Smokes your problems, coughs fresh air.

Tag: zimbra (Page 1 of 2)

Setting up a Zimbra authenticated proxy

On March 18th, Synacor posted about a critical Zimbra security vulnerability (CVE 2019 9670), which was quick to be exploited in the wild, and subsequently evolved to be harder to erradicate.

I’ve always had a weariness of authentication implementations by hosted applications, so I decided to block the Zimbra web mail interface using iptables (firewall), and only allow access through a separately hosted HTTP proxy which requires authentication. This way, no stray requests to API endpoints accidentally left open will be allowed. That is, almost none: I had to add exceptions to allow webdav traffic for contact and calendar synchronization. If you don’t use that, the exceptions can be left out.

Below is an example Apache configuration. Apache requires several modules to be enabled, which is an exercise left to the reader. Also, a similar proxy is easily implemented in Nginx; I just happened to have a spare Apache server.

Note that it’s best to not make the proxy the default virtual host on the web server. This avoids it being seen by IP probes. If set up properly, there is no trace visible from the outside that you’re using this proxy, and if you make it such that access to it requires the actual domain name (like mywebmail.example.net), it’s very hard for bots to see it (especially if you make the domain name a bit more unguessable).

When you access the web mail page, first you have to authenticate using old style HTTP authentication:

zimbra-pre-login

Anyway, here’s the proxy config:

<VirtualHost *:80>
        RewriteEngine on
        RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [L,R]
        ServerName webmail.example.net
</VirtualHost>
 
<VirtualHost *:443>
        ServerName webmail.example.net
        ServerAdmin webmaster@localhost
 
        SSLEngine on
        SSLCertificateFile    /etc/letsencrypt/live/webmail.example.net/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/webmail.example.net/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/webmail.example.net/chain.pem
 
        SSLProxyEngine On
        ProxyPass        / https://mail.example.net/
        ProxyPassReverse / https://mail.example.net/
 
        # For Webdav/carddav/caldav
        <Location /dav>
                Satisfy any
                Require all granted
        </Location>
 
        # For Let's Encrypt
        <Location /.well-known/>
                Satisfy any
                Require all granted
        </Location>
 
        # For Webdav/carddav/caldav
        <Location /principals/>
                Satisfy any
                Require all granted
        </Location>
 
        # For Webdav/carddav/caldav
        <Location /SOGo/>
                Satisfy any
                Require all granted
        </Location>
 
        # For Webdav/carddav/caldav
        <Location /groupdav.php>
                Satisfy any
                Require all granted
        </Location>
 
        <Location />
                AuthType Basic
                AuthName "Zimbra webmail pre-login"
                AuthUserFile /etc/apache2/htpasswd/webmail
                Require valid-user
 
                # Exception IPs: no auth needed (for monitoring for instance)
                Require ip 1.2.3.4
        </Location>
 
        ErrorLog ${APACHE_LOG_DIR}/webmail.example.net/error.log
        CustomLog ${APACHE_LOG_DIR}/webmail.example.net/access.log combined
</VirtualHost>

Installing a commercial SSL certificate in Zimbra

Edit: now in 2020, with Zimbra 8, and Startcom out of business, things have changed a bit. So, here are the steps now, for a Sectigo certificate (and referring to their directory structure):

  • Copy ‘Linux/mail.example.com.ca-bundle’ to ‘/tmp/ca_bundle.crt’. Run ‘chown zimbra:zimbra /tmp/ca_bundle.crt’. (the name of the file suggests that your certificate is in the bundle, but it’s just the authority’s)
  • Copy ‘mail.example.com.crt’ to ‘/tmp/ssl.crt’ and run ‘chown zimbra:zimbra /tmp/ssl.crt’
  • Copy ‘mail.example.com.key’ to ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’ and ‘chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key’
  • ‘su – zimbra’ and then ‘/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/ssl.crt /tmp/ca_bundle.crt’
  • A restart may not even be necessary. My monitoring already started alerting me about the recovery before hand, but just in case, also as user zimbra: ‘zmcontrol stop && zmcontrol start’

Old post:

I installed a commercial (free) SSL certificate from Startcom SSL in Zimbra. I basically followed this, except the java keytool thing. I don’t know why that is necessary… I did this on Zimbra 6.0.10_GA_2692.UBUNTU8_64 UBUNTU8_64 FOSS edition.

  • Download the ca.pem and sub.class1.server.ca.pem (the CA for the free class 1 validation) to /tmp/
  • Cat the CA certs to form a single CA certificate chain file: cat ca.pem sub.class1.server.ca.pem > ca_bundle.crt
  • Place server certificate in /tmp/ssl.crt.
  • Place the private key in /opt/zimbra/ssl/zimbra/commercial/commercial.key
  • Deploy the commercial certificate with zmcertmgr as the root user: /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/ssl.crt /tmp/ca_bundle.crt
  • Restart zimbra: su zimbra, then zmcontrol stop && zmcontrol start

Disabling exim port 25 listening when zimbra is installed

Edit: This doesn’t work anymore I don’t think, because more modern versions check for SMTP conflicts and don’t allow this.

