Securing a Zimbra email server should be the first priority from the start. Zimbra's own installation instructions recommend installing it without a firewall; leaving the server that way afterwards can get it compromised. Zimbra works perfectly with a firewall as long as the ports Zimbra needs, plus the ports required for managing the server, are open.
Zimbra security hardening using iptables
Here is a commented iptables configuration file (/etc/sysconfig/iptables) for a Zimbra server. It takes care of blocking some common threats and makes the Zimbra server more secure. You can copy, edit and paste the rule set. Please remove "iptables" from the beginning of each line (the /etc/sysconfig/iptables format is read by iptables-restore, which does not expect the command name).
The configuration does for example the following:
- Drops all but essential traffic.
- Allows Zimbra admin console access (port 7071) only from localhost and your own IP addresses.
- Checks incoming packets and filters out invalid traffic.
- Creates some protection against common attacks.
(Please note, paths and commands are shown as on CentOS 7. If you are using another distro, paths and commands might need to be modified; the functionality should be the same.)
Please remember to replace MY.IP.ADDRESS1 and MY.IP.ADDRESS2 (in the # ALLOW SSH FROM OWN IP and # ALLOW ZIMBRA ADMIN CONSOLE sections) with your own IP(s), and to change the SSH port number in every rule marked CHANGE SSH PORT NUMBER (the allow rule for your own IP, the connection limit and the final SSH drop) if you are not using the standard SSH port, which you should not be. The three SSH rules must all use the same port or you will lock yourself out.
CSF makes it easy to manage firewall rules, but in some cases it is reasonable to configure iptables directly, and a Zimbra email server is such a case. If you still want to use CSF, put the custom iptables rules into the pre-script /etc/csf/csfpre.sh, which CSF runs before it loads its own rules. If you use this file with CSF, remove or comment out (#) the first line (*filter) and the last line (COMMIT), and DO NOT remove "iptables" from the beginning of each line.
*filter
# CHANGE THE CHAINS' DEFAULT POLICY TO DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# ADD NEW CHAINS: SSHATTACK (REPEATED SSH ATTEMPTS) AND SYNFLOOD (NEW CONNECTION RATE LIMIT)
iptables -N SSHATTACK
iptables -N SYNFLOOD

# ALLOW UNLIMITED LOOPBACK TRAFFIC (ZIMBRA'S OWN SERVICES TALK TO EACH OTHER OVER lo)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# ALLOW SSH FROM OWN IP   CHANGE IP AND SSH PORT NUMBER !!!
iptables -A INPUT -p tcp -s MY.IP.ADDRESS1/32 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s MY.IP.ADDRESS2/32 --dport 22 -j ACCEPT

# VERIFY NEW INCOMING TCP CONNECTIONS ARE SYN PACKETS, IF NOT DROP
iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# DROP INCOMING FRAGMENTS (WITH CONNTRACK LOADED THE KERNEL REASSEMBLES BEFORE THE FILTER TABLE, SO THIS SELDOM MATCHES; HARMLESS TO KEEP)
iptables -A INPUT -f -j DROP
# DROP PACKETS WITH IMPOSSIBLE TCP FLAG COMBINATIONS
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# DROP AND LOG MALFORMED XMAS PACKETS (SYN+FIN)
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " XMAS Packets "
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# DROP AND LOG NULL PACKETS
iptables -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " NULL Packets "
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# DROP AND LOG FIN PACKET SCANS (FIN WITHOUT ACK NEVER OCCURS ON A REAL CONNECTION)
iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " Fin Packets Scan "
iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
# DROP AND LOG BROADCAST, MULTICAST AND INVALID (LOGGING IS RATE-LIMITED SO A FLOOD CANNOT FILL THE LOG)
iptables -A INPUT -m pkttype --pkt-type broadcast -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " Broadcast "
iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP
iptables -A INPUT -m pkttype --pkt-type multicast -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " Multicast "
iptables -A INPUT -m pkttype --pkt-type multicast -j DROP
iptables -A INPUT -m conntrack --ctstate INVALID -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " Invalid "
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# ALLOW RETURN TRAFFIC OF CONNECTIONS CONNTRACK ALREADY KNOWS; EVERYTHING BELOW ONLY HAS TO DEAL WITH NEW CONNECTIONS
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# REJECT MORE THAN 100 PARALLEL CONNECTIONS TO THE WEB CLIENT FROM ONE SOURCE IP (RAISE IF MANY USERS SIT BEHIND ONE NAT ADDRESS)
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 100 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --syn --dport 443 -m connlimit --connlimit-above 100 --connlimit-mask 32 -j REJECT --reject-with tcp-reset

# ALLOW 150 NEW TCP CONNECTIONS (SYN PACKETS) PER SECOND IN TOTAL AND DROP THE EXCESS; TUNE TO YOUR LOAD
iptables -A INPUT -p tcp --syn -j SYNFLOOD
iptables -A SYNFLOOD -m limit --limit 150/second --limit-burst 160 -j RETURN
iptables -A SYNFLOOD -j DROP

# LIMIT NUMBER OF SSH CONNECTIONS: THE 4TH NEW CONNECTION WITHIN 120 SECONDS FROM ONE SOURCE GOES TO SSHATTACK   CHANGE SSH PORT NUMBER !!!
# (CONNECTIONS FROM YOUR OWN IP WERE ACCEPTED ABOVE AND ARE NOT COUNTED)
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name DEFAULT --rsource
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 120 --hitcount 4 --name DEFAULT --rsource -j SSHATTACK

# ALLOW ICMP PING (ECHO REPLIES AND ICMP ERRORS FOR OUR OWN CONNECTIONS COME IN AS ESTABLISHED/RELATED)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

# ALLOW OUTGOING NTP (123) AND DNS (53)
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 123 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT

# SERVICE PORTS. REPLIES ARE ACCEPTED BY THE ESTABLISHED,RELATED RULES ABOVE, SO NO "--sport" RULES ARE NEEDED.
# NEVER ACCEPT INCOMING PACKETS BY SOURCE PORT ALONE: A REMOTE CLIENT CAN SET ITS SOURCE PORT TO 25 OR 80 AND REACH ANY PORT.
# ALLOW PORT SMTP 25 (INCOMING MAIL FROM OTHER SERVERS; OUTGOING FOR DELIVERY)
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
# ALLOW PORT HTTP 80 (WEB CLIENT; OUTGOING FOR THE SERVER'S OWN HTTP REQUESTS)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
# ALLOW PORT HTTPS 443
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
# ALLOW SMTPS 465 AND SUBMISSION 587 (CLIENTS SENDING MAIL; OUTGOING FOR A RELAY HOST)
iptables -A INPUT -p tcp -m multiport --dports 465,587 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 465,587 -j ACCEPT
# ALLOW POP3 110 AND IMAP 143 (PLAIN TEXT; REMOVE THIS RULE IF CLIENTS ONLY USE 993/995)
iptables -A INPUT -p tcp -m multiport --dports 110,143 -j ACCEPT
# ALLOW IMAPS 993 AND POP3S 995
iptables -A INPUT -p tcp -m multiport --dports 993,995 -j ACCEPT
# OUTGOING POP/IMAP IS ONLY NEEDED IF USERS FETCH EXTERNAL ACCOUNTS INTO ZIMBRA; OTHERWISE REMOVE
iptables -A OUTPUT -p tcp -m multiport --dports 110,143,993,995 -j ACCEPT

# ALLOW ZIMBRA ADMIN CONSOLE 7071 FROM OWN IP ONLY (LOCALHOST IS COVERED BY THE lo RULE ABOVE)   CHANGE IP !!!
iptables -A INPUT -p tcp -s MY.IP.ADDRESS1/32 --dport 7071 -j ACCEPT
iptables -A INPUT -p tcp -s MY.IP.ADDRESS2/32 --dport 7071 -j ACCEPT

# ALLOW DHCP CLIENT (UDP 67/68) ONLY IF THIS SERVER GETS ITS ADDRESS BY DHCP; A MAIL SERVER SHOULD HAVE A STATIC IP
iptables -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
iptables -A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
# DHCP SERVER (UDP 67/68), ONLY IF THIS HOST ALSO SERVES DHCP, WHICH A MAIL SERVER NORMALLY SHOULD NOT
#iptables -A INPUT -p udp --sport 68 --dport 67 -j ACCEPT
#iptables -A OUTPUT -p udp --sport 67 --dport 68 -j ACCEPT

# ALLOW INTERNAL (eth1) TO EXTERNAL (eth0) NETWORK, ONLY IF THIS HOST ROUTES BETWEEN TWO INTERFACES; OTHERWISE REMOVE
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# DROP ALL OTHER SSH CONNECTIONS   CHANGE SSH PORT NUMBER !!!
iptables -A INPUT -p tcp --dport 22 -j DROP
# DEFAULT REJECT RULE (THE DROP POLICY ABOVE IS THE SAFETY NET)
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
# LOG AND DROP SSHATTACK. LEVEL 7 IS "DEBUG": THE STOCK CentOS 7 rsyslog FILTER (*.info) DOES NOT WRITE IT TO /var/log/messages,
# READ IT WITH journalctl -k OR dmesg, OR USE --log-level 4 TO GET IT INTO /var/log/messages
iptables -A SSHATTACK -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "SSH Attack! " --log-level 7
iptables -A SSHATTACK -j DROP
COMMIT
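The LOG rules only help if someone reads what they write. Here is an added example, my own shell and not part of the original rule set, that summarises hits per log prefix and source address from the kernel log; the log lines in it are constructed to match the prefixes used above, not real captures. Keep in mind that the SSHATTACK rule logs at level 7 (debug): with the stock CentOS 7 rsyslog filter (*.info) those lines do not reach /var/log/messages, so feed the function from journalctl -k or dmesg.

```shell
#!/bin/sh
# Added example (not from the original post): summarise firewall LOG hits
# from the kernel log by log prefix and source address.

# Constructed sample lines, shaped like the output of the LOG rules above.
SAMPLE_LOG='Mar  3 10:01:12 mail kernel: SSH Attack! IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:01:15 mail kernel: SSH Attack! IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:02:40 mail kernel:  XMAS Packets IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=192.0.2.33 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=5555 PROTO=TCP SPT=5555 DPT=143 WINDOW=1024 RES=0x00 SYN FIN URGP=0
Mar  3 10:03:01 mail kernel:  NULL Packets IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=192.0.2.33 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=5556 PROTO=TCP SPT=5555 DPT=993 WINDOW=1024 RES=0x00 URGP=0
Mar  3 10:03:05 mail sshd[1234]: Accepted publickey for admin from 203.0.113.1 port 55000 ssh2'

# Read log lines on stdin, keep only firewall LOG lines (they carry IN= and
# SRC=), pull out the log prefix (text between "kernel: " and " IN=") and the
# source address, then print "count prefix source", busiest first.
summarize_fw_log() {
    awk '
        / IN=.* SRC=/ {
            prefix = $0
            sub(/^.*kernel: */, "", prefix)   # drop timestamp, host, "kernel:"
            sub(/ *IN=.*$/, "", prefix)       # drop everything from IN= onwards
            src = $0
            sub(/^.*SRC=/, "", src)
            sub(/ .*$/, "", src)
            hits[prefix " " src]++
        }
        END { for (k in hits) printf "%d %s\n", hits[k], k }
    ' | sort -rn
}

# Sources that hit any LOG rule at least N times in total (default 3):
# candidates for a permanent DROP rule.
repeat_offenders() {
    n="${1:-3}"
    summarize_fw_log | awk -v n="$n" '
        { total[$NF] += $1 }
        END { for (s in total) if (total[s] >= n) print s }
    ' | sort
}

echo "== hits per LOG prefix and source (constructed sample) =="
printf '%s\n' "$SAMPLE_LOG" | summarize_fw_log
echo "== sources with at least 2 hits =="
printf '%s\n' "$SAMPLE_LOG" | repeat_offenders 2
# On the server itself:  journalctl -k --since today | summarize_fw_log
#                        grep ' kernel: ' /var/log/messages | repeat_offenders 5
```

The prefix and source address are enough to tell a port scanner (many prefixes, one source) from an SSH brute-force source (one prefix, many hits); the other fields on the line, such as DPT, are left in place if you want to extend the awk script.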
Please note, if you are going to copy, edit and paste (not just copy and paste!) this iptables configuration for Zimbra, go through each line and make sure you understand what it does before applying the rules. Otherwise you can lock yourself out or leave serious holes. The author takes no responsibility if you use this file as it is. Use the following command to view the iptables help.
iptables -h
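Since the same rule set is used in two forms (with the "iptables" prefix for CSF, without it for /etc/sysconfig/iptables) and a typo in the SSH rules locks you out, here is an added shell helper, written for this page and not part of the original post, Zimbra or CSF. It converts the CSF-style file into iptables-restore format, refuses files that still contain the MY.IP.ADDRESS placeholders or that accept incoming packets by source port alone, and applies the result with a rollback timer. The sample rules, file names and the 60-second window are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): prepare the rule set for
# iptables-restore, sanity-check it, and apply it with automatic rollback.

# Convert CSF-style lines ("iptables -A ...") into /etc/sysconfig/iptables
# (iptables-restore) format: strip the "iptables " prefix and write policy and
# new-chain lines in the ":CHAIN POLICY [0:0]" form that format uses.
# Comments, *filter and COMMIT pass through unchanged.
to_restore_format() {
    sed -e 's/^[[:space:]]*iptables[[:space:]]\{1,\}//' \
        -e 's/^-P \([A-Za-z0-9_]*\) \([A-Z]*\)$/:\1 \2 [0:0]/' \
        -e 's/^-N \([A-Za-z0-9_]*\)$/:\1 - [0:0]/' "$1"
}

# Check a rule file (either style) before it touches the kernel:
#  1. no MY.IP.ADDRESS placeholder left,
#  2. *filter header and COMMIT present,
#  3. no INPUT rule that ACCEPTs on source port alone: a remote client can set
#     its source port to 25 or 80, so such a rule opens every local port.
# Returns 0 when the file looks ready, 1 with the reason on stderr otherwise.
check_ruleset() {
    rules=$(to_restore_format "$1")
    case "$rules" in
        *MY.IP.ADDRESS*) echo "check_ruleset: MY.IP.ADDRESS placeholder still present" >&2; return 1 ;;
    esac
    if ! printf '%s\n' "$rules" | grep -q '^\*filter' \
       || ! printf '%s\n' "$rules" | grep -q '^COMMIT'; then
        echo "check_ruleset: missing *filter header or COMMIT line" >&2
        return 1
    fi
    if printf '%s\n' "$rules" | grep -E '^-A INPUT .*--sports? ' \
           | grep -E -e '-j ACCEPT' | grep -E -v -e '--(ctstate|state) ' | grep -q .; then
        echo "check_ruleset: stateless --sport ACCEPT in INPUT; use -m conntrack --ctstate ESTABLISHED instead" >&2
        return 1
    fi
    return 0
}

# Apply atomically with a rollback timer (run as root). The current rules are
# saved first; unless the confirmation file exists after $2 seconds (default
# 60) the saved rules are restored, which undoes a lock-out.
apply_with_rollback() {
    new="$1"; secs="${2:-60}"
    old=$(mktemp) || return 1
    iptables-save > "$old" || return 1
    iptables-restore --test "$new" || { echo "syntax error, nothing applied" >&2; return 1; }
    iptables-restore "$new" || return 1
    confirm="$old.keep"
    ( sleep "$secs"; [ -e "$confirm" ] || iptables-restore "$old" ) &
    echo "rules applied; run:  touch $confirm  within $secs s to keep them"
}

# Constructed sample in the CSF style, shortened to what the checks exercise.
TMP=$(mktemp -d)
cat > "$TMP/raw.txt" <<'EOF'
*filter
iptables -P INPUT DROP
iptables -N SSHATTACK
# ALLOW SSH FROM OWN IP
iptables -A INPUT -p tcp -s MY.IP.ADDRESS1/32 --dport 22 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --sport 25 -j ACCEPT
iptables -A INPUT -p tcp --sport 993 -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
EOF
# Placeholder replaced but the stateless --sport rule kept: still not ready.
sed 's/MY\.IP\.ADDRESS1/203.0.113.5/' "$TMP/raw.txt" > "$TMP/sport.txt"
# Placeholder replaced and the stateless --sport rule removed: ready.
sed '/--sport 25/d' "$TMP/sport.txt" > "$TMP/good.txt"

to_restore_format "$TMP/good.txt"
for f in raw sport good; do
    if check_ruleset "$TMP/$f.txt"; then echo "$f.txt: ready"; else echo "$f.txt: not ready"; fi
done
# On the real server, once the check passes:
#   to_restore_format zimbra-rules.txt > /tmp/zimbra.rules
#   apply_with_rollback /tmp/zimbra.rules 60
```

The 993 rule in the sample passes the third check because it carries --ctstate ESTABLISHED; the bare "--sport 25" rule does not, which is exactly the pattern to avoid. If the confirmation file is not touched in time, the previous rules come back and you can log in again to find the mistake.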
Please note, this is far from a perfect configuration, but it should be a good start and give more than basic protection for a newly installed Zimbra email server. Edit, add and remove rules as your setup requires. For example, it is recommended to let clients use only the encrypted protocols (SMTPS/submission on 465/587, IMAPS 993 and POP3S 995), so you may want to close the plain-text POP3 (110) and IMAP (143) ports. Port 25 must stay open, though: other mail servers deliver to you on port 25 (with STARTTLS where available), and closing it stops inbound mail.
You should also secure the Zimbra server using its built-in DoS/DDoS protection, limit the number of incoming and outgoing emails per account, enforce strong passwords and strict account lockout after failed logins, and enable 2FA.
Managed Zimbra email server
In many cases, it is more effective to outsource Zimbra server management than to spend countless hours on system administration tasks. Mailabler offers reasonably priced fully managed Zimbra email servers in various locations, including Switzerland, Moscow, London, the USA and Finland. The managed email servers also include security hardening. Mailabler is part of the company managed by the author.