Security Update cPremote (Important)

Hello,

There was a security bug in old versions of cPremote up to version 6.7. You can update your cPremote installation to the latest version, 6.9, which contains the fix.

Further details about this bug will be published soon after the installations have been updated. If you have any questions, please feel free to contact our support desk.

To update cPremote, simply run the following command from the server shell:

# sh /etc/cron.weekly/updatecpremote.sh

How to configure Zimbra + CSF – The Best Zimbra Firewall Configuration

CSF is one of the best open source firewalls and is used on most hosting servers, such as cPanel and DirectAdmin. It is also one of the best firewalls for a Zimbra mail server. This documentation will help you configure the CSF firewall on a standalone Zimbra installation.

Before starting the installation, read the documentation at http://wiki.zimbra.com/wiki/Ports ; it gives a quick overview of the ports that need to be open on a Zimbra server.

Install CSF:

You can download CSF from http://configserver.com/cp/csf.html and install it. After that, open the CSF configuration and enable the following ports:

TCP_IN = "22,25,53,80,110,143,443,465,587,993,995,7071"
TCP_OUT = "22,25,53,80,110,113,443,465,587,993,995,7071"

Now open the file /etc/csf/csf.pignore and add the following Zimbra binary paths:

exe:/opt/zimbra/amavisd/sbin/amavisd
exe:/opt/zimbra/clamav/bin/freshclam
exe:/opt/zimbra/clamav/sbin/clamd
exe:/opt/zimbra/cyrus-sasl/sbin/saslauthd
exe:/opt/zimbra/httpd-2.4.3/bin/httpd
exe:/opt/zimbra/httpd/bin/rotatelogs
exe:/opt/zimbra/java/bin/java
exe:/opt/zimbra/libexec/logswatch
exe:/opt/zimbra/libexec/zmmailboxdmgr
exe:/opt/zimbra/mysql/bin/mysqld
exe:/opt/zimbra/opendkim/sbin/opendkim
exe:/opt/zimbra/openldap/sbin/slapd
exe:/opt/zimbra/postfix/libexec/master

This whitelists these binaries so that CSF's process tracking (lfd) ignores them.

Now you can start CSF as follows and test it.

# /etc/init.d/csf start

Test the mail server and its functionality. After that you can disable testing mode in csf.conf and reload CSF. You can also apply other generic CSF tweaks at that point.
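Before disabling testing mode, the port list can be checked mechanically. The script below is an added example, not part of the original post: it reads a csf.conf, reports which ports from the TCP_IN list above are not open, and tells whether TESTING is still on. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a csf.conf against the TCP_IN list from the post.
# Function names are hypothetical; the sample config below is constructed.

ZIMBRA_TCP_IN="22 25 53 80 110 143 443 465 587 993 995 7071"

# Print the value of a KEY = "value" line from a csf.conf-style file.
csf_get() {  # usage: csf_get KEY FILE
    sed -n "s/^[[:space:]]*${1}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | tail -n 1
}

# Print the ports from ZIMBRA_TCP_IN that TCP_IN does not open.
missing_zimbra_ports() {  # usage: missing_zimbra_ports FILE
    open=$(csf_get TCP_IN "$1" | tr ',' ' ')
    missing=""
    for want in $ZIMBRA_TCP_IN; do
        found=no
        for have in $open; do
            case "$have" in
                *:*)  # CSF writes port ranges as low:high
                    [ "$want" -ge "${have%%:*}" ] && [ "$want" -le "${have##*:}" ] && found=yes ;;
                *)  [ "$have" = "$want" ] && found=yes ;;
            esac
        done
        [ "$found" = yes ] || missing="$missing $want"
    done
    echo "${missing# }"
}

# Exit 0 while TESTING = "1", i.e. before the step that disables testing mode.
csf_in_testing_mode() {  # usage: csf_in_testing_mode FILE
    [ "$(csf_get TESTING "$1")" = "1" ]
}

# Constructed sample: port 7071 was left out and testing mode is still on.
sample=$(mktemp)
cat > "$sample" <<'EOF'
TESTING = "1"
TCP_IN = "22,25,53,80,110,143,443,465,587,993,995"
EOF
echo "missing from TCP_IN: $(missing_zimbra_ports "$sample")"
csf_in_testing_mode "$sample" && echo "TESTING mode is still enabled"
rm -f "$sample"
```

On a real server, pass /etc/csf/csf.conf to both functions.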

Syslint Technologies provides all sorts of Zimbra technical support and management services.

Nginx Security Update For All Nginx Installations Up To Version 1.4.0

Greg MacManus, of iSIGHT Partners Labs, found a security problem
in several recent versions of nginx. A stack-based buffer
overflow might occur in a worker process while handling a
specially crafted request, potentially resulting in arbitrary code
execution (CVE-2013-2028).

The problem affects nginx 1.3.9 – 1.4.0.

The problem is fixed in nginx 1.5.0, 1.4.1.

Patch for the problem can be found here:

http://nginx.org/download/patch.2013.chunked.txt

As a temporary workaround the following configuration can be used in each server{} block:

    if ($http_transfer_encoding ~* chunked) {
        return 444;
    }

Update Your cPnginx:

To update cPnginx, run the following command:

# /scripts/installnginx --version=1.4.1

Update Your Danginx:

To update Danginx, run the following command:

# /usr/local/directadmin/scripts/installnginx --version=1.4.1
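To decide which hosts need the update first, the affected range and the workaround from the advisory can be checked by script. This is an added example, not code from nginx or from the original post: it classifies a version string (for instance the output of `nginx -v`) against the range 1.3.9 to 1.4.0 and looks for the workaround in a config file. The function names are hypothetical, the sample config is constructed, and the workaround check only confirms the snippet appears somewhere in the file, not in every server{} block.

```shell
#!/bin/sh
# Added example: triage a host for CVE-2013-2028 using the version range and
# workaround from the advisory. Function names are hypothetical.

# Turn "nginx version: nginx/1.4.0" (nginx -v output) or "1.4.0" into an integer.
nginx_ver_num() {
    v=${1##*nginx/}       # drop everything up to the version number
    v=${v%%[!0-9.]*}      # drop trailing text such as " (Ubuntu)"
    case "$v" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) return 1 ;;
    esac
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}
    echo $(( $major * 1000000 + $minor * 1000 + ${patch%%.*} ))
}

# Exit 0 if the version lies in the affected range 1.3.9 - 1.4.0,
# 1 if it is outside the range, 2 if no version could be parsed.
nginx_chunked_affected() {
    n=$(nginx_ver_num "$1") || return 2
    [ "$n" -ge 1003009 ] && [ "$n" -le 1004000 ]
}

# Exit 0 if FILE contains the workaround's condition followed by "return 444".
has_chunked_workaround() {
    tr '\n' ' ' < "$1" | grep -Eq \
      'if[[:space:]]*\([[:space:]]*\$http_transfer_encoding[[:space:]]+~\*[[:space:]]+chunked[[:space:]]*\)[[:space:]]*\{[[:space:]]*return[[:space:]]+444[[:space:]]*;'
}

# Print one verdict for a version string and a config file.
triage_nginx() {  # usage: triage_nginx VERSION_STRING CONF_FILE
    rc=0; nginx_chunked_affected "$1" || rc=$?
    case "$rc" in
        0) if has_chunked_workaround "$2"; then echo "affected, workaround present"
           else echo "affected, unmitigated"; fi ;;
        1) echo "not affected" ;;
        *) echo "unknown version" ;;
    esac
}

# Constructed sample: one server{} block carrying the workaround.
conf=$(mktemp)
printf '%s\n' 'server {' '    if ($http_transfer_encoding ~* chunked) {' \
    '        return 444;' '    }' '}' > "$conf"
triage_nginx "nginx version: nginx/1.4.0" "$conf"
triage_nginx "1.4.1" "$conf"
rm -f "$conf"
```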

How to Configure Zimbra With External Email Address

You can add your external email accounts to your Zimbra email server from the end-user interface. But sometimes the test from Zimbra -> Preferences -> Accounts will fail with an error like the following:

--------------------
2013-05-05 12:29:59,533 WARN  [qtp1347725365-191:https://x.x.x.xservice/soap/TestDataSourceRequest] [name=mail@yourdomain.com;mid=3;ip=10.0.0.1;ua=ZimbraWebClient - FF17 (Linux)/8.0.3_GA_5664;] datasource - Test failed: DataSource{id=TestId, type=pop3, enabled=false, name=Test, host=yourdomain.com, port=110, connectionType=cleartext, username=mail@yourdomain.com, folderId=-1}
com.zimbra.common.service.ServiceException: system failure: Unable to connect to POP3 server: DataSource{id=TestId, type=pop3, enabled=false, name=Test, host=mail.yourdomain.com, port=110, connectionType=cleartext, username=mail@yourdomainc.om, folderId=-1}
ExceptionId:qtp1347725365-191:https://x.x.x.x:443/service/soap/TestDataSourceRequest:1367737199532:686e92b7a615f13b
Code:service.FAILURE
at com.zimbra.common.service.ServiceException.FAILURE(ServiceException.java:258)
at com.zimbra.cs.datasource.Pop3Sync.connect(Pop3Sync.java:157)
at com.zimbra.cs.datasource.Pop3Sync.test(Pop3Sync.java:110)
at com.zimbra.cs.datasource.DataSourceManager.test(DataSourceManager.java:213)
at com.zimbra.cs.service.mail.TestDataSource.handle(TestDataSource.java:131)
at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:500)
at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:363)
at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:236)
at com.zimbra.soap.SoapServlet.doWork(SoapServlet.java:290)
at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:206)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:208)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:565)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1361)
at com.zimbra.cs.servlet.SetHeaderFilter.doFilter(SetHeaderFilter.java:57)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1332)
at org.eclipse.jetty.servlets.UserAgentFilter.doFilter(UserAgentFilter.java:77)
at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:181)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1332)
at com.zimbra.cs.servlet.ZimbraQoSFilter.doFilter(ZimbraQoSFilter.java:114)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1332)
at org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:464)
at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:327)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1332)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:477)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:119)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:227)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1031)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:406)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:186)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:965)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:250)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:149)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:111)
at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:312)
at org.eclipse.jetty.server.handler.DebugHandler.handle(DebugHandler.java:77)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:111)
at org.eclipse.jetty.server.Server.handle(Server.java:349)
at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:452)
at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:894)
at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:948)
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:857)
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:77)
at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:191)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:606)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:46)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:603)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:538)
at java.lang.Thread.run(Thread.java:722)
--------------------

The solution is as follows:

1) Log in to your Zimbra server over SSH and do the following:

# su - zimbra
# zmlocalconfig | grep javamail_pop3_enable_starttls

If the result of the above command is "javamail_pop3_enable_starttls = true", you need to change it to false.

2) Change the value to false and restart mailboxd:

# zmlocalconfig -e javamail_pop3_enable_starttls=false
# zmmailboxdctl restart

Now log in to Zimbra, add the email account and test it. If you still see an issue with SSL, do the following too:

# zmlocalconfig | grep certs
  data_source_trust_self_signed_certs = false
  mailboxd_truststore = /opt/zimbra/java/jre/lib/security/cacerts
  ssl_allow_accept_untrusted_certs = true
  ssl_allow_mismatched_certs = true
  ssl_allow_untrusted_certs = false
# zmlocalconfig -e ssl_allow_untrusted_certs=true
# zmlocalconfig -e data_source_trust_self_signed_certs=true
# zmmailboxdctl restart

This will fix your issue with external email accounts in Zimbra.
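After these changes it is worth recording which TLS checks the server no longer enforces for external accounts. The function below is an added example, not part of the original post or of Zimbra: it reads `zmlocalconfig` output and prints the keys named above whose current value relaxes TLS handling. The function name is hypothetical, the sample input is constructed, and treating `javamail_pop3_enable_starttls = false` as relaxed is this example's reading of the key.

```shell
#!/bin/sh
# Added example: list the TLS-related keys from the post whose current value
# relaxes checking. The function name is hypothetical.

# Reads `zmlocalconfig` output ("key = value" lines) on stdin and prints the
# name of every relaxed key, one per line, in input order.
relaxed_tls_settings() {
    awk -F'=' '
        {
            key = $1; val = $2
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
        }
        key == "javamail_pop3_enable_starttls" && val == "false" { print key }
        (key == "ssl_allow_untrusted_certs" ||
         key == "ssl_allow_accept_untrusted_certs" ||
         key == "ssl_allow_mismatched_certs" ||
         key == "data_source_trust_self_signed_certs") && val == "true" { print key }
    '
}

# Constructed sample: the settings as they stand after the commands above.
relaxed_tls_settings <<'EOF'
javamail_pop3_enable_starttls = false
data_source_trust_self_signed_certs = true
mailboxd_truststore = /opt/zimbra/java/jre/lib/security/cacerts
ssl_allow_accept_untrusted_certs = true
ssl_allow_mismatched_certs = true
ssl_allow_untrusted_certs = true
EOF
```

On the server, run it as the zimbra user with `zmlocalconfig | relaxed_tls_settings`.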