Archive for the Zimbra Category

Zimbra: Firewall Script

Posted by Filed Under Zimbra with Comments Off

Zimbra is a great mail server replacement for Exchange. When you install Zimbra it suggests that you do not install a firewall; well, that sounds like they want their program to work at your expense. Anyway, here is a firewall script that I am currently using and that works fine. Note that as an administrator you can limit access to the Administrator port, which is a good idea, and I often limit access to the web interface as well. The firewall has a number of variables that you can edit so you can drop it into your system. Of course, use at your own risk.

Place the script in the file /etc/rc.d/rc.firewall and make it executable with chmod 755 rc.firewall. Then add a line to your /etc/rc.d/rc.local so that it starts each time you boot; the line should look like this:

sh /etc/rc.d/rc.firewall

#!/bin/bash
# This script comes with no warranty …use at own risk
# Copyright (C) 2009  Mike Weber
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#
LAN_INTERFACE="eth0"
LOOPBACK_INTERFACE="lo"
########################################
# Enter Your LAN IP Address            #
########################################
LAN_IP="mail_server_ip"
########################################
# Enter LAN Subnet                     #
########################################
LAN_ADDRESSES="cidr_subnet..ex. 192.168.5.0/24"
LAN_NET="subnet..ex. 192.168.5.0/255.255.255.0"
########################################
# Enter Broadcast Address              #
########################################
LAN_BROADCAST="network_broadcast"
########################################
# Enter Your Netmask                   #
########################################
LAN_NETMASK="netmask...ex. 255.255.255.0"
########################################
# Enter Your DNS Server                #
########################################
NAMESERVER="ip_dns_server"
########################################
# Set to 1 to add the explicit NEW-state rules below (the script referenced
# this variable without ever setting it)
CONNECTION_TRACKING="1"

LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"

#############################################
# Enter the IP Address of the Administrator #
# The only IP to Access the Hardware Node   #
#############################################
ADMIN="admin_ip_address"

#############################################
# Special Temporary Access Site             #
#############################################
SPECIAL="2nd_admin_ip"

##################################################
# Disable source routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
# Don't send redirect messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done
# Drop spoofed packets (reverse path filtering)
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
##################################################
# remove existing rules
iptables --flush
iptables -t mangle --flush

# Unlimited traffic on the loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Set default policy to Drop
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP

# Remove pre-existent chains
iptables --delete-chain
###################################################
# DNS to SERVER                                   #
###################################################
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp -j ACCEPT
##################################################
# Stealth Scans and TCP State Flags              #
##################################################
# All bits cleared
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# SYN and FIN are both set
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN is the only bit set, without ACK
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
# PSH is the only bit set, without ACK
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
# URG is the only bit set, without ACK
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
#######################################################
# Connection State to By-Pass Rule Checking
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
######################################################
# SSH ACCESS TO SERVER                               #
######################################################
iptables -A INPUT -p tcp -s $ADMIN --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --destination $ADMIN -j ACCEPT
iptables -A INPUT -p tcp -s $SPECIAL --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --destination $SPECIAL -j ACCEPT
######################################################
# Zimbra Access
iptables -A INPUT -p tcp -s $ADMIN --dport 7071 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

######################################################
# Limit Access to DNS Server                         #
######################################################
#if [ "$CONNECTION_TRACKING" = "1" ]; then
iptables -A OUTPUT -o $LAN_INTERFACE -p udp -s $LAN_IP --sport 1024:65535 -d $NAMESERVER --dport 53 -m state --state NEW -j ACCEPT
#fi
iptables -A OUTPUT -o $LAN_INTERFACE -p udp -s $LAN_IP --sport 1024:65535 -d $NAMESERVER --dport 53 -j ACCEPT

iptables -A INPUT -i $LAN_INTERFACE -p udp -s $NAMESERVER --sport 53 -d $LAN_IP --dport 1024:65535 -j ACCEPT

iptables -A INPUT -p udp --sport 1024:65535 --destination $LAN_IP --dport 53 -j ACCEPT
iptables -A INPUT -p udp --destination $LAN_IP --dport 53 -j ACCEPT

if [ "$CONNECTION_TRACKING" = "1" ]; then
iptables -A OUTPUT -o $LAN_INTERFACE -p tcp -s $LAN_IP --sport 1024:65535 -d $NAMESERVER --dport 53 -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o $LAN_INTERFACE -p tcp -s $LAN_IP --sport 1024:65535 -d $NAMESERVER --dport 53 -j ACCEPT
iptables -A INPUT -i $LAN_INTERFACE -p tcp -s $NAMESERVER --sport 53 -d $LAN_IP --dport 1024:65535 -j ACCEPT

iptables -A OUTPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p udp --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --sport 1024:65535 --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
#######################################################
# Mail Server                                         #
#######################################################
iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 25 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 25 -j ACCEPT
iptables -A INPUT -p tcp ! --syn --sport 25 -d $LAN_IP --dport 1024:65535 -j ACCEPT

iptables -A INPUT -p tcp --sport 1024:65535 -d $LAN_IP --dport 25 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --sport 1024:65535 -d $LAN_IP --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp ! --syn -s $LAN_IP --sport 25 --dport 1024:65535 -j ACCEPT
#######################################################
# IMAP                                                #
#######################################################
iptables -A INPUT -p tcp --sport 1024:65535 -d $LAN_IP --dport 993 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --sport 1024:65535 -d $LAN_IP --dport 993 -j ACCEPT
iptables -A OUTPUT -p tcp ! --syn -s $LAN_IP --sport 993 -d 0.0.0.0/0 --dport 1024:65535 -j ACCEPT

iptables -A INPUT -p tcp -s 0.0.0.0/0 --sport 1024:65535 -d $LAN_IP --dport 143 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -s 0.0.0.0/0 --sport 1024:65535 -d $LAN_IP --dport 143 -j ACCEPT
iptables -A OUTPUT -p tcp ! --syn -s $LAN_IP --sport 143 -d 0.0.0.0/0 --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --destination $LAN_IP --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -s $ADMIN --destination $LAN_IP --dport 80 -j ACCEPT
#iptables -A INPUT -p tcp --destination $LAN_IP -j DROP
#iptables -A INPUT -p udp --destination $LAN_IP -j DROP
#iptables -A INPUT -p icmp --destination $LAN_IP -j DROP
#iptables -A OUTPUT -p tcp --destination $LAN_IP -j DROP
#iptables -A OUTPUT -p udp --destination $LAN_IP -j DROP
#iptables -A OUTPUT -p icmp --destination $LAN_IP -j DROP
#####################################################
# ClamAV (signature update mirrors)
iptables -A OUTPUT -p tcp -d 208.67.80.27 --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -d 209.8.40.140 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s 208.67.80.27 -j ACCEPT
iptables -A OUTPUT -p tcp -d 65.120.238.2 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s 209.8.40.140 -j ACCEPT
iptables -A INPUT -p tcp -s 128.121.60.235 -j ACCEPT
iptables -A OUTPUT -p tcp -d 128.121.60.235 --dport 80 -j ACCEPT

#########################################################
#iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID input: "
#iptables -A INPUT -m state --state INVALID -j DROP
#iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "INVALID output: "
#iptables -A OUTPUT -m state --state INVALID -j DROP
###########################################################
# Source Address Spoofing/Bad Addresses
# Refuse spoofed packets claiming to come from our own address
iptables -A INPUT -s $LAN_IP -j DROP
iptables -A OUTPUT -o $LAN_INTERFACE ! -s $LAN_IP -j DROP
# Refuse malformed broadcast packets
iptables -A INPUT -i $LAN_INTERFACE -d $BROADCAST_SRC -j DROP
# Don't forward limited broadcast either way
iptables -A INPUT ! -p udp -d $CLASS_D_MULTICAST -j DROP
#########################################################
# ICMP control and status messages
# Log and drop initial ICMP fragments
iptables -A INPUT --fragment -p icmp -j LOG --log-prefix "Fragmented incoming ICMP: "
iptables -A INPUT --fragment -p icmp -j DROP

iptables -A OUTPUT --fragment -p icmp -j LOG --log-prefix "Fragmented outgoing ICMP: "
iptables -A OUTPUT --fragment -p icmp -j DROP
iptables -A INPUT -p icmp --icmp-type source-quench -d $LAN_IP -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type source-quench -j ACCEPT

iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type parameter-problem -j ACCEPT

iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A OUTPUT -o $LAN_INTERFACE -p icmp --icmp-type destination-unreachable -d $LAN_ADDRESSES -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT

# Don't Log outgoing ICMP error messages
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP
# Intermediate traceroute responses
#iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
#--destination $LAN_ADDRESSES -j ACCEPT
#################################################
# LOGS                                          #
#################################################
iptables -A INPUT -i $LAN_INTERFACE -j LOG
iptables -A OUTPUT -j LOG
exit 0
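A stateful ruleset like the one above is easy to over-read: with INPUT and OUTPUT policies set to DROP, a rule such as the "DNS to SERVER" line that accepts any UDP packet with source port 53 lets a sender who simply picks that source port reach every UDP service on the host, and the ClamAV mirror rules trust a remote address on all ports. The audit below is an added example (not code from the post or from its rc.firewall script); it tokenises one iptables command per line, assuming the script's quotes and dashes are plain ASCII, and reports ACCEPT rules that are broader than they look.

```python
# Added example (not from the post or its rc.firewall script): flag iptables
# ACCEPT rules that are looser than they look. Input is one command per line.
import shlex

# Constructed sample: three rules copied from the script above plus the
# admin-only SSH rule, which is restricted and must not be flagged.
SAMPLE_RULES = """
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp -j ACCEPT
iptables -A INPUT -p tcp -s $ADMIN --dport 22 -j ACCEPT
iptables -A INPUT  -p tcp -s 208.67.80.27 -j ACCEPT
"""

def parse_rule(line):
    """Return (chain, {option: value}) for one 'iptables -A/-I ...' line, else None."""
    toks = shlex.split(line, comments=True)  # comment and blank lines yield []
    if len(toks) < 3 or toks[0] != "iptables" or toks[1] not in ("-A", "-I"):
        return None
    opts = {}
    for i, tok in enumerate(toks[3:], 3):
        if tok.startswith("-"):  # a bare "!" is a non-option token and is skipped
            nxt = toks[i + 1] if i + 1 < len(toks) else "-"
            opts[tok] = True if nxt.startswith("-") else nxt  # --syn takes no value
    return toks[2], opts

def audit_rule(chain, opts):
    """List the weaknesses of one ACCEPT rule; an empty list means it is restricted."""
    if opts.get("-j") != "ACCEPT":
        return []
    has = lambda *keys: any(k in opts for k in keys)
    src, dst = has("-s", "--source"), has("-d", "--destination")
    sport, dport = has("--sport", "--source-port"), has("--dport", "--destination-port")
    stateful = has("--state")  # ESTABLISHED,RELATED rules are stateful by design
    if chain == "INPUT":
        if sport and not (dport or src or stateful):
            return ["matches source port only: senders choose their sport, so every local port is reachable"]
        if src and not (dport or stateful):
            return ["trusts a source address on every port; a spoofed or compromised host gets full access"]
    elif chain == "OUTPUT" and not (dst or dport or stateful):
        return ["unrestricted outbound protocol: nothing limits tunnelling or exfiltration over it"]
    return []

def audit_script(text):
    """Map each flagged rule (whitespace-normalised) to its findings."""
    report = {}
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed and (findings := audit_rule(*parsed)):
            report[" ".join(line.split())] = findings
    return report
```

Run audit_script over the contents of /etc/rc.d/rc.firewall to get the report for the whole file; the ADMIN-only SSH rule in the sample comes back clean while the other three are flagged.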

Create a Signature in Zimbra


Create a Signature
A signature adds several lines of text automatically to your email. Usually this is your company and contact information. To create a signature in Zimbra, open your account and choose Preferences. When you open Preferences you will see the Signature tab. Select the tab.


When the signature tab opens you will see that it is empty.  Choose Edit and you can create your signature.


Enter the information for your signature. Note that you can format it as plain text or as HTML. Provide a name for your signature and select “Done”.


Once you have created a signature you can see that “Add Signature” is available to add a second or third signature. This allows you to use different signatures for different clients or friends. Here you can see that when you compose an email you can add the signature manually.

Here is your signature added to the email.


If you want to make the signature permanent, choose “Preferences” and “Signature”. Below your signature you will see “Using Signatures”; now select the “Accounts Page”, which will allow you to make it permanent.


Change the “Do Not Attach Signature” to the signature of your choice.


Distribution List in Zimbra


Distribution List

The Distribution List is a list of users that you can send mail to all at once. Instead of having to use CC: or BCC: you can have a permanent list to send to. This is a great way to send company mail: you address it to one account and it is distributed to the entire staff.

When you want to create a new list, choose “New” from the Administration panel and then “Distribution list”. If you select Search under “Add Members to this list” you will get a list of all the users on the server. Then select each user you want to add by highlighting the user and clicking “Add”.


Once you have added members they will be listed under “List Members”. You now need to create a List Name. Be aware that this list name will end up being an email address. For security reasons, and to reduce spam, choose a list name that is not a common word, for example “tr5u67h”, because spammers are less likely to find and abuse the list. Once you have done that, save and test by sending an email to the list name, in this example test@my_domain.


Be careful to note that when “Can receive mail” is checked, mail to this address is delivered to the whole list of users. To protect your list when it is not in use, uncheck this so it cannot be abused. When it is unchecked, senders will get this message when they try to send to the list:

This is an automatically generated Delivery Status Notification

Delivery to the following recipient failed permanently:

test@my_domain

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 550 550 5.1.1 <test@my_domain>: Recipient address rejected: my_domain (state 14).

Adding Lists From a .csv File

You may have a list of users in .csv format that you want to add to the server and then to your distribution list. The .csv file must have three columns: email_address, user_name, password. If you do not provide a password, the user will be asked to create one the first time they log in.

Here is what a .csv file should look like.

tom@example.com, tom, Ybhd45p
jane@example.com, jane, Yhnd34v
joe@example.com, joe, &iggw#
jerry@example.com, jerry, igfw34

Go to “Manage Distribution Lists” and select “Bulk Provision”. A window will open that lets you browse to the file with your users.


Your file will be read and you will see the three columns of user information. Choose Next.


When you proceed it will add the users to the server.


Now open your Distribution List and use “Search” to locate the users you entered. Add the ones you want, and you have completed the addition of all the users.

You can add a Distribution List to another list and view the relationship between lists. Be careful with this, as you can create a real mess by intertwining lists.
