
# Setting up a Zimbra authenticated proxy

On March 18th, Synacor posted about a critical Zimbra security vulnerability (CVE-2019-9670), which was quickly exploited in the wild and subsequently evolved to be harder to eradicate.

I’ve always had a wariness of authentication implementations by hosted applications, so I decided to block the Zimbra web mail interface using iptables (firewall), and only allow access through a separately hosted HTTP proxy which requires authentication. This way, no stray requests to API endpoints accidentally left open will be allowed. That is, almost none: I had to add exceptions to allow webdav traffic for contact and calendar synchronization. If you don’t use that, the exceptions can be left out.

Below is an example Apache configuration. Apache requires several modules to be enabled, which is an exercise left to the reader. Also, a similar proxy is easily implemented in Nginx; I just happened to have a spare Apache server.

When you access the web mail page, you first have to authenticate using old-style HTTP authentication (the browser's login prompt, before Zimbra's own login page is ever reached).

Anyway, here’s the proxy config:

```apache
<VirtualHost *:80>
    RewriteEngine on
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [L,R]
    ServerName webmail.example.net
</VirtualHost>

<VirtualHost *:443>
    ServerName webmail.example.net
    ServerAdmin webmaster@localhost

    SSLEngine on
    SSLCertificateFile      /etc/letsencrypt/live/webmail.example.net/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/webmail.example.net/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/webmail.example.net/chain.pem

    SSLProxyEngine On
    ProxyPass        / https://mail.example.net/
    ProxyPassReverse / https://mail.example.net/

    # For Webdav/carddav/caldav
    <Location /dav>
        Satisfy any
        Require all granted
    </Location>

    # For Let's Encrypt
    <Location /.well-known/>
        Satisfy any
        Require all granted
    </Location>

    # For Webdav/carddav/caldav
    <Location /principals/>
        Satisfy any
        Require all granted
    </Location>

    # For Webdav/carddav/caldav
    <Location /SOGo/>
        Satisfy any
        Require all granted
    </Location>

    # For Webdav/carddav/caldav
    <Location /groupdav.php>
        Satisfy any
        Require all granted
    </Location>

    <Location />
        AuthType Basic
        AuthName "Zimbra webmail pre-login"
        AuthUserFile /etc/apache2/htpasswd/webmail
        Require valid-user
        # Exception IPs: no auth needed (for monitoring for instance)
        Require ip 1.2.3.4
    </Location>

    ErrorLog  ${APACHE_LOG_DIR}/webmail.example.net/error.log
    CustomLog ${APACHE_LOG_DIR}/webmail.example.net/access.log combined
</VirtualHost>
```
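Because every `Require all granted` exception is a hole in the pre-login, it is worth listing them mechanically whenever the vhost changes. The script below is an added example (not from the original post or from Zimbra) that scans a vhost like the one above and reports which paths and source IPs skip the Basic-auth login; the embedded sample config is constructed, and the parser assumes one directive per line and no nested sections.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the post's vhost, one directive per line.
SAMPLE_CONFIG = """\
<VirtualHost *:443>
    ProxyPass / https://mail.example.net/
    <Location /dav>
        Satisfy any
        Require all granted
    </Location>
    <Location /.well-known/>
        Satisfy any
        Require all granted
    </Location>
    <Location />
        AuthType Basic
        Require valid-user
        Require ip 1.2.3.4
    </Location>
</VirtualHost>
"""
# Assumption: no nested sections (true for this vhost); case-insensitive like httpd.
LOCATION_RE = re.compile(r"<Location\s+(\S+)\s*>(.*?)</Location>", re.S | re.I)

def location_rules(config: str) -> Dict[str, List[str]]:
    """Map each <Location> path to its lower-cased Require directives, in order."""
    rules: Dict[str, List[str]] = {}
    for path, body in LOCATION_RE.findall(config):
        lines = (ln.strip().lower() for ln in body.splitlines())
        rules[path] = [ln for ln in lines if ln.startswith("require ")]
    return rules

def unauthenticated_paths(config: str) -> List[str]:
    """Paths whose section admits everyone, i.e. bypasses the pre-login."""
    return sorted(p for p, reqs in location_rules(config).items()
                  if "require all granted" in reqs)

def ip_exceptions(config: str) -> List[str]:
    """Source addresses that may skip the user login anywhere via 'Require ip'."""
    return sorted({ip for reqs in location_rules(config).values()
                   for r in reqs if r.startswith("require ip ")
                   for ip in r.split()[2:]})

def audit(config: str, expected_open: set) -> List[str]:
    """Findings an operator should review; only deliberate exceptions should remain."""
    findings = []
    if "require valid-user" not in location_rules(config).get("/", []):
        findings.append("/ does not require a login")
    findings += ["open without login: " + p for p in unauthenticated_paths(config) if p not in expected_open]
    findings += ["login bypass for ip " + ip for ip in ip_exceptions(config)]
    return findings
```

Run `audit` against the live vhost file with the exception paths you intend (`/dav`, `/.well-known/`, and so on) and treat any other line in the result as a path that Zimbra is exposing without the proxy login.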