ZimbraReverseProxyStrictServerNameEnabled

Prevent Host header injection vulnerability in Zimbra

This is an old issue, but Zimbra installations can have a very long life span, and it is a good precaution to validate your configuration just in case. Zimbra Proxy can strictly enforce which values are allowed in the Host header sent by the client.

This is enabled by default on new installations but left disabled for upgrades from previous versions unless toggled during the installation.

The behaviour is controlled by the zimbraReverseProxyStrictServerNameEnabled boolean configuration option; after changing it, restart the proxy server.

  • TRUE – strict server name enforcement enabled
  • FALSE – strict server name enforcement disabled

zmprov mcf zimbraReverseProxyStrictServerNameEnabled TRUE

When the strict server name functionality is enabled, additional valid server names may be specified using the zimbraVirtualHostName and zimbraVirtualIPAddress configuration items at the domain level.

zmprov md example.com zimbraVirtualHostName mail.example.com zimbraVirtualIPAddress 1.2.3.4

Only one virtual IP address is needed per domain, although more than one is accepted.

If you have pointed multiple DNS domain names at your Zimbra server, every one of those domains must be configured as a Zimbra Virtual Host. With zimbraReverseProxyStrictServerNameEnabled set to TRUE, Zimbra returns an HTTP 400 error page for any host name not configured in Zimbra. This also prevents others from setting up rogue reverse proxies on domains outside your control.

You can check the current setting without changing anything:

zmprov gacf | grep -i zimbraReverseProxyStrictServerNameEnabled
zmprov gs `zmhostname` | grep -i zimbraReverseProxyStrictServerNameEnabled
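The following audit script is an added example, not part of the Zimbra documentation: it parses the output of zmprov gacf and zmprov gd to report whether strict enforcement is on and which Host values a domain's virtual host names allow. The zmprov outputs embedded below are constructed samples so it runs offline, and host_allowed checks only the domain-level zimbraVirtualHostName values (an assumption; the proxy's own server names are not enumerated here).

```shell
#!/bin/sh
# Configuration audit for zimbraReverseProxyStrictServerNameEnabled.
# Added example, not from the Zimbra wiki. The zmprov outputs below are
# constructed samples; on a live server feed the functions the real output
# of `zmprov gacf` and `zmprov gd <domain>` instead.

SAMPLE_GACF='zimbraReverseProxyStrictServerNameEnabled: FALSE
zimbraReverseProxyMailEnabled: TRUE'

SAMPLE_GD='# name example.com
zimbraDomainName: example.com
zimbraVirtualHostName: mail.example.com
zimbraVirtualHostName: webmail.example.com
zimbraVirtualIPAddress: 1.2.3.4'

# strict_state GACF_OUTPUT: prints TRUE or FALSE as recorded in global config.
strict_state() {
  printf '%s\n' "$1" |
    awk -F': ' '$1 == "zimbraReverseProxyStrictServerNameEnabled" { print toupper($2) }'
}

# domain_hosts GD_OUTPUT: prints the domain's virtual host names, one per line.
domain_hosts() {
  printf '%s\n' "$1" | awk -F': ' '$1 == "zimbraVirtualHostName" { print $2 }'
}

# host_allowed GD_OUTPUT HOST: returns 0 if HOST (compared case-insensitively,
# with any :port suffix stripped, as a host name comparison would) is one of the
# domain's configured virtual host names, 1 otherwise. Assumption: only
# domain-level names are checked; the proxy's own server names are not listed.
host_allowed() {
  h=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/:[0-9]*$//')
  domain_hosts "$1" | tr 'A-Z' 'a-z' | grep -qxF -- "$h"
}

# audit GACF_OUTPUT GD_OUTPUT: one summary line for a configuration report.
audit() {
  if [ "$(strict_state "$1")" = TRUE ]; then
    printf 'strict enforcement ON; accepted Host values for this domain: %s\n' \
      "$(domain_hosts "$2" | tr '\n' ' ')"
  else
    printf 'strict enforcement OFF; the proxy does not validate the Host header\n'
  fi
}

audit "$SAMPLE_GACF" "$SAMPLE_GD"
```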

Further reading
