How to configure Zimbra + CSF – Great Zimbra Firewall Configuration

CSF is one of the best opensource firewalls that using in most of the hosting servers like cPanel and Directadmin . Also it is one of the best firewall for installing Zimbra Mail server . This documentation will help you to configure the CSF firewall in a Zimbra Standalone installation server.

Before starting the installation , you may need to read the documentation available on http://wiki.zimbra.com/wiki/Ports , this will help you to get a quick understanding of ports that required to open in a Zimbra server.

Install CSF :

rm -fv csf.tgz
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
Next, test whether you have the required iptables modules:

perl /etc/csf/csftest.pl

Don't worry if you cannot run all the features, so long as the script doesn't
report any FATAL errors

After that open the CSF configuration and enable the following ports,
TCP_IN = "22,25,53,80,110,143,443,465,587,993,995,7071"
TCP_OUT = "22,25,53,80,110,113,443,465,587,993,995,7071"

Now you need to open the file /etc/csf/csf.pignore and add the following zimbra packages paths.

exe:/opt/zimbra/amavisd/sbin/amavisd
exe:/opt/zimbra/clamav/bin/freshclam
exe:/opt/zimbra/clamav/sbin/clamd
exe:/opt/zimbra/cyrus-sasl/sbin/saslauthd
exe:/opt/zimbra/httpd-2.4.3/bin/httpd
exe:/opt/zimbra/httpd/bin/rotatelogs
exe:/opt/zimbra/java/bin/java
exe:/opt/zimbra/libexec/logswatch
exe:/opt/zimbra/libexec/zmmailboxdmgr
exe:/opt/zimbra/mysql/bin/mysqld
exe:/opt/zimbra/opendkim/sbin/opendkim
exe:/opt/zimbra/openldap/sbin/slapd
exe:/opt/zimbra/postfix/libexec/master

This will help to white list these binaries in CSF

Now you can start the CSF as follows and test it.

 # /etc/init.d/csf start

You may need to test the mail server and its functionalities . After that you can disable the testing mode in csf.conf and reload CSF. You can also perform other generic CSF tweaks after that.