Hello,
There was a security bug in the old version of cpremote upto version 6.7 . You can update the cpremote installation to latest version 6.9 . This contains the fix.
Further detail about this bug will be published soon after updating the installations.If you have any questions , please feel free to contact our support desk.
For updating cPremote simply run the following command from the server shell,
# sh /etc/cron.weekly/updatecpremote.sh
CSF is one of the best opensource firewalls that using in most of the hosting servers like cPanel and Directadmin . Also it is one of the best firewall for installing Zimbra Mail server . This documentation will help you to configure the CSF firewall in a Zimbra Standalone installation server.
Before starting the installation , you may need to read the documentation available on http://wiki.zimbra.com/wiki/Ports , this will help you to get a quick understanding of ports that required to open in a Zimbra server.
Install CSF :
You can download CSF from http://configserver.com/cp/csf.html and install it . After that open the CSF configuration and enable the following ports,
TCP_IN = "22,25,53,80,110,143,443,465,587,993,995,7071" TCP_OUT = "22,25,53,80,110,113,443,465,587,993,995,7071"
Now you need to open the file /etc/csf/csf.pignore and add the following zimbra packages paths.
exe:/opt/zimbra/amavisd/sbin/amavisd exe:/opt/zimbra/clamav/bin/freshclam exe:/opt/zimbra/clamav/sbin/clamd exe:/opt/zimbra/cyrus-sasl/sbin/saslauthd exe:/opt/zimbra/httpd-2.4.3/bin/httpd exe:/opt/zimbra/httpd/bin/rotatelogs exe:/opt/zimbra/java/bin/java exe:/opt/zimbra/libexec/logswatch exe:/opt/zimbra/libexec/zmmailboxdmgr exe:/opt/zimbra/mysql/bin/mysqld exe:/opt/zimbra/opendkim/sbin/opendkim exe:/opt/zimbra/openldap/sbin/slapd exe:/opt/zimbra/postfix/libexec/master
This will help to white list these binaries in CSF
Now you can start the CSF as follows and test it.
# /etc/init.d/csf start
You may need to test the mail server and its functionalities . After that you can disable the testing mode in csf.conf and reload CSF. You can also perform other generic CSF tweaks after that.
Syslint Technologies provide all sort of Zimbra Technical Support and management services.
Greg MacManus, of iSIGHT Partners Labs, found a security problem
in several recent versions of nginx. A stack-based buffer
overflow might occur in a worker process while handling a
specially crafted request, potentially resulting in arbitrary code
execution (CVE-2013-2028).
The problem affects nginx 1.3.9 – 1.4.0.
The problem is fixed in nginx 1.5.0, 1.4.1.
Patch for the problem can be found here:
http://nginx.org/download/patch.2013.chunked.txt
As a temporary workaround the following configuration
can be used in each server{} block
if ($http_transfer_encoding ~* chunked) {
return 444;
}
For updating the cPnginx run the following commands,
# /scripts/installnginx --version=1.4.1
For updating the Danginx please run the following command,
# /usr/local/directadmin/scripts/installnginx --version=1.4.1
You can add your external email accounts to your zimbra email server from your end user interface . But sometimes the testing from Zimbr -> Preferences -> Accounts will fail with an error like as follows,
--------------------
2013-05-05 12:29:59,533 WARN [qtp1347725365-191:https://x.x.x.xservice/soap/TestDataSourceRequest] [name=mail@yourdomain.com;mid=3;ip=10.0.0.1;ua=ZimbraWebClient - FF17 (Linux)/8.0.3_GA_5664;] datasource - Test failed: DataSource{id=TestId, type=pop3, enabled=false, name=Test, host=yourdomain.com, port=110, connectionType=cleartext, username=mail@yourdomain.com, folderId=-1}
com.zimbra.common.service.ServiceException: system failure: Unable to connect to POP3 server: DataSource{id=TestId, type=pop3, enabled=false, name=Test, host=mail.yourdomain.com, port=110, connectionType=cleartext, username=mail@yourdomainc.om, folderId=-1}
ExceptionId:qtp1347725365-191:https://x.x.x.x:443/service/soap/TestDataSourceRequest:1367737199532:686e92b7a615f13b
Code:service.FAILURE
at com.zimbra.common.service.ServiceException.FAILURE(ServiceException.java:258)
at com.zimbra.cs.datasource.Pop3Sync.connect(Pop3Sync.java:157)
at com.zimbra.cs.datasource.Pop3Sync.test(Pop3Sync.java:110)
at com.zimbra.cs.datasource.DataSourceManager.test(DataSourceManager.java:213)
at com.zimbra.cs.service.mail.TestDataSource.handle(TestDataSource.java:131)
at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:500)
at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:363)
at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:236)
at com.zimbra.soap.SoapServlet.doWork(SoapServlet.java:290)
at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:206)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:208)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:565)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1361)
at com.zimbra.cs.servlet.SetHeaderFilter.doFilter(SetHeaderFilter.java:57)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1332)
at org.eclipse.jetty.servlets.UserAgentFilter.doFilter(UserAgentFilter.java:77)
at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:181)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1332)
at com.zimbra.cs.servlet.ZimbraQoSFilter.doFilter(ZimbraQoSFilter.java:114)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1332)
at org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:464)
at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:327)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1332)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:477)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:119)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:227)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1031)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:406)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:186)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:965)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:250)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:149)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:111)
at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:312)
at org.eclipse.jetty.server.handler.DebugHandler.handle(DebugHandler.java:77)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:111)
at org.eclipse.jetty.server.Server.handle(Server.java:349)
at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:452)
at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:894)
at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:948)
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:857)
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:77)
at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:191)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:606)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:46)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:603)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:538)
at java.lang.Thread.run(Thread.java:722)
--------------------
It solutions is as follows
1) Login to your zimbra sever over ssh and do the following ,
# su - zimbra # zmlocalconfig | grep javamail_pop3_enable_starttls
If you see the result of the above command as ” javamail_pop3_enable_starttls = true ” , you need to change it to false
2)
# zmlocalconfig -e javamail_pop3_enable_starttls=false # zmmailboxdctl restart
Now try to login to your zimbra and add the email account and test it. If you still see an issue with ssl , please do the following too,
# zmlocalconfig | grep certs data_source_trust_self_signed_certs = false mailboxd_truststore = /opt/zimbra/java/jre/lib/security/cacerts ssl_allow_accept_untrusted_certs = true ssl_allow_mismatched_certs = true ssl_allow_untrusted_certs = false # zmlocalconfig -e ssl_allow_untrusted_certs=true # zmlocalconfig -e data_source_trust_self_signed_certs=true # zmmailboxdctl restart
This will fix your issue with external email accounts in Zimbra.
Per Ticket Support
Sales Chat Support
Semi Dedicated Support
Server Hardening & Security
Web Hosting Startup Support
CPanel Server Management
DirectAdmin Support
Plesk Server Management
VPS Support
Linux Server Management
Cloud Administration
Zimbra Support
Database Administration
Cluster Administration
DataCenter Support
