This page could probably use a review and updating.
Zimbra IP Ports Used: http://wiki.zimbra.com/wiki/Ports
Test Your Firewall: http://scanme.firebind.com/applet.html
Make sure your Zimbra server is working well before implementing a firewall. Suspect the firewall if something stops working or isn't working properly.
http://wiki.zimbra.com/wiki/Firewall_Configuration
Clustering requires additional ports.
This example was from an older CentOS installation.
iptables -F                                     #Flush current rules
iptables -I INPUT -p tcp --dport 22 -j ACCEPT   #SSH
iptables -I INPUT -p tcp --dport 25 -j ACCEPT   #SMTP
iptables -I INPUT -p tcp --dport 80 -j ACCEPT   #HTTP (for webmail)
iptables -I INPUT -p tcp --dport 110 -j ACCEPT  #POP3
iptables -I INPUT -p tcp --dport 143 -j ACCEPT  #IMAP
iptables -I INPUT -p tcp --dport 443 -j ACCEPT  #HTTPS
iptables -I INPUT -p tcp --dport 465 -j ACCEPT  #SMTPS
iptables -I INPUT -p tcp --dport 587 -j ACCEPT  #MSA (submission)
iptables -I INPUT -p tcp --dport 993 -j ACCEPT  #IMAPS
iptables -I INPUT -p tcp --dport 995 -j ACCEPT  #POP3S
iptables -I INPUT -p tcp --dport 7071 -j ACCEPT #Port for ZCS Web Administration
/etc/init.d/iptables save                       #Rules persist after reboot
#Note: these are ACCEPT rules only. They restrict nothing unless the INPUT chain's
#policy is DROP (or a final REJECT rule follows them), and with a DROP policy you also
#need ACCEPT rules for the lo interface and for ESTABLISHED,RELATED connections.
See also ConfigServer Security & Firewall (CSF)
http://syslint.com/syslint/how-to-configure-zimbra-csf-the-best-zimbra-firewall-configuration/
Reload or restart CSF and LFD for changes to be activated (csf -ra).
RegEx Tester: https://www.regex101.com/
Reference: https://cloudpro.zone/index.php/2018/03/28/csf-lfd-regular-expressions/
Consider these lines clipped from /var/log/mail.log:
Oct  2 08:18:04 zimbra3 postfix/submission/smtpd[3670673]: warning: unknown[93.177.75.130]: SASL LOGIN authentication failed: authentication failure
Oct  5 14:27:13 zimbra3 postfix/smtps/smtpd[3656293]: warning: unknown[102.164.206.139]: SASL PLAIN authentication failed: authentication failure
Add a custom RegEx to detect authentication failures (5 failures, block ports 25 and 587, for 3600 seconds/1 hour):
vim /usr/local/csf/bin/regex.custom.pm
Insert in the middle, between the comments:
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ .* postfix\/s.*\/smtpd\[\d+\]: warning: .*\[(\d+\.\d+\.\d+\.\d+)\]: SASL (LOGIN|PLAIN|login) authentication failed.*/)) {
    return ("Failed SASL login from",$1,"mysaslmatch","5","25,587","3600");
}
Group 1 ($1) matches the offending IP address. The other return values are the alert text, an identifier for this rule (mysaslmatch), the trigger count (5), the ports to block (25,587) and the temporary block time in seconds (3600), as described above.
Now, edit the CSF configuration to tell it to monitor the proper log file for the new RegEx:
vim /etc/csf/csf.conf
Change:
CUSTOM1_LOG = "/var/log/mail.log"
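Before loading the custom rule into lfd it is worth seeing what it actually matches. The following is an added Python example, not code from the wiki page or from CSF: it runs the same regular expression over a few constructed mail.log lines (the addresses and PIDs are made up) and applies the rule's trigger count of 5. The pattern is the one from regex.custom.pm above with the Perl `\/` escapes dropped, since Python does not need them. Note that the pattern requires a listener name between `postfix/s` and `/smtpd`, so `postfix/submission/smtpd` and `postfix/smtps/smtpd` lines match while a plain `postfix/smtpd` line does not; the sample includes one of each.

```python
import re
from collections import defaultdict

# Constructed sample lines in the mail.log format shown above; addresses are
# from documentation ranges and the PIDs are invented for this example.
SAMPLE_LOG = """\
Oct  2 08:18:04 zimbra3 postfix/submission/smtpd[3670673]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Oct  2 08:18:09 zimbra3 postfix/submission/smtpd[3670673]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Oct  2 08:18:15 zimbra3 postfix/smtps/smtpd[3670680]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Oct  2 08:18:21 zimbra3 postfix/submission/smtpd[3670673]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Oct  2 08:18:30 zimbra3 postfix/smtps/smtpd[3670680]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Oct  5 14:27:13 zimbra3 postfix/smtps/smtpd[3656293]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Oct  5 14:27:20 zimbra3 postfix/smtpd[3656300]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Oct  5 14:30:00 zimbra3 postfix/smtps/smtpd[3656293]: connect from unknown[203.0.113.5]
"""

# Same pattern as the regex.custom.pm rule, minus the Perl-style "\/" escapes.
SASL_FAIL = re.compile(
    r"^\S+\s+\d+\s+\S+ .* postfix/s.*/smtpd\[\d+\]: warning: .*"
    r"\[(\d+\.\d+\.\d+\.\d+)\]: SASL (LOGIN|PLAIN|login) authentication failed.*"
)


def count_failures(log_text):
    """Count matching SASL failures per source IP (group 1 of the pattern)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = SASL_FAIL.match(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def blocks_to_apply(counts, trigger=5, ports="25,587", seconds=3600):
    """Emulate the rule's decision: once an IP reaches the trigger count, the
    rule's port list and temporary block duration apply to it."""
    return [
        {"ip": ip, "ports": ports, "seconds": seconds}
        for ip, n in sorted(counts.items())
        if n >= trigger
    ]


if __name__ == "__main__":
    failures = count_failures(SAMPLE_LOG)
    print("failures per IP:", failures)
    print("blocks:", blocks_to_apply(failures))
```

Running it shows five hits for the first address and one for the second (the plain `postfix/smtpd` line and the `connect from` line are not counted), so only the first address reaches the trigger and would be blocked on ports 25 and 587 for 3600 seconds. lfd itself applies the count within its own time window, which this example does not model.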
This example (the CSF allow list, csf.allow) is for Ubuntu 20.04 and Zimbra 9.
###############################################################################
# Copyright 2006-2014, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following IP addresses will be allowed through iptables.
# One IP address per line.
# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24).
# Only list IP addresses, not domain names (they will be ignored)
#
# Advanced port+ip filtering allowed with the following format
# tcp/udp|in/out|s/d=port|s/d=ip
# See readme.txt for more information
#
# Note: IP addressess listed in this file will NOT be ignored by lfd, so they
# can still be blocked. If you do not want lfd to block an IP address you must
# add it to csf.ignore
192.168.1.0/24 # LAN network address
10.1.1.9 # NFS backup server
10.1.1.40 # Manually allowed
78.123.35.134 # Manually allowed
49.312.33.99 # Manually allowed
tcp|in|d=25|s=74.37.170.192/27 # Spam Filter Servers
tcp|in|d=25|s=74.36.242.64/27 # Spam Filter Servers
tcp|in|d=25|s=108.43.201.128/27 # Spam Filter Servers
tcp|in|d=25|s=57.225.140.128/26 # Spam Filter Servers
tcp|in|d=25|s=40.201.66.0/24 # Spam Filter Servers
udp|out|d=53|| # Outbound DNS query with random source port
# Zimbra Zextras Docs Server
tcp|in|d=389|s=98.167.189.29 # Allow LDAP from Zimbra Zextras Docs
tcp|in|d=8443|s=98.167.189.29 # Allow from Zimbra Zextras Docs
tcp|out|d=9980|d=98.167.189.29 # Allow to Zimbra Zextras Docs
# LDAP Testing
tcp|in|d=389|s=192.168.1.46 # Allow LDAP from a workstation
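The file header warns that domain names are ignored rather than rejected, so an entry that does not parse can pass unnoticed until the host it was meant to allow is blocked. The following is an added Python example, not CSF code and not from the wiki page: it reads the two entry formats the header describes (plain IP/CIDR, and `proto|dir|s/d=port|s/d=ip`), validates every address with the standard `ipaddress` module, and reports the line numbers of entries csf would not apply as intended. The sample file content is constructed for the example.

```python
import ipaddress

# Constructed sample csf.allow content; addresses are from documentation
# ranges and the last two entries are deliberately wrong.
SAMPLE_ALLOW = """\
# LAN
192.0.2.0/24                        # LAN network address
198.51.100.9                        # backup server
tcp|in|d=25|s=203.0.113.0/27        # spam filter servers
udp|out|d=53||                      # outbound DNS, any source port
tcp|out|d=9980|d=203.0.113.40       # to a docs server
mail.example.com                    # hostnames are ignored by csf
tcp|in|d=25|s=203.0.113.300         # octet out of range
"""


def _side_value(field, kind):
    """Split an 's=' / 'd=' field into (side, value); kind is 'port' or 'ip'.
    An empty field means "any" and is returned as None."""
    if field == "":
        return None
    if field[:2] not in ("s=", "d="):
        raise ValueError(f"expected s= or d= in {field!r}")
    side, value = field[0], field[2:]
    if kind == "port":
        port = int(value)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {value}")
        return side, port
    # ip_network() raises ValueError for hostnames and malformed addresses;
    # strict=False lets a host address with host bits set through unchanged.
    return side, str(ipaddress.ip_network(value, strict=False))


def parse_allow_line(line):
    """Return None for blank/comment lines, a dict for a valid entry, or
    raise ValueError for an entry that will not do what its author meant."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    if "|" not in body:
        return {"kind": "ip", "net": str(ipaddress.ip_network(body, strict=False))}
    fields = body.split("|")
    if len(fields) < 4:
        raise ValueError(f"too few fields: {body!r}")
    proto, direction, port, ip = fields[:4]
    if proto not in ("tcp", "udp") or direction not in ("in", "out"):
        raise ValueError(f"bad protocol/direction in {body!r}")
    return {
        "kind": "filter", "proto": proto, "dir": direction,
        "port": _side_value(port, "port"), "ip": _side_value(ip, "ip"),
    }


def check_allow_file(text):
    """Return (valid_entries, errors); errors are (line_number, message)."""
    valid, errors = [], []
    for number, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_allow_line(line)
        except ValueError as exc:
            errors.append((number, str(exc)))
            continue
        if entry is not None:
            valid.append(entry)
    return valid, errors


if __name__ == "__main__":
    entries, problems = check_allow_file(SAMPLE_ALLOW)
    print(f"{len(entries)} valid entries")
    for number, message in problems:
        print(f"line {number}: {message}")
```

To check a real file, read /etc/csf/csf.allow and pass its contents to `check_allow_file` before running `csf -ra`; any reported line is one to correct first.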
This example is for Ubuntu 20.04 with Zimbra 9.
These csf.pignore entries will minimize Process Tracking false alerts (entries for multiple Zimbra versions):
###############################################################################
# Copyright 2006-2014, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following is a list of executables (exe) command lines (cmd) and
# usernames (user) that lfd process tracking will ignore.
#
# You must use the following format:
#
# exe:/full/path/to/file
# user:username
# cmd:command line
#
# Or, perl regular expression matching (regex):
#
# pexe:/full/path/to/file as a perl regex[*]
# puser:username as a perl regex[*]
# pcmd:command line as a perl regex[*]
#
# [*]You must remember to escape characters correctly when using regex's, e.g.:
# pexe:/home/.*/public_html/cgi-bin/script\.cgi
# puser:bob\d.*
# pcmd:/home/.*/command\s\to\smatch\s\.pl\s.*
#
# It is strongly recommended that you use command line ignores very carefully
# as any process can change what is reported to the OS.
#
# For more information see readme.txt
exe:/usr/lib/courier-imap/bin/pop3d
exe:/usr/lib/courier-imap/bin/imapd
exe:/usr/sbin/pure-ftpd
exe:/usr/local/apache/bin/httpd
exe:/usr/sbin/sshd
exe:/usr/sbin/proftpd
exe:/usr/libexec/dovecot/imap
exe:/usr/libexec/dovecot/pop3
exe:/usr/sbin/named
exe:/usr/sbin/ntpd
exe:/bin/dbus-daemon
exe:/usr/sbin/ntpd
exe:/usr/sbin/exim4
exe:/sbin/ntpd
exe:/usr/libexec/dovecot/pop3
exe:/usr/libexec/dovecot/imap
exe:/usr/local/libexec/dovecot/pop3
exe:/usr/local/libexec/dovecot/pop3-login
exe:/usr/local/libexec/dovecot/imap
exe:/usr/local/libexec/dovecot/imap-login
exe:/usr/lib/postfix/sbin/error
exe:/usr/lib/apt/methods/http
exe:/usr/sbin/rpcbind
exe:/usr/sbin/rpc.statd
exe:/usr/sbin/chronyd
exe:/usr/bin/lsmd
exe:/usr/bin/dbus-daemon
exe:/opt/zimbra/common/libexec/smtp
exe:/opt/zimbra/common/libexec/proxymap
exe:/opt/zimbra/common/libexec/smtpd
exe:/opt/zimbra/common/libexec/postscreen
exe:/opt/zimbra/common/sbin/nginx
exe:/opt/zimbra/common/libexec/showq
exe:/opt/zimbra/common/libexec/trivial-rewrite
exe:/opt/zimbra/common/libexec/anvil
exe:/opt/zimbra/common/libexec/tlsmgr
exe:/opt/zimbra/common/libexec/qmgr
exe:/opt/zimbra/common/libexec/pickup
exe:/opt/zimbra/common/libexec/cleanup
exe:/opt/zimbra/common/libexec/bounce
exe:/opt/zimbra/common/libexec/scache
cmd:/usr/bin/vmstat -n -S K 30
cmd:/usr/lib/polkit-1/polkitd --no-debug
cmd:/bin/bash /opt/zimbra/bin/zmloggerctl status norewrite
cmd:/bin/bash /opt/zimbra/bin/zmconfigdctl start norewrite
cmd:/bin/bash /opt/zimbra/bin/zmopendkimctl status norewrite
cmd:/bin/bash /opt/zimbra/bin/zmstorectl status norewrite
cmd:/usr/bin/perl /opt/zimbra/libexec/zmlogger
cmd:zmlogger: zmrrdfetch: server
cmd:lmtp -t unix -u
cmd:/opt/zimbra/java/bin/java -version
cmd:/usr/bin/perl /opt/zimbra/libexec/zmlogprocess
cmd:/usr/bin/perl /opt/zimbra/bin/zmcontrol status
cmd:/usr/bin/perl /opt/zimbra/libexec/zmstatuslog
cmd:/usr/bin/python -S /usr/lib/mailman/cron/gate_news
cmd:/usr/bin/perl -T -w /opt/zimbra/zimbramon/bin/sa-update -v --allowplugins --refreshmirrors
cmd:/usr/bin/perl -T -w /opt/zimbra/common/bin/sa-update -v --allowplugins --refreshmirrors
cmd:/opt/zimbra/common/bin/httpd -k start -f /opt/zimbra/conf/httpd.conf
cmd:/opt/zimbra/common/sbin/clamd --config-file=/opt/zimbra/conf/clamd.conf
cmd:/usr/bin/perl -T /opt/zimbra/common/sbin/amavis-services msg-forwarder
cmd:/usr/bin/perl -T /opt/zimbra/common/sbin/amavis-services childproc-minder
cmd:/usr/bin/perl -T /opt/zimbra/common/sbin/amavis-services snmp-responder
cmd:/usr/bin/perl -T /opt/zimbra/common/sbin/amavis-mc
cmd:nginx: worker process
cmd:nginx: master process /opt/zimbra/common/sbin/nginx -c /opt/zimbra/conf/nginx.conf
cmd:/opt/zimbra/common/sbin/unbound
cmd:/opt/zimbra/common/bin/mdb_stat -e /opt/zimbra/data/ldap/mdb/db
cmd:/opt/zimbra/common/libexec/slapd -l LOCAL0 -u zimbra -h ldap://zimbra.virtualarchitects.com:389 ldapi:/// -F /opt/zimbra/data/ldap/config
cmd:/opt/zimbra/common/sbin/saslauthd -r -a zimbra
cmd:/opt/zimbra/common/sbin/opendkim -x /opt/zimbra/conf/opendkim.conf -u zimbra
cmd:/opt/zimbra/common/libexec/scache
cmd:/opt/zimbra/common/bin/java -version
cmd:/bin/bash /opt/zimbra/bin/zmhostname
cmd:/bin/bash /opt/zimbra/bin/zmlocalconfig -m nokey zimbra_server_hostname
cmd:/bin/bash /opt/zimbra/bin/zmantispamctl status
cmd:/bin/bash /opt/zimbra/bin/zmmilterctl status
cmd:/usr/bin/redis-server 127.0.0.1:0
cmd:/usr/sbin/rsyslogd -n -iNONE
cmd:(sd-pam)
cmd:/usr/sbin/atd -f
cmd:/lib/systemd/systemd-timesyncd
cmd:/lib/systemd/systemd-networkd
cmd:/lib/systemd/systemd --user
cmd:/bin/bash /opt/zimbra/bin/zmmtactl status norewrite
pcmd:/usr/bin/perl /opt/zimbra/libexec/auditswatch.*
pcmd:sh -c /opt/zimbra/bin/zmantivirusctl.*
pcmd:/bin/bash /opt/zimbra/bin/zmantivirusctl.*
pcmd:/usr/bin/perl -T -w /opt/zimbra/libexec/sa-learn.*
pcmd:/bin/bash /opt/zimbra/bin/zmjava.*
pcmd:/bin/bash /opt/zimbra/bin/zmlocalconfi.*
pcmd:/usr/bin/perl /opt/zimbra/libexec/zmdailyreport.*
pcmd:/bin/bash -c /opt/zimbra/libexec/zmlogprocess.*
pcmd:/bin/bash /opt/zimbra/bin/zxsuite backup.*
pcmd:sh -c /opt/zimbra/bin/zmantispamct.*
pcmd:/bin/bash /opt/zimbra/bin/zmantispamct.*
pcmd:/usr/bin/iostat -d -k.*
pcmd:/usr/bin/perl -w /opt/zimbra/libexec/zmstat-.*
pcmd:/usr/bin/perl -T -w /opt/zimbra/common/bin/sa-lear.*
pcmd:/usr/bin/perl -T /opt/zimbra/common/sbin/amavisd -X no_conf_file_writable_check.*
pcmd:/opt/zimbra/libexec/logswatch --config-file=/opt/zimbra.*
pcmd:/bin/sh /opt/zimbra/common/bin/mysqld_safe --defaults-file=/opt.*
pcmd:/opt/zimbra/common/sbin/mysqld --defaults-file=/opt.*
pcmd:/opt/zimbra/common/sbin/amavis.*
pcmd:/opt/zimbra/java/bin/java -client -Xmx256m -Djava.net.preferIPv4Stack=true.*
pcmd:/opt/zimbra/java/bin/java -client -Xmx256m -Dzimbra.home=/opt/zimbra.*
pcmd:/opt/zimbra/java/bin/java -Dfile.encoding=UTF-8 -server -Djava.awt.headless=true.*
pcmd:/opt/zimbra/java/bin/java -client -cp /opt/zimbra/lib/jars.*
pcmd:/opt/zimbra/common/lib/jvm/java/bin/java -XX:ErrorFile.*
pcmd:/opt/zimbra/common/lib/jvm/openjdk-11.0.2-zimbra/bin/java.*
pcmd:/usr/bin/perl /opt/zimbra/libexec/swatch --config-file=/opt/zimbra/conf/swatchrc.*
pcmd:/usr/bin/perl /opt/zimbra/data/tmp/.swatch_script.*
pcmd:/bin/bash /opt/zimbra/bin/zmconfigdctl .*
pcmd:/bin/bash -c /opt/zimbra/libexec/zmstatuslog .*
pcmd:/usr/bin/perl /opt/zimbra/data/tmp/.swatchdog_scrip.*
pcmd:/usr/bin/perl /opt/zimbra/common/bin/swatchdog.*
pcmd:/bin/bash -c find /opt/zimbra.*
pcmd:/opt/zimbra/common/bin/swatchdog --config-file=/opt/zimbra/conf/logswatchrc.*
pcmd:/opt/zimbra/common/bin/rotatelogs /opt/zimbra/log/httpd.*
pcmd:/opt/zimbra/common/bin/freshclam --config-file=/opt/zimbra/conf/freshclam.*
pcmd:/opt/zimbra/common/bin/keytool -export -file /opt/zimbra/mailboxd/etc/mailboxd.*
pcmd:/opt/zimbra/common/bin/java -client -cp /opt/zimbra/lib/jars/zimbracommon.*
pcmd:/opt/zimbra/common/bin/java -Dfile.encoding=UTF-8 -server -D.*
pcmd:/opt/zimbra/common/bin/memcached -d -P /opt/zimbra/log/memcached.pid.*
pexe:/opt/zimbra/postfix-.*/libexec/lmtp
pexe:/opt/zimbra/postfix-.*/libexec/smtpd
pexe:/opt/zimbra/postfix-.*/libexec/proxymap
pexe:/opt/zimbra/httpd-.*/bin/rotatelogs
pexe:/opt/zimbra/httpd-.*/bin/httpd
pexe:/opt/zimbra/cyrus-sasl-.*/sbin/saslauthd
pexe:/opt/zimbra/postfix-.*/libexec/showq
pexe:/opt/zimbra/unbound-.*/sbin/unbound
pexe:/opt/zimbra/memcached-.*/bin/memcached
pexe:/opt/zimbra/clamav-.*/sbin/clamd
pexe:/opt/zimbra/openldap-.*/sbin/slapd
pexe:/opt/zimbra/nginx-.*/sbin/nginx
pexe:/opt/zimbra/postfix-.*/libexec/smtp
pexe:/opt/zimbra/common/libexec/smtp.*
pexe:/opt/zimbra/common/lib/jvm/openjdk-.*
pexe:/opt/zimbra/common/libexec/slapd.*
Use this command to compare stock and modified csf.conf files:
diff --unchanged-line-format= --old-line-format= --new-line-format='%L' /usr/local/csf/profiles/reset_to_defaults.conf /etc/csf/csf.conf | grep -v \#
This example shows the non-default csf.conf settings for Ubuntu 20.04 with Zimbra 9, as produced by the diff command above.
TESTING = "0"
RESTRICT_SYSLOG = "3"
TCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995,2222,7071,10000:10010,20000,24441,59000:59999"
TCP_OUT = "22,25,53,80,110,113,143,443,465,587,993,995,2222,7071,9980"
UDP_IN = "53,123"
UDP_OUT = "53,113,123,33434:33523"
ICMP_IN_RATE = "0"
IPV6 = "1"
TCP6_IN = "20,21,25,53,80,110,143,443,465,587,993,995,2222,7071,10000:10010,20000,24441,59000:59999"
TCP6_OUT = "22,53,80,110,113,143,443,465,587,993,995,2222,7071"
UDP6_IN = "53,123"
UDP6_OUT = "53,113,123,33434:33523"
SYSLOG_CHECK = "600"
DENY_IP_LIMIT = "5000"
DENY_TEMP_IP_LIMIT = "1000"
LF_IPSET = "1"
STYLE_CUSTOM = "1"
SMTP_ALLOWUSER = ""
CONNLIMIT = "80;60,110;10,143;10,443;60,465;10,587;10,993;10,995;10"
PORTFLOOD = "80;tcp;70;5,110;tcp;20;5,143;tcp;20;5,443;tcp;70;5,465;tcp;20;5,587;tcp;20;5,993;tcp;20;5,995;tcp;20;5"
UDPFLOOD_ALLOWUSER = "named,zimbra"
DROP_IP_LOGGING = "1"
DROP_NOLOG = "67,68,111,113,135:139,445,500,513,520,5678"
DROP_PF_LOGGING = "1"
CONNLIMIT_LOGGING = "1"
LF_PERMBLOCK_COUNT = "2"
LF_PERMBLOCK_ALERT = "0"
LF_NETBLOCK = "1"
LF_NETBLOCK_COUNT = "2"
LF_NETBLOCK_ALERT = "0"
SAFECHAINUPDATE = "1"
DYNDNS = "600"
MM_LICENSE_KEY = "xxxxxxxxxxxxxxx"
CC_SRC = "1"
CC_DENY = "RU,BY,CN,AF"
CC_DENY_PORTS_TCP = "21,22,110,143,587,993,995,2222"
CC_DENY_PORTS_UDP = "5060,5061,10000:20000"
CC_INTERVAL = "7"
LF_SELECT = "1"
LF_EMAIL_ALERT = "0"
LF_SSHD_PERM = "600"
LF_FTPD_PERM = "600"
LF_SMTPAUTH_PERM = "600"
LF_POP3D = "5"
LF_POP3D_PERM = "600"
LF_IMAPD = "5"
LF_HTACCESS_PERM = "600"
LF_MODSEC_PERM = "600"
LF_BIND = "100"
LF_BIND_PERM = "600"
LF_SUHOSIN = "5"
LF_SUHOSIN_PERM = "600"
LF_CXS = "1"
LF_WEBMIN = "10"
LF_WEBMIN_PERM = "600"
LF_APACHE_404 = "100"
LF_APACHE_403 = "100"
LF_APACHE_401_PERM = "3600"
LF_MODSECIPDB_ALERT = "0"
LF_MODSECIPDB_FILE = "/var/run/modsecurity/data/ip.pag"
LF_DISTATTACK = "1"
LF_DISTFTP = "5"
LF_DISTSMTP = "5"
LT_POP3D = "65"
LT_IMAPD = "100"
LT_SKIPPERMBLOCK = "1"
CT_LIMIT = "300"
PT_USERMEM = "200"
PT_USERRSS = "200"
PT_APACHESTATUS = "http://127.0.0.1/server-status"
MESSENGER_HTTPS_CONF = "/etc/httpd/conf.d/ssl.conf"
MESSENGER_HTTPS_KEY = "/etc/pki/tls/private/localhost.key"
MESSENGER_HTTPS_CRT = "/etc/pki/tls/certs/localhost.crt"
MESSENGER_HTTPS_IN = ""
MESSENGER_CHILDREN = "10"
MESSENGERV3LOCATION = "/etc/httpd/conf.d/"
MESSENGERV3RESTART = "service httpd restart"
MESSENGERV3HTTPS_CONF = "/etc/httpd/conf/httpd.conf"
MESSENGERV3GROUP = "apache"
CLUSTER_SENDTO = "198.167.189.18,198.167.189.19,198.167.189.20,198.167.189.25,198.167.189.26,198.167.189.28,198.167.189.29,198.167.189.30,143.110.234.14"
CLUSTER_RECVFROM = "198.167.189.18,198.167.189.19,198.167.189.20,198.167.189.25,198.167.189.26,198.167.189.28,198.167.189.29,198.167.189.30,143.110.234.14"
CLUSTER_MASTER = "198.167.189.18"
CLUSTER_KEY = "MyLFDClusterKey"
CLUSTER_CONFIG = "1"
ST_SYSTEM = "0"
IPTABLES = "/usr/sbin/iptables"
IPTABLES_SAVE = "/usr/sbin/iptables-save"
IPTABLES_RESTORE = "/usr/sbin/iptables-restore"
IP6TABLES_SAVE = "/usr/sbin/ip6tables-save"
IP6TABLES_RESTORE = "/usr/sbin/ip6tables-restore"
MODPROBE = "/usr/sbin/modprobe"
IFCONFIG = "/usr/sbin/ifconfig"
SENDMAIL = "/opt/zimbra/common/sbin/sendmail"
PS = "/usr/bin/ps"
NETSTAT = "/usr/bin/netstat"
LS = "/usr/bin/ls"
TAR = "/usr/bin/tar"
GUNZIP = "/usr/bin/gunzip"
DD = "/usr/bin/dd"
GREP = "/usr/bin/grep"
IP = "/usr/sbin/ip"
HTACCESS_LOG = "/var/log/apache2/error_log"
MODSEC_LOG = "/var/log/apache2/error_log"
SSHD_LOG = "/var/log/auth.log"
SU_LOG = "/var/log/syslog"
FTPD_LOG = "/var/log/syslog"
SMTPAUTH_LOG = "/var/log/secure"
POP3D_LOG = "/var/log/mail.log"
IMAPD_LOG = "/var/log/mail.log"
IPTABLES_LOG = "/var/log/syslog"
SUHOSIN_LOG = "/var/log/syslog"
BIND_LOG = "/var/log/syslog"
SYSLOG_LOG = "/var/log/syslog"
WEBMIN_LOG = "/var/log/auth.log"
CUSTOM1_LOG = "/var/log/mail.log"
PORTS_pop3d = "25,110,143,465,587,993,995"
PORTS_imapd = "25,110,143,465,587,993,995"
PORTS_sshd = "22,2222"
GENERIC = "1"
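A modified csf.conf is easy to get subtly wrong: a port dropped from TCP_IN quietly takes a Zimbra service off the network the moment csf is reloaded. The following is an added Python example, not from the wiki page and not CSF code. It parses the `KEY = "value"` lines that the diff command produces, expands csf's port-list syntax (comma-separated ports with `low:high` ranges), and reports required ports that are missing. The required set is the Zimbra TCP ports opened by the iptables example near the top of the page (SSH left out, since its port is a local choice, cf. PORTS_sshd); the "page" configuration is the TCP_IN/TCP_OUT above, and the weaker configuration is constructed for comparison.

```python
# Port lists from the csf.conf settings shown above (Ubuntu 20.04 / Zimbra 9).
PAGE_CONF = '''
TCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995,2222,7071,10000:10010,20000,24441,59000:59999"
TCP_OUT = "22,25,53,80,110,113,143,443,465,587,993,995,2222,7071,9980"
UDP_IN = "53,123"
'''

# Constructed weaker configuration: submission (587) and the admin console
# (7071) were left out of TCP_IN.
WEAK_CONF = '''
TCP_IN = "22,25,80,110,143,443,465,993,995"   # edited by hand
'''

# Zimbra TCP ports opened by the iptables example at the top of the page.
REQUIRED_ZIMBRA_TCP = {25, 80, 110, 143, 443, 465, 587, 993, 995, 7071}


def parse_csf_conf(text):
    """Read KEY = "value" lines (as in csf.conf or the diff output) into a dict,
    ignoring comments and blank lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings


def expand_ports(spec):
    """Expand csf's port syntax ("25,587,10000:10010") into a set of ints,
    rejecting anything outside 1-65535 or a range written backwards."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" in item:
            low, high = (int(part) for part in item.split(":", 1))
            if not 1 <= low <= high <= 65535:
                raise ValueError(f"bad port range: {item}")
            ports.update(range(low, high + 1))
        else:
            port = int(item)
            if not 1 <= port <= 65535:
                raise ValueError(f"bad port: {item}")
            ports.add(port)
    return ports


def missing_ports(conf_text, key, required):
    """Return the required ports absent from the given csf.conf port list."""
    settings = parse_csf_conf(conf_text)
    return sorted(required - expand_ports(settings.get(key, "")))


if __name__ == "__main__":
    for name, conf in (("page", PAGE_CONF), ("weak", WEAK_CONF)):
        print(name, "TCP_IN missing:", missing_ports(conf, "TCP_IN", REQUIRED_ZIMBRA_TCP))
```

Run against the page's settings the check reports nothing missing; against the constructed weak configuration it reports 587 and 7071. To check a live system, read /etc/csf/csf.conf and pass its text to `missing_ports`, and do the same for TCP6_IN on an IPv6-enabled host.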