

Zimbra Firewall

Zimbra IP Ports Used: http://wiki.zimbra.com/wiki/Ports

Test Your Firewall: http://scanme.firebind.com/applet.html

:!: Make sure your Zimbra server is working well before implementing a firewall. Suspect the firewall if something stops working or isn't working properly.

IPTABLES (CentOS)

http://wiki.zimbra.com/wiki/Firewall_Configuration

:!: Clustering requires additional ports.

This rule set still needs to be modified and verified for your own setup (it only opens ports; the loopback, established-connection and default-drop lines below are what make it a real firewall):

iptables -F                                            #Flush current rules (policy is not flushed)

iptables -I INPUT -p tcp --dport 22 -j ACCEPT          #SSH
iptables -I INPUT -p tcp --dport 25 -j ACCEPT          #SMTP
iptables -I INPUT -p tcp --dport 80 -j ACCEPT          #HTTP (for webmail)
iptables -I INPUT -p tcp --dport 110 -j ACCEPT         #POP3
iptables -I INPUT -p tcp --dport 143 -j ACCEPT         #IMAP
iptables -I INPUT -p tcp --dport 443 -j ACCEPT         #HTTPS
iptables -I INPUT -p tcp --dport 465 -j ACCEPT         #SMTPS
iptables -I INPUT -p tcp --dport 587 -j ACCEPT         #MSA (submission)
iptables -I INPUT -p tcp --dport 993 -j ACCEPT         #IMAPS
iptables -I INPUT -p tcp --dport 995 -j ACCEPT         #POP3S
iptables -I INPUT -p tcp --dport 7071 -j ACCEPT        #Port for ZCS Web Administration

iptables -I INPUT -i lo -j ACCEPT                      #Loopback (Zimbra components talk to each other on localhost)
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT   #Replies to the server's own outbound connections
iptables -P INPUT DROP                                 #Default policy: drop anything not accepted above (set last, so SSH is already open)

/etc/init.d/iptables save                              #Rules persist after reboot

CSF (CentOS)

Postfix

RegEx Tester: https://www.regextester.com/

Reference: https://cloudpro.zone/index.php/2018/03/28/csf-lfd-regular-expressions/

Zimbra uses Postfix and Postfix is not directly supported by CSF, so we have to use a custom regex.

Note that the Postfix log format seems to change frequently, so your custom regex will only work until the next log format change.

Consider this line clipped from /var/log/mail.log:

Sep  4 06:09:43 zimbra3 postfix/smtps/smtpd[585833]: warning: unknown[142.163.55.66]: SASL LOGIN authentication failed: authentication failure

Add a custom RegEx to detect authentication failures (trigger after 5 failures, block ports 25 and 587 for 3600 seconds):

vim /usr/local/csf/bin/regex.custom.pm

Insert the block in the middle of the file, between the two comment blocks that mark where custom matches go:

# Return values: description, offending IP, identifier, trigger count, ports to block, block time in seconds
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ .* postfix\/s.*\/smtpd\[\d+\]: warning: .*\[(\d+\.\d+\.\d+\.\d+)\]: SASL (LOGIN|PLAIN|login) authentication failed.*/)) {
return ("Failed SASL login from",$1,"mysaslmatch","5","25,587","3600");
}

:!: $1 matches the offending IP address.

Variants for older log formats (only the first capture group holds the IP, so every variant returns $1):

# Any postfix/<name>/smtpd subprocess, SASL mechanism in any case
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/[A-Za-z]*?\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Za-z]*? authentication failed.*/)) {
return ("Failed SASL login from",$1,"mysaslmatch","5","25,587","3600");
}
# Plain postfix/smtpd (no subprocess name), stricter limits: 3 failures, port 25, 600 seconds
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {
return ("Failed SASL login from",$1,"mysaslmatch","3","25","600");
}
# Zimbra mailbox audit-log style line (oip=<client IP> ... security ... invalid password) rather than a Postfix line;
# CUSTOM1_LOG must point at that log for this variant to ever see a matching line
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+:\d+:\d+,\d+\s+\w{4}\s+\[.*oip=(\d+\.\d+\.\d+\.\d+);\]\s+security\s.*invalid password.*/)) {
return ("Failed SASL login from",$1,"mysaslmatch","5","25,587","3600");
}
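To check a regex before dropping it into regex.custom.pm, the following added example (not from the original page or from CSF) transcribes the page's current-format pattern and its plain postfix/smtpd variant into Python's re, runs them over constructed log lines built from RFC 5737 documentation addresses, and tallies hits per IP the way lfd counts them against the trigger. It also shows why the plain-smtpd variant is still needed: the current-format regex requires a subprocess name between postfix/ and /smtpd, so port-25 failures logged as postfix/smtpd are missed by it.

```python
import re
from collections import Counter

# The page's regex.custom.pm patterns, transcribed from Perl to Python re
# ("/" needs no escaping here). Group 1 is the client IP in both.
SASL_FAIL_PATTERNS = [
    # Current format: postfix/smtps/smtpd or postfix/submission/smtpd
    re.compile(r'^\S+\s+\d+\s+\S+ .* postfix/s.*/smtpd\[\d+\]: warning: '
               r'.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL (LOGIN|PLAIN|login) authentication failed.*'),
    # Older format: plain postfix/smtpd (port 25), which the pattern above does not match
    re.compile(r'^\S+\s+\d+\s+\S+ \S+ postfix/smtpd\[\d+\]: warning:'
               r'.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed'),
]

# Constructed sample log lines (RFC 5737 addresses): five failures from one client,
# two from another, one on plain smtpd, and one connect line that must not count.
SAMPLE_LINES = (
    ["Sep  4 06:09:43 zimbra3 postfix/smtps/smtpd[585833]: warning: "
     "unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure"] * 5
    + ["Sep  4 06:11:02 zimbra3 postfix/submission/smtpd[585901]: warning: "
       "unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure"] * 2
    + ["Sep  4 06:12:17 zimbra3 postfix/smtpd[586004]: warning: "
       "unknown[192.0.2.9]: SASL LOGIN authentication failed: authentication failure",
       "Sep  4 06:12:30 zimbra3 postfix/smtps/smtpd[585833]: connect from unknown[203.0.113.5]"]
)


def failed_login_ip(line):
    """Return the IP from a SASL-failure line (what $1 holds in the Perl), else None."""
    for pattern in SASL_FAIL_PATTERNS:
        m = pattern.search(line)
        if m:
            return m.group(1)
    return None


def ips_to_block(lines, trigger=5):
    """Count failures per IP the way lfd tallies hits; return IPs at or over the trigger."""
    counts = Counter(ip for ip in map(failed_login_ip, lines) if ip)
    return sorted(ip for ip, n in counts.items() if n >= trigger)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(failed_login_ip(line), "<-", line[:60])
    print("would block (trigger=5):", ips_to_block(SAMPLE_LINES))
```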

Now, edit the CSF configuration to tell it to monitor the proper log file for the new RegEx:

vim /etc/csf/csf.conf

Change CUSTOM1_LOG to the mail log the regex should be applied to. The path depends on the distribution: /var/log/mail.log on Debian/Ubuntu, /var/log/maillog on CentOS (which is what the csf.conf diff further down shows):

CUSTOM1_LOG = "/var/log/mail.log"

csf.allow

###############################################################################
# Copyright 2006-2014, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following IP addresses will be allowed through iptables.
# One IP address per line.
# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24).
# Only list IP addresses, not domain names (they will be ignored)
#
# Advanced port+ip filtering allowed with the following format
# tcp/udp|in/out|s/d=port|s/d=ip
# See readme.txt for more information
#
# Note: IP addressess listed in this file will NOT be ignored by lfd, so they
# can still be blocked. If you do not want lfd to block an IP address you must
# add it to csf.ignore

192.168.0.0/24 # csf SSH installation/upgrade IP address - Sat Nov  8 14:46:55 2014
10.1.1.9       # NFS backup server
10.1.1.40      # Manually allowed
78.123.35.134  # Manually allowed
49.312.33.99   # Manually allowed

tcp|in|d=25|s=174.37.170.192/27 # GDI Spam Filter Servers
tcp|in|d=25|s=174.36.242.64/27 # GDI Spam Filter Servers
tcp|in|d=25|s=208.43.201.128/27 # GDI Spam Filter Servers
tcp|in|d=25|s=67.225.140.128/26 # GDI Spam Filter Servers
tcp|in|d=25|s=50.201.66.0/24 # GDI Spam Filter Servers

udp|out|d=53|| # Outbound DNS query with random source port

csf.pignore

These entries will minimize Process Tracking false alerts (entries for multiple Zimbra versions):

###############################################################################
# The following is a list of executables (exe) command lines (cmd) and
# usernames (user) that lfd process tracking will ignore.
#
# You must use the following format:
#
# exe:/full/path/to/file
# user:username
# cmd:command line
#
# Or, perl regular expression matching (regex):
#
# pexe:/full/path/to/file as a perl regex[*]
# puser:username as a perl regex[*]
# pcmd:command line as a perl regex[*]
#
# [*]You must remember to escape characters correctly when using regex's, e.g.:
# pexe:/home/.*/public_html/cgi-bin/script\.cgi
# puser:bob\d.*
# pcmd:/home/.*/command\s\to\smatch\s\.pl\s.*
#
# It is strongly recommended that you use command line ignores very carefully
# as any process can change what is reported to the OS.
#
# For more information see readme.txt

exe:/usr/lib/courier-imap/bin/pop3d
exe:/usr/lib/courier-imap/bin/imapd
exe:/usr/sbin/pure-ftpd
exe:/usr/local/apache/bin/httpd
exe:/usr/sbin/sshd
exe:/usr/sbin/proftpd
exe:/usr/libexec/dovecot/imap
exe:/usr/libexec/dovecot/pop3
exe:/usr/sbin/named
exe:/usr/sbin/ntpd
exe:/bin/dbus-daemon
exe:/usr/sbin/exim4
exe:/sbin/ntpd
exe:/usr/local/libexec/dovecot/pop3
exe:/usr/local/libexec/dovecot/pop3-login
exe:/usr/local/libexec/dovecot/imap
exe:/usr/local/libexec/dovecot/imap-login

exe:/usr/sbin/rpcbind
exe:/usr/sbin/rpc.statd
exe:/usr/sbin/chronyd
exe:/usr/bin/lsmd
exe:/usr/bin/dbus-daemon
exe:/opt/zimbra/common/libexec/smtp
exe:/opt/zimbra/common/libexec/proxymap
exe:/opt/zimbra/common/libexec/smtpd
exe:/opt/zimbra/common/libexec/postscreen
exe:/opt/zimbra/common/sbin/nginx
exe:/opt/zimbra/common/libexec/showq
exe:/opt/zimbra/common/libexec/trivial-rewrite
exe:/opt/zimbra/common/libexec/anvil
exe:/opt/zimbra/common/libexec/tlsmgr
exe:/opt/zimbra/common/libexec/qmgr
exe:/opt/zimbra/common/libexec/pickup
exe:/opt/zimbra/common/libexec/cleanup
exe:/opt/zimbra/common/libexec/bounce

cmd:/usr/bin/vmstat -n -S K 30
cmd:/usr/lib/polkit-1/polkitd --no-debug
cmd:/bin/bash /opt/zimbra/bin/zmloggerctl status norewrite
cmd:/bin/bash /opt/zimbra/bin/zmconfigdctl start norewrite
cmd:/bin/bash /opt/zimbra/bin/zmopendkimctl status norewrite
cmd:/bin/bash /opt/zimbra/bin/zmstorectl status norewrite
cmd:/usr/bin/perl /opt/zimbra/libexec/zmlogger
cmd:zmlogger: zmrrdfetch: server
cmd:lmtp -t unix -u
cmd:/opt/zimbra/java/bin/java -version
cmd:/usr/bin/perl /opt/zimbra/libexec/zmlogprocess
cmd:/usr/bin/perl /opt/zimbra/bin/zmcontrol status
cmd:/usr/bin/perl /opt/zimbra/libexec/zmstatuslog
cmd:/usr/bin/python -S /usr/lib/mailman/cron/gate_news
cmd:/usr/bin/perl -T -w /opt/zimbra/zimbramon/bin/sa-update -v --allowplugins --refreshmirrors
cmd:/usr/bin/perl -T -w /opt/zimbra/common/bin/sa-update -v --allowplugins --refreshmirrors
cmd:/opt/zimbra/common/bin/httpd -k start -f /opt/zimbra/conf/httpd.conf
cmd:/opt/zimbra/common/sbin/clamd --config-file=/opt/zimbra/conf/clamd.conf
cmd:/usr/bin/perl -T /opt/zimbra/common/sbin/amavis-services msg-forwarder
cmd:/usr/bin/perl -T /opt/zimbra/common/sbin/amavis-services childproc-minder
cmd:/usr/bin/perl -T /opt/zimbra/common/sbin/amavis-services snmp-responder
cmd:/usr/bin/perl -T /opt/zimbra/common/sbin/amavis-mc
cmd:nginx: worker process
cmd:nginx: master process /opt/zimbra/common/sbin/nginx -c /opt/zimbra/conf/nginx.conf
cmd:/opt/zimbra/common/sbin/unbound
cmd:/opt/zimbra/common/bin/mdb_stat -e /opt/zimbra/data/ldap/mdb/db
cmd:/opt/zimbra/common/libexec/slapd -l LOCAL0 -u zimbra -h ldap://zimbra.virtualarchitects.com:389 ldapi:/// -F /opt/zimbra/data/ldap/config
cmd:/opt/zimbra/common/sbin/saslauthd -r -a zimbra
cmd:/opt/zimbra/common/sbin/opendkim -x /opt/zimbra/conf/opendkim.conf -u zimbra
cmd:/opt/zimbra/common/libexec/scache
cmd:/opt/zimbra/common/bin/java -version
cmd:/bin/bash /opt/zimbra/bin/zmhostname
cmd:/bin/bash /opt/zimbra/bin/zmlocalconfig -m nokey zimbra_server_hostname
cmd:/bin/bash /opt/zimbra/bin/zmantispamctl status

pcmd:sh -c /opt/zimbra/bin/zmantivirusctl.*
pcmd:/bin/bash /opt/zimbra/bin/zmantivirusctl.*
pcmd:/usr/bin/perl -T -w /opt/zimbra/libexec/sa-learn.*
pcmd:/bin/bash /opt/zimbra/bin/zmjava.*
pcmd:/bin/bash /opt/zimbra/bin/zmlocalconfi.*
pcmd:/usr/bin/perl /opt/zimbra/libexec/zmdailyreport.*
pcmd:/bin/bash -c /opt/zimbra/libexec/zmlogprocess.*
pcmd:sh -c /opt/zimbra/bin/zmantispamct.*
pcmd:/bin/bash /opt/zimbra/bin/zmantispamct.*
pcmd:/usr/bin/iostat -d -k.*
pcmd:/usr/bin/perl -w /opt/zimbra/libexec/zmstat-.*
pcmd:/usr/bin/perl -T -w /opt/zimbra/common/bin/sa-lear.*
pcmd:/opt/zimbra/libexec/logswatch --config-file=/opt/zimbra.*
pcmd:/bin/sh /opt/zimbra/common/bin/mysqld_safe --defaults-file=/opt.*
pcmd:/opt/zimbra/common/sbin/mysqld --defaults-file=/opt.*
pcmd:/opt/zimbra/common/sbin/amavis.*
pcmd:/opt/zimbra/java/bin/java -client -Xmx256m -Djava.net.preferIPv4Stack=true.*
pcmd:/opt/zimbra/java/bin/java -client -Xmx256m -Dzimbra.home=/opt/zimbra.*
pcmd:/opt/zimbra/java/bin/java -Dfile.encoding=UTF-8 -server -Djava.awt.headless=true.*
pcmd:/opt/zimbra/java/bin/java -client -cp /opt/zimbra/lib/jars.*
pcmd:/opt/zimbra/common/lib/jvm/java/bin/java -XX:ErrorFile.*
pcmd:/usr/bin/perl /opt/zimbra/libexec/swatch --config-file=/opt/zimbra/conf/swatchrc.*
pcmd:/usr/bin/perl /opt/zimbra/data/tmp/.swatch_script.*
pcmd:/bin/bash /opt/zimbra/bin/zmconfigdctl .*
pcmd:/bin/bash -c /opt/zimbra/libexec/zmstatuslog .*
pcmd:/usr/bin/perl /opt/zimbra/data/tmp/.swatchdog_scrip.*
pcmd:/usr/bin/perl /opt/zimbra/common/bin/swatchdog.*
pcmd:/opt/zimbra/common/bin/swatchdog --config-file=/opt/zimbra/conf/logswatchrc.*
pcmd:/opt/zimbra/common/bin/rotatelogs /opt/zimbra/log/httpd.*
pcmd:/opt/zimbra/common/bin/freshclam --config-file=/opt/zimbra/conf/freshclam.*
pcmd:/opt/zimbra/common/bin/java -client -cp /opt/zimbra/lib/jars/zimbracommon.*
pcmd:/opt/zimbra/common/bin/java -Dfile.encoding=UTF-8 -server -Djava.awt.headless.*
pcmd:/opt/zimbra/common/bin/memcached -d -P /opt/zimbra/log/memcached.pid.*

pexe:/opt/zimbra/postfix-.*/libexec/lmtp
pexe:/opt/zimbra/postfix-.*/libexec/smtpd
pexe:/opt/zimbra/postfix-.*/libexec/proxymap
pexe:/opt/zimbra/httpd-.*/bin/rotatelogs
pexe:/opt/zimbra/httpd-.*/bin/httpd
pexe:/opt/zimbra/cyrus-sasl-.*/sbin/saslauthd
pexe:/opt/zimbra/postfix-.*/libexec/showq
pexe:/opt/zimbra/unbound-.*/sbin/unbound
pexe:/opt/zimbra/memcached-.*/bin/memcached
pexe:/opt/zimbra/clamav-.*/sbin/clamd
pexe:/opt/zimbra/openldap-.*/sbin/slapd
pexe:/opt/zimbra/nginx-.*/sbin/nginx
pexe:/opt/zimbra/postfix-.*/libexec/smtp
pexe:/opt/zimbra/common/libexec/smtp.*

csf.conf

Use this command to compare stock and modified csf.conf files:

diff --unchanged-line-format= --old-line-format= --new-line-format='%L' /root/csf/csf.conf /etc/csf/csf.conf | grep -v \#

Non-comment lines that differ on this server (stock file in /root/csf/, live file in /etc/csf/):

TESTING = "0"
RESTRICT_SYSLOG = "3"
TCP_IN = "22,25,80,110,143,443,465,587,993,995,5222:5223,7071,8443"
TCP_OUT = "22,25,53,80,110,113,143,443,465,587,993,995,7071"
UDP_IN = "53,123"
UDP_OUT = "53,113,123,33434:33523"
IPV6 = "1"
TCP6_IN = "22,25,80,110,143,443,465,587,993,995,2222,5222:5223,7071,8443"
TCP6_OUT = "22,25,53,80,110,113,143,443,465,587,993,995,2222,7071"
UDP6_IN = "53,123"
UDP6_OUT = "53,113,123,33434:33523"
USE_CONNTRACK = "1"
SYSLOG_CHECK = "600"
DENY_IP_LIMIT = "1000"
DENY_TEMP_IP_LIMIT = "1000"
LF_IPSET = "1"
STYLE_CUSTOM = "1"
SMTP_ALLOWUSER = ""
SYNFLOOD = "1"
CONNLIMIT = "80;30,110;5,143;5,443;30,465;5,587;5,993;5,995;5"
PORTFLOOD = "80;tcp;20;5,110;tcp;20;5,143;tcp;20;5,443;tcp;20;5,465;tcp;20;5,587;tcp;20;5,993;tcp;20;5,995;tcp;20;5"
DROP_NOLOG = "67,68,111,113,135:139,445,500,513,520"
CONNLIMIT_LOGGING = "1"
LF_PERMBLOCK_COUNT = "2"
LF_NETBLOCK = "1"
SAFECHAINUPDATE = "1"
DYNDNS = "600"
LF_SELECT = "1"
LF_EMAIL_ALERT = "0"
LF_SSHD_PERM = "600"
LF_FTPD_PERM = "600"
LF_SMTPAUTH = "10"
LF_SMTPAUTH_PERM = "600"
LF_POP3D_PERM = "600"
LF_IMAPD_PERM = "600"
LF_HTACCESS_PERM = "600"
LF_MODSEC_PERM = "600"
LF_BIND = "100"
LF_BIND_PERM = "600"
LF_SUHOSIN = "5"
LF_SUHOSIN_PERM = "600"
LF_CXS = "1"
LF_WEBMIN = "10"
LF_WEBMIN_PERM = "600"
LF_WEBMIN_EMAIL_ALERT = "0"
LF_CONSOLE_EMAIL_ALERT = "0"
LF_APACHE_404 = "100"
LF_APACHE_403 = "100"
LF_DISTATTACK = "1"
LF_DISTFTP = "5"
LF_DISTSMTP = "5"
LT_POP3D = "65"
LT_IMAPD = "100"
LT_SKIPPERMBLOCK = "1"
CT_LIMIT = "300"
PT_USERMEM = "200"
PT_USERRSS = "200"
PT_APACHESTATUS = "http://127.0.0.1/server-status"
MESSENGER_HTTPS_CONF = "/etc/httpd/conf.d/ssl.conf"
MESSENGER_HTTPS_KEY = "/etc/pki/tls/private/localhost.key"
MESSENGER_HTTPS_CRT = "/etc/pki/tls/certs/localhost.crt"
ST_SYSTEM = "0"
SENDMAIL = "/opt/zimbra/common/sbin/sendmail"
HTACCESS_LOG = "/var/log/httpd/error_log"
MODSEC_LOG = "/var/log/httpd/error_log"
SMTPAUTH_LOG = "/var/log/secure"
CUSTOM1_LOG = "/var/log/maillog"
GENERIC = "1"
internet/mail/zimbra/zimbra_firewall.1662307665.txt.gz · Last modified: 2022/09/04 10:07 by gcooper