Zimbra Firewall Configuration with Ufw & Firewalld

Posted on 34 views

In this guide, we’re going to look at how to secure your Zimbra collaborative suite on CentOS 7, Debian and Ubuntu server using Firewalld and Ufw respectively. If your server is running CentOS 6.x, you can use UFW or raw iptables commands for it, but the port numbers remain the same.

Installing UFW on Ubuntu and CentOS

Install UFW on Ubuntu using the commands:

sudo apt-get update && sudo apt-get -y install ufw

For CentOS, the ufw package is available on EPEL repositories, add it as below:

sudo yum -y install epel-release
sudo yum makecache fast
sudo yum -y install ufw

Installing Firewalld on CentOS / Fedora / RHEL

If your CentOS doesn’t ship with firewalld ready, you can install it using the commands:

sudo yum -y install firewalld

Start and enable the firewalld service.

sudo systemctl start firewalld
sudo systemctl enable firewalld

Rember to add your ssh port first so that you don’t get kicked out.

For Debian, check installing Firewalld on Debian

Configure Zimbra Firewall using UFW

Because of recent Memcache amplification attacks for UDP ports, we won’t enable udp port of Memcache on the firewall – port 11211/udp. We’ll only leave tcp port open, which is safe from these attacks. Read more about Memcache Major amplification.

For ufw, we’re going to create an application profile for UFW called Zimbra. So, let’s create this profile as below.

sudo vim /etc/ufw/applications.d/zimbra

Add the following content:

title=Zimbra Collaboration Server
description=Open source server for email, contacts, calendar, and more.

Enable app profile on ufw

sudo ufw allow Zimbra
sudo ufw enable

Add ssh port as well.

sudo ufw allow ssh

If you make any changes to the Zimbra profile, update it using:

$ sudo ufw app update Zimbra
Rules updated for profile 'Zimbra'
Skipped reloading firewall

For a single server installation, Memcache is not used outside the local server. Consider binding it to the loopback ip address. Use the commands:

sudo su - zimbra
zmprov ms zmhostname zimbraMemcachedBindAddress 
zmprov ms zmhostname zimbraMemcachedClientServerList

Then restart Memcached service.

sudo su - zimbra -c "zmmemcachedctl restart"

Configure Zimbra Firewall using Firewalld

For firewalld users, first, confirm that firewalld is in running state.

sudo firewall-cmd --state running

If not running, start it using.

sudo systemctl start firewalld

Then configure Zimbra ports and services on the firewall.

sudo firewall-cmd --add-service=http,https,smtp,smtps,imap,imaps,pop3,pop3s --permanent
sudo firewall-cmd --add-port 7071/tcp --permanent
sudo firewall-cmd -add-port 8443/tcp --permanent

Reload firewalld configurations,

sudo firewall-cmd --reload

You can confirm runtime settings using:

$ sudo firewall-cmd --list-all
target: default
icmp-block-inversion: no
services: dhcpv6-client http https imap imaps pop3 pop3s smtp smtps snmp ssh
ports: 7071/tcp  8443/tcp

Restricting access to Admin dashboard

It is a good practice to always restrict access to port 7071 to a trusted network or IP address. For UFW, this is done using the command:

sudo ufw allow from to any port 7071
sudo ufw allow from to any port 7071

With firewalld, you can use Rich Rules.

sudo firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" \
  source address="" port protocol="tcp" port="7071" accept'

sudo firewall-cmd --reload

You should now have a secured Zimbra setup. We have other email related articles you can take a look.

Ref: https://wiki.zimbra.com/index.php?title=Blocking_Memcached_Attack


Gravatar Image
A systems engineer with excellent skills in systems administration, cloud computing, systems deployment, virtualization, containers, and a certified ethical hacker.