c find /opt/zimbra.*
pcmd:/opt/zimbra/common/bin/swatchdog --config-file=/opt/zimbra/conf/logswatchrc.*
pcmd:/opt/zimbra/common/bin/rotatelogs /opt/zimbra/log/httpd.*
pcmd:/opt/zimbra/common/bin/freshclam --config-file=/opt/zimbra/conf/freshclam.*
pcmd:/opt/zimbra/common/bin/keytool -export -file /opt/zimbra/mailboxd/etc/mailboxd.*
pcmd:/opt/zimbra/common/bin/java -client -cp /opt/zimbra/lib/jars/zimbracommon.*
pcmd:/opt/zimbra/common/bin/java -Dfile.encoding=UTF-8 -server -D.*
pcmd:/opt/zimbra/common/bin/memcached -d -P /opt/zimbra/log/memcached.pid.*
pexe:/opt/zimbra/postfix-.*/libexec/lmtp
pexe:/opt/zimbra/postfix-.*/libexec/smtpd
pexe:/opt/zimbra/postfix-.*/libexec/proxymap
pexe:/opt/zimbra/httpd-.*/bin/rotatelogs
pexe:/opt/zimbra/httpd-.*/bin/httpd
pexe:/opt/zimbra/cyrus-sasl-.*/sbin/saslauthd
pexe:/opt/zimbra/postfix-.*/libexec/showq
pexe:/opt/zimbra/unbound-.*/sbin/unbound
pexe:/opt/zimbra/memcached-.*/bin/memcached
pexe:/opt/zimbra/clamav-.*/sbin/clamd
pexe:/opt/zimbra/openldap-.*/sbin/slapd
pexe:/opt/zimbra/nginx-.*/sbin/nginx
pexe:/opt/zimbra/postfix-.*/libexec/smtp
pexe:/opt/zimbra/common/libexec/smtp.*
pexe:/opt/zimbra/common/lib/jvm/openjdk-.*
pexe:/opt/zimbra/common/libexec/slapd.*
</code>

==== csf.conf ====

Use this command to compare the stock and modified ''csf.conf'' files; it prints only the lines that differ in the modified file, with comment lines filtered out:

<code bash>
diff --unchanged-line-format= --old-line-format= --new-line-format='%L' /usr/local/csf/profiles/reset_to_defaults.conf /etc/csf/csf.conf | grep -v \#
</code>

:!: This example is for Ubuntu 20.04 with Zimbra 9.
<code>
TESTING = "0"
RESTRICT_SYSLOG = "3"
TCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995,2222,7071,10000:10010,20000,24441,59000:59999"
TCP_OUT = "22,25,53,80,110,113,143,443,465,587,993,995,2222,7071,9980"
UDP_IN = "53,123"
UDP_OUT = "53,113,123,33434:33523"
ICMP_IN_RATE = "0"
IPV6 = "1"
TCP6_IN = "20,21,25,53,80,110,143,443,465,587,993,995,2222,7071,10000:10010,20000,24441,59000:59999"
TCP6_OUT = "22,53,80,110,113,143,443,465,587,993,995,2222,7071"
UDP6_IN = "53,123"
UDP6_OUT = "53,113,123,33434:33523"
SYSLOG_CHECK = "600"
DENY_IP_LIMIT = "5000"
DENY_TEMP_IP_LIMIT = "1000"
LF_IPSET = "1"
STYLE_CUSTOM = "1"
SMTP_ALLOWUSER = ""
CONNLIMIT = "80;60,110;10,143;10,443;60,465;10,587;10,993;10,995;10"
PORTFLOOD = "80;tcp;70;5,110;tcp;20;5,143;tcp;20;5,443;tcp;70;5,465;tcp;20;5,587;tcp;20;5,993;tcp;20;5,995;tcp;20;5"
UDPFLOOD_ALLOWUSER = "named,zimbra"
DROP_IP_LOGGING = "1"
DROP_NOLOG = "67,68,111,113,135:139,445,500,513,520,5678"
DROP_PF_LOGGING = "1"
CONNLIMIT_LOGGING = "1"
LF_PERMBLOCK_COUNT = "2"
LF_PERMBLOCK_ALERT = "0"
LF_NETBLOCK = "1"
LF_NETBLOCK_COUNT = "2"
LF_NETBLOCK_ALERT = "0"
SAFECHAINUPDATE = "1"
DYNDNS = "600"
MM_LICENSE_KEY = "xxxxxxxxxxxxxxx"
CC_SRC = "1"
CC_DENY = "RU,BY,CN,AF"
CC_DENY_PORTS_TCP = "21,22,110,143,587,993,995,2222"
CC_DENY_PORTS_UDP = "5060,5061,10000:20000"
CC_INTERVAL = "7"
LF_SELECT = "1"
LF_EMAIL_ALERT = "0"
LF_SSHD_PERM = "600"
LF_FTPD_PERM = "600"
LF_SMTPAUTH_PERM = "600"
LF_POP3D = "5"
LF_POP3D_PERM = "600"
LF_IMAPD = "5"
LF_HTACCESS_PERM = "600"
LF_MODSEC_PERM = "600"
LF_BIND = "100"
LF_BIND_PERM = "600"
LF_SUHOSIN = "5"
LF_SUHOSIN_PERM = "600"
LF_CXS = "1"
LF_WEBMIN = "10"
LF_WEBMIN_PERM = "600"
LF_APACHE_404 = "100"
LF_APACHE_403 = "100"
LF_APACHE_401_PERM = "3600"
LF_MODSECIPDB_ALERT = "0"
LF_MODSECIPDB_FILE = "/var/run/modsecurity/data/ip.pag"
LF_DISTATTACK = "1"
LF_DISTFTP = "5"
LF_DISTSMTP = "5"
LT_POP3D = "65"
LT_IMAPD = "100"
LT_SKIPPERMBLOCK = "1"
CT_LIMIT = "300"
PT_USERMEM = "200"
PT_USERRSS = "200"
PT_APACHESTATUS = "http://127.0.0.1/server-status"
MESSENGER_HTTPS_CONF = "/etc/httpd/conf.d/ssl.conf"
MESSENGER_HTTPS_KEY = "/etc/pki/tls/private/localhost.key"
MESSENGER_HTTPS_CRT = "/etc/pki/tls/certs/localhost.crt"
MESSENGER_HTTPS_IN = ""
MESSENGER_CHILDREN = "10"
MESSENGERV3LOCATION = "/etc/httpd/conf.d/"
MESSENGERV3RESTART = "service httpd restart"
MESSENGERV3HTTPS_CONF = "/etc/httpd/conf/httpd.conf"
MESSENGERV3GROUP = "apache"
CLUSTER_SENDTO = "198.167.189.18,198.167.189.19,198.167.189.20,198.167.189.25,198.167.189.26,198.167.189.28,198.167.189.29,198.167.189.30,143.110.234.14"
CLUSTER_RECVFROM = "198.167.189.18,198.167.189.19,198.167.189.20,198.167.189.25,198.167.189.26,198.167.189.28,198.167.189.29,198.167.189.30,143.110.234.14"
CLUSTER_MASTER = "198.167.189.18"
CLUSTER_KEY = "MyLFDClusterKey"
CLUSTER_CONFIG = "1"
ST_SYSTEM = "0"
IPTABLES = "/usr/sbin/iptables"
IPTABLES_SAVE = "/usr/sbin/iptables-save"
IPTABLES_RESTORE = "/usr/sbin/iptables-restore"
IP6TABLES_SAVE = "/usr/sbin/ip6tables-save"
IP6TABLES_RESTORE = "/usr/sbin/ip6tables-restore"
MODPROBE = "/usr/sbin/modprobe"
IFCONFIG = "/usr/sbin/ifconfig"
SENDMAIL = "/opt/zimbra/common/sbin/sendmail"
PS = "/usr/bin/ps"
NETSTAT = "/usr/bin/netstat"
LS = "/usr/bin/ls"
TAR = "/usr/bin/tar"
GUNZIP = "/usr/bin/gunzip"
DD = "/usr/bin/dd"
GREP = "/usr/bin/grep"
IP = "/usr/sbin/ip"
HTACCESS_LOG = "/var/log/apache2/error_log"
MODSEC_LOG = "/var/log/apache2/error_log"
SSHD_LOG = "/var/log/auth.log"
SU_LOG = "/var/log/syslog"
FTPD_LOG = "/var/log/syslog"
SMTPAUTH_LOG = "/var/log/secure"
POP3D_LOG = "/var/log/mail.log"
IMAPD_LOG = "/var/log/mail.log"
IPTABLES_LOG = "/var/log/syslog"
SUHOSIN_LOG = "/var/log/syslog"
BIND_LOG = "/var/log/syslog"
SYSLOG_LOG = "/var/log/syslog"
WEBMIN_LOG = "/var/log/auth.log"
CUSTOM1_LOG = "/var/log/mail.log"
PORTS_pop3d = "25,110,143,465,587,993,995"
PORTS_imapd = "25,110,143,465,587,993,995"
PORTS_sshd = "22,2222"
GENERIC = "1"
</code>
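The Python script below is an added example, not part of this page or of CSF. It parses the ''csf.conf'' port lists above (including ''lo:hi'' ranges and the ''port;limit'' pairs of ''CONNLIMIT''), cross-checks ''TCP_IN'' against the ports that the IPTABLES section at the top of this page opens for Zimbra, and validates the address field of ''csf.allow'' entries (both plain IP/CIDR lines and the advanced ''tcp/udp|in/out|s/d=port|s/d=ip'' form) with Python's ''ipaddress'' module. Run against the values on this page, the cross-check reports 22 as the only port from the iptables list that ''TCP_IN'' does not open (''PORTS_sshd'' lists 22 and 2222, but only 2222 is in ''TCP_IN''), and the validator flags the ''49.312.33.99'' entry because 312 is not a valid octet. The required port set is an assumption taken from the iptables rules; the sample ''csf.allow'' entries are constructed from the listing in the csf.allow section.

```python
import ipaddress

# Values copied from the csf.conf listing on this page.
TCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995,2222,7071,10000:10010,20000,24441,59000:59999"
PORTS_sshd = "22,2222"

# Assumption: the ports the page's iptables example opens for Zimbra.
ZIMBRA_PORTS = {22, 25, 80, 110, 143, 443, 465, 587, 993, 995, 7071}


def expand_ports(spec):
    """Expand a csf.conf port list such as "25,587,10000:10010" into a set of ints."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" in item:
            lo, hi = item.split(":", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(item))
    return ports


def missing_ports(required, spec):
    """Ports in `required` that the port list `spec` does not open, sorted."""
    return sorted(required - expand_ports(spec))


def parse_connlimit(spec):
    """Parse CONNLIMIT "80;60,110;10" into {port: max_connections}."""
    result = {}
    for item in spec.split(","):
        if item:
            port, limit = item.split(";")
            result[int(port)] = int(limit)
    return result


def check_allow_entry(entry):
    """Validate one csf.allow line; return its IP network, or None for 'any'.

    Accepts plain "IP[/CIDR]" lines and the advanced
    "tcp/udp|in/out|s/d=port|s/d=ip" form. Comments are stripped first.
    Raises ValueError for a malformed entry or an invalid address.
    """
    body = entry.split("#", 1)[0].strip()
    if not body:
        return None
    if "|" in body:
        fields = body.split("|")
        if len(fields) < 4 or fields[0] not in ("tcp", "udp") or fields[1] not in ("in", "out"):
            raise ValueError(f"bad advanced entry: {body}")
        ip_field = fields[3]
        if ip_field == "":  # e.g. udp|out|d=53|| means any address
            return None
        if not ip_field.startswith(("s=", "d=")):
            raise ValueError(f"bad ip field: {body}")
        body = ip_field[2:]
    return ipaddress.ip_network(body, strict=False)


def invalid_allow_entries(lines):
    """Return the csf.allow lines that fail validation."""
    bad = []
    for line in lines:
        try:
            check_allow_entry(line)
        except ValueError:
            bad.append(line.strip())
    return bad


# Constructed sample drawn from the csf.allow listing on this page.
SAMPLE_ALLOW = [
    "192.168.1.0/24 # LAN network address",
    "49.312.33.99 # Manually allowed",
    "tcp|in|d=25|s=74.37.170.192/27 # Spam Filter Servers",
    "udp|out|d=53|| # Outbound DNS query with random source port",
    "tcp|out|d=9980|d=98.167.189.29 # Allow to Zimbra Zextras Docs",
]

if __name__ == "__main__":
    print("Zimbra ports not in TCP_IN:", missing_ports(ZIMBRA_PORTS, TCP_IN))
    print("sshd ports:", sorted(expand_ports(PORTS_sshd)))
    print("invalid csf.allow entries:", invalid_allow_entries(SAMPLE_ALLOW))
```

Drop the real ''TCP_IN'' and ''csf.allow'' into the two constants before running ''csf -r''; an unopened service port or a malformed allow entry is much easier to spot here than from a failed connection later.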