When you’re installing zimbra in an Ubuntu or Debian machine, it seems it installs the MTA in such a way that command line tools like mail and such don’t work. But when you install exim, it conflicts with the postfix in Zimbra.

To fix it, you can install exim4, but configure this line in /etc/default/exim4:

QUEUERUNNER='queueonly'

Zimbra has no shutdown init script on Debian and Ubuntu

There is a K01zimbra in rc6.d for reboot, but not in rc0.d. See this bug report I made.

Workaround:

cd /etc/rc0.d/
ln -s ../init.d/zimbra K01zimbra

I noticed that after an upgrade, the bootscript was gone again, so I made this cron task and put it in cron.daily:

#!/bin/bash
#
# Zimbra bug: no rc0 bootscript: http://bugzilla.zimbra.com/show_bug.cgi?id=54099
#
# The bootscript I put there gets removed upon upgrade, so I put this script in
# place which mails root if it is missing.
#
# The bug is fixed, but in 6.0.10 it still wasn't there, so I don't know when
# it will be included in the release.
#
# Install it in /etc/cron.daily.
 ! [ -e "/etc/rc0.d/K01zimbra" -a -e "/etc/rc6.d/K01zimbra" ];
  message="Kill zimbra bootscript not found in either rc0 (shutdown) or rc6 (reboot)."
  "$message"
  "$message" | mail -s "Zimbra bootscript error" root

Making mysqldump work on a zimbra installation

Zimbra installs its own mysql and there is no workable mysqldump command. There is a mysql command wrapper script (/opt/zimbra/bin/mysql) that loads an environment to set password and such, but there is no such thing for mysqldump. I copied that wrapper script to /usr/local/bin/mysqldump so that user zimbra can no run mysqldump. This is it:

#!/bin/bash
# I, halfgaar, copied this script from /opt/zimbra/bin/mysql and adjusted to so that I can do mysqldump.
 
source /opt/zimbra/bin/zmshutil || exit 1
zmsetvars mysql_directory mysql_socket zimbra_mysql_user zimbra_mysql_password
 
exec ${mysql_directory}/bin/mysqldump -S ${mysql_socket} \
    -u ${zimbra_mysql_user} --password=${zimbra_mysql_password} "$@"

Disable Zimbra’s duplicate mail detection

Zimbra can discard duplicates of incoming mail. This has certain advantages, but for us, where different people use the same account with different identities, this prevents a message from being delivered to multiple virtual inboxes.

To disable this, do this as user zimbra:

zmprov mcf zimbraMessageIdDedupeCacheSize 0
zmmailboxdctl restart

Unfortunately, this has the annoying problem that conversations aren’t detected for duplicates of a message. See this forum thread for more info.

Lowering Bayes score for Zimbra’s Spamassassin config

The Spamassassin config in Zimbra has a very high default score for bayes matching of 99, 95, 90, etc, percent. A mail with subject and body “test” or “asdfaewf a” is often marked as 99% bayes, even though the spamfilter has seen no training mail. This is absurd.

To amend this, I put this in /opt/zimbra/conf/spamassassin/local.cf:

score BAYES_99 2.500
score BAYES_95 2.000
score BAYES_90 1.500
score BAYES_85 1.000
score BAYES_80 0.500

Configuring fetchmail to deliver to Zimbra with custom header added

I needed to fetch mail from a POP3 account and deliver it to a Zimbra account. Because I’m doing this for multiple POP3 accounts, I want to add a header which I can use in Zimbra to filter. This is what we made:

poll server user "user" pass "secret" mda "formail -A 'X-Zimbra-To: user@domain.org'| /opt/zimbra/postfix/sbin/sendmail -i -t service@sicirec.org"

The -i tells sendmail to ignore a single dot on a line, because that would normally mean end of mail. The -t is “to” (not the header “To:“).

It is a bit unclear why postfix delivers locally to Zimbra, since doing mail user@ourdomain.org routes through an external SMTP server, which is configured in Zimbra to be used as MTA for outgoing mail. It is configured as ‘webmail MTA’.

Fixing spamassassin rule in Zimbra

Spamassassin has had a bug for a while, marking any mail from 2010 and later as spam because it’s from “far into the future”. This was very crudely done as this regexp: /20[1-9][0-9]/. Because of that, almost all mail from 2010 onward is marked as spam.

I Changed the regex to match for 2020 or later, but that’s not really a fix. Even the spamassassin maintainers ‘fixed’ it that way.

What I have to look out for though, is that this file may get overwritten when I upgrade zimbra. sa-update doesn’t seem to work on zimbra, so I don’t really know what the best way of getting new rules is.

« Older posts

© 2022 BigSmoke

Theme by Anders NorenUp ↑