Zimbra Security Technical White Paper


8/11/2019 Zimbra Security Technical White Paper

VMware Zimbra Security: Protecting Your VMware Zimbra Email and Collaboration Environment

TECHNICAL WHITE PAPER


Table of Contents

VMware Zimbra Approach to Security
  Open-Source Commitment
  Flexible Object-Based Design
  Adherence to Standards
  Flexible Deployment Architecture
Tour of the Security Life Cycle
  Logging In
  Accessing Data
  Sharing Data and Sending Emails
  Monitoring and Tracking Access and Usage
  Incident Response
  Integrated Security and Compliance Functions
Zimbra Security Ecosystem
  Gateway-Level Integration
  Zimlet Integration
FAQ


VMware Zimbra Approach to Security

Today's IT organizations must handle competing demands for convenience and security. Users expect to work and collaborate from nearly any location and any type of device. Yet with increasing privacy and security regulations, and a continually changing threat environment, IT must exercise constant vigilance to protect business information and applications.

As an email, calendar and collaboration platform, VMware Zimbra is at the heart of the daily collaboration and communications that drive your business. Messaging is a business-critical application for almost every organization. At VMware, we understand that you need a range of options for addressing security and compliance, and that every organization's requirements are unique.

This paper describes the security measures inherent in VMware Zimbra Collaboration Server and the many ways in which you can integrate it into enterprise security, compliance and governance solutions and practices. It starts with the technologies and philosophies in Zimbra that shape its approach to security and compliance. These include a commitment to open-source development, an object-based design, widespread compatibility through industry standards and flexible deployment options.

Open-Source Commitment

Zimbra is an enterprise-class, open-source messaging and collaboration platform. Zimbra Collaboration Server is built using well-known and trusted open-source components, including the Linux file system (message store), Jetty (Web server and Java Servlet container), MySQL (metadata), Apache Lucene (search), Postfix (mail transfer agent), OpenLDAP (configuration data) and others. Each of these technologies draws from the broad open-source community, which imposes its own consistent level of quality assurance (QA) and scrutiny on the code.

VMware contributes code to the Open Source Software (OSS) community. Not only does this give back to the OSS community that provides so much value, it also helps Zimbra customers by validating and enhancing the architecture through the community. The open-source commitment protects your investment in collaboration and messaging technology, and you can always revert from the commercial version to the Open Source Edition of Zimbra Collaboration Server; although you will lose much of the rich additional functionality provided by the commercial version, the core functionality will remain.

Flexible, Object-Based Design

A basic design precept in Zimbra is that everything (account, domain, mail folder, calendar, etc.) is an object within a hierarchy, and every object has an associated Access Control List (ACL). This design enables very granular permissions to be defined and can be used to create a class-of-service.

A class-of-service (COS) is a Zimbra-specific object that defines, for example, the default attributes and features that are enabled or disabled for an email account. These attributes include default preference settings, mailbox quotas, message lifetime, password restrictions, attachment blocking and server pools for creation of new accounts. Each account is assigned a COS, and a COS is used to group accounts and define the feature levels for those accounts. For example, executives can be assigned to a COS that allows the Calendar application that is disabled for all other employees. By grouping accounts into specific types of COS, account features can be updated in bulk. If the COS is not explicitly set, or if the COS assigned to the user no longer exists, values come from a predefined COS called default. A COS is not restricted to a particular domain or set of domains. Delegated administrators can be set up using COS for decentralized, role-based access control.

The Zimbra security model enables Zimbra to accommodate a wide range of business scenarios while keeping the deployment simple and requiring minimal administration.


Adherence to Standards

Zimbra uses widely adopted industry standards, including:

• Secure Sockets Layer/Transport Layer Security (SSL/TLS)
• Simple Mail Transfer Protocol (SMTP)
• Secure/Multipurpose Internet Mail Extensions (S/MIME)
• Security Assertion Markup Language (SAML) 2.0
• Federal Information Processing Standard (FIPS) 140-2

Commitment to standards enables Zimbra Collaboration Server to work with nearly any desktop or mobile client and to operate within a wide partner ecosystem. You can either build your own integration solutions or link Zimbra Collaboration Server to third-party security and compliance tools.

Flexible Deployment Architecture

Zimbra Collaboration Server uses a modular architecture that supports flexible, secure deployments, with client-facing components deployed separately from the back-end components.

For example, you can run the Zimbra Proxy Server and Message Transport Agent (MTA), which handle external traffic, within the DMZ. The Lightweight Directory Access Protocol (LDAP) and Mailstore Server components can reside within another firewall, with private, non-routable addresses between them.

By protecting the server side and offering end-to-end encryption, Zimbra enables you to deliver secure messaging and collaboration to end users everywhere, even on their home computers.

Figure 1. Components of Zimbra System


Tour of the Security Life Cycle

To implement defense in depth, you need layers of protection in every phase of the solution. To describe the security layers inherent in the Zimbra solution, we'll follow the application-access life cycle, starting from the user's perspective with the login (authentication).

Logging In

Authentication (allowing access to the application) is the first step in Zimbra security. Zimbra offers four authentication options.

Native Zimbra Authentication

Zimbra supports authentication using its own internal directory. This is the simplest configuration. Administrators can define password policies with varying requirements for password length, strength and age.

Zimbra Collaboration Server 7.2 and above supports two-factor authentication using smart cards, including the U.S. Department of Defense Common Access Cards, as a physical authentication factor. By supplementing the password (something you know) with a smart card (something you have), multi-factor authentication reduces the potential for unauthorized access using stolen credentials.

Figure 2. Zimbra's layered defense, from initial access to incident response


Single Sign-On (SSO)

You can use Zimbra with existing Identity Management systems, including Microsoft Active Directory or other Lightweight Directory Access Protocol (LDAP) compliant directories, using Kerberos or a pre-authentication key. This way, users have a single, secure login for authenticating to multiple enterprise services, and you can manage access and identity from a single, central directory.

Identity Federation

Zimbra also supports SAML-based identity federation. Using this approach, a user authenticates with a SAML identity provider. The provider and the Zimbra server exchange security certificates and identity assertions before Zimbra grants access.

VMware Horizon Application Manager is an example of a SAML identity provider that works with Zimbra. Zimbra supports other federated identity solutions that use the SAML 2.0 standard.

Zimbra also supports OAuth, an API-level authentication protocol popular with large consumer service providers.

Mobile Authentication

For certain mobile devices, Zimbra Collaboration Server can ensure that the device complies with mobile security policies before allowing access. These policies might include timeouts, personal identification numbers (PINs) and local device wipe. For example, the user must enter a PIN to unlock the device; if a preconfigured number of incorrect PINs is entered, a local program wipes the content on the device.

Accessing Data

After users connect to Zimbra, authorization processes control which data they can see and which functions they can perform. For example, most users can use their own email and calendars, and some may be able to check someone else's calendar.

Everything in Zimbra (including accounts, domains, mail folders, contacts, calendars, tasks and briefcase folders) is an object with attributes that can be secured with object-level permissions. Administrators can easily create groups and assign access permissions to them to support specific business objectives.

Zimbra supports highly granular and secure authorization frameworks, using a class-of-service model. You can define specialized and unique classes of service that fit your specific business requirements. Each class of service controls everything from specific features within Zimbra to storage policies and access to third-party integration solutions using the Zimlet extensibility framework.

Sharing Permissions

Zimbra offers flexible sharing permissions for shared mail folders, contacts, calendars, task lists and briefcase folders. You can grant internal users or groups permission to view, edit or share folders or items. You can also grant external users read-only or password-based access to shared objects.

For example, you might give a colleague the permission to create, accept or delete meetings for your calendar, but not to share your calendar with other users.

Delegated, Role-Based Administration

Zimbra lets you delegate administrative tasks with highly configurable permissions. An administrator's role can be as simple as managing a distribution list or resetting forgotten passwords for a specific group of users. You can create roles for nearly any attribute and task in Zimbra. Zimbra also provides predefined roles for domain administrators and distribution-list managers.

Sharing Data and Sending Emails

After users connect to their accounts, they will probably start sending or receiving email, scheduling meetings or collaborating with others. These interactions can occur within the Zimbra server (with other users in the group) or with external users, and with devices that are mobile or outside enterprise control. Zimbra offers several strategies for protecting the privacy of data as it moves through the application and between users and devices.


Encrypting Email Messages

In Zimbra Collaboration Server 7.2 we introduced support for S/MIME, which enables encryption and decryption of email messages, even when a Web-based email client is used. Zimbra can work with public certificate authorities or certificates issued via an internal public-key infrastructure (PKI) deployment.

Data Privacy in Transit

VMware recommends that you use TLS, which supersedes SSL, for all communications between the Zimbra servers and the client (whether it is a browser-based client or a mobile application). You can set this as a default value in the Zimbra Collaboration Server administration console. Zimbra uses TLS/SSL to encrypt communications with mobile devices using ActiveSync and Zimbra Mobile, and with Zimbra Collaboration Server 7.2 and above there is an additional layer of security, with the content being encrypted with S/MIME.

Data Privacy at Rest

Data in our message store is also encrypted with S/MIME in Zimbra Collaboration Server 7.2 and above. The data is stored encrypted in our message store until the person with the appropriate private key opens the email.

Third-party solutions can also be used to encrypt the file system containing Zimbra data. For example, you might use hardware-based encryption embedded in the file-system storage.

FIPS 140-2

In an environment that requires operating in a FIPS 140-2 compliant mode, Zimbra's cryptography libraries and desktop clients can be configured to operate in and enforce FIPS 140-2 compliant algorithms and key strengths.

Digital Signatures

S/MIME also enables you to digitally sign messages to provide authentication and nonrepudiation for legal purposes. When you use digital signatures, recipients know that a message came from you, not from someone spoofing your email address.

Protection from Outage or Disaster

You can protect the broader Zimbra deployment from outages or disasters, transparently to the application. For example, you can:

• Use data replication to remove single points of failure from your storage environment
• Use backups to provide disaster site resilience

Implementing high availability and site resiliency is simple if you are running Zimbra in a VMware vSphere environment.

Monitoring and Tracking Access and Usage

While the user is busy sending and receiving email, scheduling appointments and collaborating with others, Zimbra is constantly auditing and tracking all access and usage. Zimbra logs a wide range of activities, including:

• User and administrator activity
• Login failures
• Slow queries
• Mailbox activity
• Mobile synchronization activity
• Database errors

You can set different levels of logging.

The Zimbra Collaboration Server supports the syslog format and Simple Network Management Protocol (SNMP). Log events, alerts and traps can be forwarded to log-management and event-correlation systems to create centralized policies and notifications based on your security and compliance requirements.

These logs can support forensic analysis, which is useful for our next step: incident response.


Incident Response

Even with the layers of security we've defined so far, you may need to take action to respond to a problem or mitigate risk. For example:

• A user's account credentials have been stolen
• An executive left his or her smartphone in a taxicab
• Log analysis reveals problematic activity on an administrator account

Zimbra supports incident response in several ways.

Remote Device Wiping

If a tablet or smartphone that uses Zimbra is lost or stolen, the administrator can remotely wipe the data from the device. This mitigates the risk of someone accessing the Zimbra data remotely, and of data on the device itself being compromised.

Account Lockout

You can configure a policy that automatically locks an account after a specific number of failed login attempts. The administrator can also immediately disable any account at any time.

An administrator with appropriate access privileges can also view the email messages of the suspect account to help determine if the account has been compromised.

If you are using a federated identity management solution (SAML-based SSO) with Zimbra Collaboration Server, or integrating Zimbra Collaboration Server to implement SSO with internal directories such as Active Directory, you can disable access from the central directory or identity store to prevent authentication to the Zimbra account.
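The login-failure logging described under Monitoring and Tracking and the failed-attempt lockout policy above can be checked from the logs you forward to a log-management system. The following Python script is an added example, not code from this white paper or from Zimbra: it parses constructed audit-log lines in an assumed Zimbra-style layout, tracks consecutive failed logins per account in a sliding time window, and reports accounts that reach the lockout threshold together with the source IPs involved, which is the starting point for the account review described above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a Zimbra-style audit log layout. The field names and
# ordering are an assumption for this example; adjust LINE_RE to your own log format.
SAMPLE_LOG = """\
2019-08-11 09:00:01,120 INFO  [qtp-12] [oip=203.0.113.10;ua=zclient/8.0;] security - cmd=Auth; account=alice@example.com; protocol=soap; error=authentication failed for [alice@example.com];
2019-08-11 09:00:09,331 INFO  [qtp-12] [oip=203.0.113.10;ua=zclient/8.0;] security - cmd=Auth; account=alice@example.com; protocol=soap; error=authentication failed for [alice@example.com];
2019-08-11 09:00:17,004 INFO  [qtp-13] [oip=203.0.113.10;ua=zclient/8.0;] security - cmd=Auth; account=alice@example.com; protocol=soap; error=authentication failed for [alice@example.com];
2019-08-11 09:00:25,118 INFO  [qtp-13] [oip=203.0.113.11;ua=zclient/8.0;] security - cmd=Auth; account=alice@example.com; protocol=soap; error=authentication failed for [alice@example.com];
2019-08-11 09:00:33,402 INFO  [qtp-14] [oip=203.0.113.11;ua=zclient/8.0;] security - cmd=Auth; account=alice@example.com; protocol=soap; error=authentication failed for [alice@example.com];
2019-08-11 09:01:02,900 INFO  [qtp-15] [oip=198.51.100.7;ua=Apple-iPhone/11;] security - cmd=Auth; account=bob@example.com; protocol=imap; error=authentication failed for [bob@example.com];
2019-08-11 09:01:20,515 INFO  [qtp-15] [oip=198.51.100.7;ua=Apple-iPhone/11;] security - cmd=Auth; account=bob@example.com; protocol=imap;
2019-08-11 09:05:00,000 INFO  [qtp-16] [oip=192.0.2.44;ua=zclient/8.0;] security - cmd=Auth; account=carol@example.com; protocol=soap; error=authentication failed for [carol@example.com];
2019-08-11 09:06:00,000 INFO  [qtp-16] [oip=192.0.2.44;ua=zclient/8.0;] security - cmd=Auth; account=carol@example.com; protocol=soap; error=authentication failed for [carol@example.com];
2019-08-11 09:07:00,000 INFO  [qtp-16] [oip=192.0.2.44;ua=zclient/8.0;] security - cmd=Auth; account=carol@example.com; protocol=soap; error=authentication failed for [carol@example.com];
2019-08-11 09:30:00,000 INFO  [qtp-17] [oip=192.0.2.44;ua=zclient/8.0;] security - cmd=Auth; account=carol@example.com; protocol=soap; error=authentication failed for [carol@example.com];
2019-08-11 09:31:00,000 INFO  [qtp-17] [oip=192.0.2.44;ua=zclient/8.0;] security - cmd=Auth; account=carol@example.com; protocol=soap; error=authentication failed for [carol@example.com];
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} \w+\s+\[[^\]]*\] "
    r"\[(?P<ctx>[^\]]*)\] security - cmd=Auth; account=(?P<account>[^;]+); "
    r"protocol=(?P<proto>[^;]+);(?: error=(?P<error>[^;]*);)?\s*$"
)


def parse_auth_event(line):
    """Parse one audit line into a dict; return None for lines that are not Auth events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip = re.search(r"oip=([^;]+)", m.group("ctx"))
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "account": m.group("account"),
        "protocol": m.group("proto"),
        "ip": ip.group(1) if ip else "unknown",
        "failed": m.group("error") is not None,   # success lines carry no error field
    }


def find_lockout_candidates(log_text, max_failures=5, window_minutes=10):
    """Return {account: {"failures", "ips", "last_seen"}} for every account whose
    consecutive failed logins reach max_failures inside a sliding window. A successful
    login clears the account's failure history (an assumption that mirrors a
    consecutive-failure lockout policy)."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # account -> timestamps of failures still in the window
    ips = defaultdict(set)        # account -> source IPs seen since the last success
    flagged = {}
    for line in log_text.splitlines():
        ev = parse_auth_event(line)
        if ev is None:
            continue
        account = ev["account"]
        if not ev["failed"]:
            recent[account].clear()
            ips[account].clear()
            continue
        q = recent[account]
        q.append(ev["ts"])
        ips[account].add(ev["ip"])
        # Drop failures that have aged out of the window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= max_failures and account not in flagged:
            flagged[account] = {
                "failures": len(q),
                "ips": sorted(ips[account]),
                "last_seen": ev["ts"],
            }
    return flagged


if __name__ == "__main__":
    for account, info in find_lockout_candidates(SAMPLE_LOG).items():
        print(f"{account}: {info['failures']} failed logins from {info['ips']} "
              f"by {info['last_seen']:%H:%M:%S}, lockout threshold reached")
```

With the constructed sample, only alice reaches five failures inside ten minutes; carol's five failures are spread over 26 minutes and only show up if the window is widened, which is why the threshold and window should match the lockout policy you actually configure.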

Integrated Security and Compliance Functions

Zimbra Collaboration Server comes with embedded antivirus, antispam and archiving capabilities to offer essential protection for email messaging.

Antivirus

ClamAV is an award-winning open-source antivirus software with threat definitions (for worms, viruses and phishing) updated multiple times each day. You can run ClamAV in combination with other antivirus solutions; Zimbra offers a plug-in framework for supporting antivirus.

Antispam

Zimbra Collaboration Server also has built-in antispam filtering on the server using the open-source SpamAssassin and DSPAM tools. These tools support ongoing spam-filter training (i.e., teaching the filter what is spam and what isn't), enabling organizations to optimize performance in their own environments. Users can train spam filters by moving messages in and out of their junk folders.

Archiving and Discovery

Zimbra Archiving and Discovery is a feature of the Zimbra Collaboration Server. With this integrated solution, you can select which users' email messages to archive and set retention policies for both archive and live mailboxes. Zimbra Archiving and Discovery offers powerful search indexing in a simple, cost-effective platform.

You can also integrate third-party archiving solutions with Zimbra Collaboration Server.


Zimbra Security Ecosystem

You may want or need to integrate Zimbra with broader enterprise security and compliance solutions, or extend email security and policy capabilities with third-party solutions. Zimbra integrates easily with many other solutions and supports a wide partner ecosystem. VMware maintains the VMware Ready Mail Security program for partners that deliver complementary solutions in areas including:

• Data-loss prevention
• Antivirus and antispam
• Email archiving and discovery

With an open partner ecosystem, you can invest in and deploy the measures that are most appropriate for your specific business environment.

Zimbra Collaboration Server supports two levels of integration with third-party solutions:

• Gateway-level integration
• Zimlet integration

You can find a complete list of partners at http://www.vmware.com/partners/programs/vmware-ready/mail-security.html.

Gateway-Level Integration

Through its support for SMTP protocols, Zimbra Collaboration Server offers gateway-level integration with a wide range of third-party solutions. For example, Zimbra Collaboration Server can be configured to send all messages to an SMTP gateway, which can then provide email archiving, content filtering and data-loss prevention, message policy enforcement, messaging security, spam and virus prevention, and so on.

Zimlet Integration

Tight integration with Zimbra Collaboration Server is supported by the Zimlet framework. Zimlets let users interact with third-party applications from the Zimbra Web client.

VMware partners such as Proofpoint have used Zimlets to build tight integration between their messaging-security solutions and Zimbra Collaboration Server. You can also build your own Zimlets to add custom functionality to your deployment.

Zimlets (both third-party and community-developed) are available from the Zimbra Gallery (http://gallery.zimbra.com).

FAQ

This section answers a few of the more common questions about security and Zimbra.

Q: Does Zimbra support digital signatures?
A: Zimbra Collaboration Server 7.2 and above support digital signatures through S/MIME. You can both send and receive digitally signed email messages.

Q: Do you support certificate encryption?
A: Zimbra Collaboration Server supports certificate encryption through S/MIME or through a partner such as Proofpoint.

Q: Does Zimbra provide content filters?
A: Zimbra itself does not do content filtering, but our partners do. See http://www.vmware.com/partners/programs/vmware-ready/mail-security.html.

Q: Which encryption standards does Zimbra support?
A: Zimbra Collaboration Server 7.2 supports S/MIME 3.2, S/MIME 3.1 and TLS/SSL.


Q: How does Zimbra support two-factor authentication?
A: Zimbra Collaboration Server 7.2 and above support multi-factor authentication natively using PKCS#11 compliant tokens storing X.509 certificates, such as smartcards. Zimbra can also be configured to use SSO where authentication to the Identity Management system, either locally or through a secure access gateway, requires multi-factor authentication.

Q: How does Zimbra support federated identity?
A: Zimbra supports identity federation using the SAML 2.0 protocol. VMware Zimbra can be used with a SAML 2.0 Identity Provider such as VMware Horizon Application Manager or Microsoft Active Directory Federation Services.

Q: How do I get Zimbra to work in the FIPS 140-2 mode?
A: Using desktop operating systems and web browsers that support FIPS 140-2 mode, configure the client machine to operate in FIPS mode. Zimbra will respect and enforce using FIPS 140-2 compliant algorithms and key lengths.

Q: Do I need Java for the S/MIME functionality?
A: Yes. Zimbra uses a Java applet to access local keystores and cryptography libraries on client devices for security, cross-platform and multi-browser compatibility.

Q: Does Zimbra support SPNEGO?
A: Yes. Zimbra uses SPNEGO with supporting browsers to negotiate Kerberos authentication.

Acronyms

ACL: Access Control List
ADFS: Active Directory Federation Services
COS: Class-of-service
FIPS: Federal Information Processing Standard
LDAP: Lightweight Directory Access Protocol
MBS: Mailstore Server
MTA: Message Transfer Agent
OSS: Open source software
SAML: Security Assertion Markup Language
S/MIME: Secure/Multipurpose Internet Mail Extensions
SMTP: Simple Mail Transfer Protocol
SSL: Secure Sockets Layer
SSO: Single sign-on
TLS: Transport Layer Security
ZCS: Zimbra Collaboration Server


VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com

Copyright 2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW-TWP-ZIMBRA-SECURITY-US LET-104 05/12