Firewall Configuration


KB 1875 | Last updated on 2018-05-05





Although the Zimbra installation instructions tell you to install Zimbra on a system without a firewall, Zimbra works fine behind a host firewall as long as all of the needed ports listed below are opened.

Needed Ports

Standard Zimbra ports

Ports marked "Local network" should probably be limited by a firewall to your local network only.

  Service           Port   Protocol   Exposure
  SMTP              25     tcp        Public
  HTTP              80     tcp        Local network
  POP3              110    tcp        Local network
  IMAP              143    tcp        Local network
  LDAP              389    tcp        Local network
  HTTPS             443    tcp        Public
  SMTPS             465    tcp        Public
  SMTP Submission   587    tcp        Public
  IMAPS             993    tcp        Public
  POP3S             995    tcp        Public
  Admin Interface   7071   tcp        Local network
  SOAP Auth         7073   tcp        Local network
  LMTP              7025   tcp        Local network

Cluster Suite Ports (EOL ZCS7)

These would only be used on a zimbra cluster. All of these ports should be limited by a firewall to your local network only. Cluster support ended with ZCS7, so later versions of ZCS can ignore this.

  • rgmanager
    • port 41966/tcp
    • port 41967/tcp
    • port 41968/tcp
    • port 41969/tcp
  • ccsd
    • port 50006/tcp
    • port 50007/udp
    • port 50008/tcp
    • port 50009/tcp
  • dlm
    • port 21064/tcp
  • cman
    • port 6809/udp
  • gnbd
    • port 14567/tcp

Example Configuration Files

RedHat Advanced Server

The following iptables configuration file blocks all inbound ports on a clustered Zimbra server except those used by Zimbra, the cluster suite, ssh and snmp. It assumes that your local network is 10.10.3.0/255.255.255.0. Note that, unlike the table above, this file opens 80, 110 and 143 to everyone and does not open 587, 7025 or 7073; adjust the "enable zimbra ports" rules to match the table if you need those services.

/etc/sysconfig/iptables

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# enable ssh and snmp
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 161 -j ACCEPT -s 10.10.3.0/24
# enable zimbra ports
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7071 -j ACCEPT -s 10.10.3.0/24
# enable cluster communications
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41966 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41967 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41968 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41969 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50006 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 50007 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50008 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50009 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21064 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 6809  -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 14567 -j ACCEPT -s 10.10.3.0/24
# reject everything else
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


Add this rule after the "ESTABLISHED,RELATED" rule if your network has remote layer 2/3 devices (bridges and/or MPLS links) or is simply messy, so that stray RST,ACK segments are accepted rather than rejected:

-A RH-Firewall-1-INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK RST,ACK -j ACCEPT




Insert the following rules if you want a log of dropped traffic. This assumes that the Zimbra hosts do not hand out IP addresses (they are not DHCP servers), since DHCP (67/68) is dropped. Broadcast traffic and common LAN chatter are dropped silently, between the existing loopback and icmp rules, so that they do not fill the log; the LOG rule goes immediately before the final REJECT. The "existing rule" lines are shown only to locate the insertion points, and comments are on their own lines as elsewhere in the file.

# existing rule, shown only to locate the insertion point
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
# silently drop broadcast traffic and LAN chatter (DHCP, NetBIOS/SMB, IPP, RPC) so it does not fill the log
-A RH-Firewall-1-INPUT -d 255.255.255.255 -j DROP
-A RH-Firewall-1-INPUT -d 10.10.3.255 -j DROP
-A RH-Firewall-1-INPUT -m multiport -p tcp --dports 67,68,135,137,138,139,445,631,1025 -j DROP
-A RH-Firewall-1-INPUT -m multiport -p udp --dports 67,68,135,137,138,139,445,631,1025 -j DROP
# existing rule, shown only to locate the insertion point
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT

...

# log what is about to be rejected, rate limited to 10 entries per minute
-A RH-Firewall-1-INPUT -j LOG -m limit --limit 10/m --log-prefix "DROP ON INPUT: " --log-tcp-options --log-ip-options --log-level INFO
# existing rule, shown only to locate the insertion point
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
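As an added example (not part of the original wiki page), the following POSIX shell script audits an iptables-save style file against the Standard Zimbra ports table above: it reports table ports that have no ACCEPT rule and local-only ports that are accepted without a -s source restriction. The function names are assumptions, and the embedded sample is constructed from the "enable zimbra ports" block of the RedHat file above.

```shell
#!/bin/sh
# Audit an iptables-save style file against the "Standard Zimbra ports" table:
# report table ports with no ACCEPT rule, and local-only ports accepted without -s.

# port/proto:scope, scope as in the table (public, or local = local network only)
ZIMBRA_PORTS="25/tcp:public 80/tcp:local 110/tcp:local 143/tcp:local 389/tcp:local
443/tcp:public 465/tcp:public 587/tcp:public 993/tcp:public 995/tcp:public
7071/tcp:local 7073/tcp:local 7025/tcp:local"

# audit_rules FILE: print one line per finding (MISSING or EXPOSED)
audit_rules() {
  for entry in $ZIMBRA_PORTS; do
    port=${entry%%/*}; rest=${entry#*/}
    proto=${rest%%:*}; scope=${rest#*:}
    # all ACCEPT rules for this port/proto; -s may come after -j ACCEPT, as in the file above
    rules=$(grep -E -- "-p $proto .*--dport $port( |$).*-j ACCEPT" "$1" || true)
    if [ -z "$rules" ]; then
      echo "MISSING $port/$proto ($scope): no ACCEPT rule"
    elif [ "$scope" = local ] && printf '%s\n' "$rules" | grep -qv -- ' -s '; then
      echo "EXPOSED $port/$proto: local-only in the table but accepted without -s"
    fi
  done
}

# count_findings FILE: number of findings; 0 means the file matches the table
count_findings() { audit_rules "$1" | wc -l | tr -d ' '; }

# Constructed sample: the "enable zimbra ports" block of the RedHat file above
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7071 -j ACCEPT -s 10.10.3.0/24
EOF

audit_rules "$SAMPLE"             # 3 EXPOSED (80, 110, 143), 3 MISSING (587, 7073, 7025)
echo "findings: $(count_findings "$SAMPLE")"
```

Point it at /etc/sysconfig/iptables or at the output of iptables-save to check a live ruleset against the table.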

Ubuntu

Single Node

Enter this at the command prompt, where xxx.xxx.xxx.xxx/yy is the management subnet to which you wish to allow unfettered access:

ufw allow from xxx.xxx.xxx.xxx/yy
nano /etc/ufw/applications.d/zimbra

Now in the file that you just opened: /etc/ufw/applications.d/zimbra

[Zimbra]
title=Zimbra Collaboration Server
description=Open source server for email, contacts, calendar, and more.
ports=25,80,110,143,443,465,587,993,995,3443,5222,5223,7071,9071/tcp


Now continue with:

ufw allow Zimbra
ufw enable
ufw status



Verified Against: Zimbra Collaboration 8.6, 8.5, 8.0
Date Created: 1/26/2007
Article ID: https://wiki.zimbra.com/index.php?title=Firewall_Configuration
Date Modified: 2018-05-05


