Scribd
Upload
118 views

Security Best Practices

This document discusses security best practices for a Zimbra installation including: 1. Using the F1 Scrollout open source email gateway for antivirus and antispam filtering instead of Zimbra's built-in features for increased flexibility and power. 2. Configuring a Let's Encrypt SSL certificate for encrypted communication with Zimbra. 3. Setting firewall rules with iptables to only allow necessary ports and whitelist the Scrollout server, and using Fail2ban to block brute force attacks.

Uploaded by

Orangepunk
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
118 views

Security Best Practices

This document discusses security best practices for a Zimbra installation including: 1. Using the F1 Scrollout open source email gateway for antivirus and antispam filtering instead of Zimbra's built-in features for increased flexibility and power. 2. Configuring a Let's Encrypt SSL certificate for encrypted communication with Zimbra. 3. Setting firewall rules with iptables to only allow necessary ports and whitelist the Scrollout server, and using Fail2ban to block brute force attacks.

Uploaded by

Orangepunk
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 9

7- Security Best Practices :

 F1 Scrollout ( Anti-Virus | Anti-Spam )


 Configuring Let’s Encrypt for SSL Certificate
 Firewall Rules and Fail2ban
 Password Policy
1- F1 Scrollout:
 It is Open Source Email Gateway based on Debian with the ability to filter all Incoming and Outgoing
Mails from/to Zimbra.
 Why not using the Built-In Anti-Spam features of Zimbra ?.
1- Because the Built-In features of Zimbra are not powerful as F1 Scrollout.
2- Zimbra updates the ClamAV by updating the whole release of the Zimbra Version , which means that we
MUST wait Zimbra for next Release Version so that we can get the latest version of the Anti-Virus.
3- We can not upgrade SpamAssassin except we upgrade the whole version of Zimbra.
 Why using F1-Scrollout ?.
1- Using External Anti-Virus and Anti-Spam Gateway “F1-Scrollout” will be more flexible and Powerful.
2- F1-Scrollout can offer DKIM Signing for Verification and SPF Verification.
3- Protection against executable files, malicious content, scripts and more.
4- Simple web interface with guidelines.
5- All features in this Link “ http://www.scrolloutf1.com/ “
1- F1 Scrollout:
 Topology for this setup will be as below :
 We will Create MX Record to Point to the Scrollout IP Address.
 A and PTR Record will be created normally to Point to the IP Address of
Zimbra Server.
 In Scrollout Web Interface we Just add Domain-Name to Point to The IP Adress
of Zimbra “ Which hosts this particular domain ”.
 We can add Multiple Domains Pointing to one particular Zimbra Address.
1- F1 Scrollout:
 Installing F1-Scrollout on Debian 8 Minimal Server Installation :
# cd /tmp
# wget http://sourceforge.net/projects/scrollout/files/update/scrolloutf1.tar/download -O scrolloutf1.tar
# tar -xvf scrolloutf1.tar
# chmod 755 /tmp/scrolloutf1/www/bin/*
# /tmp/scrolloutf1/www/bin/install.sh
2- Configuring SSL Certificate:

 Let’s Encrypt is a new Certificate Authority: It’s free, automated, and open.
 We will use Let’s Encrypt to create and renew the signed certificate.
 Zimbra will use this Certificate for any kind of connection “ Web Mail and Mail Client “.
 Using Signed Certificate will help to send an encrypted message from Zimbra.
2- Configuring SSL Certificate:
 Stop Nginx Proxy service and Mailboxd
# zmproxyctl stop
# zmmailboxdctl stop
 Install GIT and Let's Encrypt Project
# yum install git -y
# git clone https://github.com/letsencrypt/letsencrypt
# cd letsencrypt
 Create SSL Certificate
# ./letsencrypt-auto certonly --standalone -d mail.linuxdirection.com
 Build the CA and RootCA , To Create it we must to use the IdenTrust root Certificate and chain.pem has
to be concatenated with the root CA. First the chain and the end of the file the root CA from this URL
https://www.identrust.com/certificates/trustid/root-download-x3.html
2- Configuring SSL Certificate:
 Integrate the CA with Zimbra
# mkdir /opt/zimbra/ssl/letsencrypt
 Copy all the Let's Encrypt folder
# cp /etc/letsencrypt/live/mail.linuxdirection.com/* /opt/zimbra/ssl/letsencrypt/
# chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
 verify the Certificate
# /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
 Before the Deployment , Copy we need to backup the built in Zimbra Certificate
# cp -a /opt/zimbra/ssl/zimbra /mnt
 Move the privkey.pem under the Zimbra SSL commercial path
# cp /opt/zimbra/ssl/letsencrypt/privkey.pem
/opt/zimbra/ssl/zimbra/commercial/commercial.key
 The Deployment
# /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
# su - zimbra -c "zmcontrol restart"
3-Firewall Rules and Fail2ban:

 We are using Zimbra 8.6 installed on CentOS 7 so we will use iptables to control all ports of
Zimbra
 Highly Recommended to just open the needed ports and not any other ports
 We will need to open the ports of these services “ DNS , HTTPS , IMAPS , SMTP “ and
7071 , 8443 “ for Web Admin and Admin Management Interface.
 And Whitelist the IP Address of Scrollout Server
 We will use the this command :
# iptables -A INPUT -p tcp --dport 7071 --dport 8443 --dport 443 –j ACCEPT
# iptables -A INPUT –s SCROLLOUT_IP –j ACCEPT
# iptables -A INPUT –d SCROLLOUT_IP –j ACCEPT
 To Verify :
# iptables -L
3-Firewall Rules and Fail2ban:

 Fail2ban Complements the Security Policies of Zimbra, Blocking any IP Address


Generates brute force attack to any mailbox or SSH service.
 So Fail2Ban is used for protection against high number of repeated wrong access attempts.
 It integrates with the firewalld to control any Source IP Address
 Installation is very simple :
# yum install –y fail2ban
# systemctl enable fail2ban
# systemctl start fail2ban

You might also like