Zimbra servers make a lot of DNS requests, so having a locally available caching DNS server system for Zimbra to use is important. In helping customers with very active Zimbra servers, we have found that deploying BIND9 gets the job done when dnsmasq, Zimbra’s Unbound or even local Active Directory …
Zimbra mailbox servers on Ubuntu 18/20 can benefit from Linux kernel tuning to reduce swap file usage. This post will show you how. Note: this article is based in large part on information kindly provided by John Holder of Zimbra a week before his untimely passing. Over the years John …
We know that deploying MTA-STS better secures inbound email and can prevent MITM and downgrade attacks. But you need a public web server to host the ~/.well-known/mta-sts.txt file. Not everyone has access to a web server they can use for this purpose, and even if they did, securing, patching, monitoring …
Historically, Zimbra firewalling has focused on regulating only Inbound traffic, but we can better protect our Zimbra systems if we also regulate Outbound traffic by using a Stateful Firewall. What Is a Stateful Firewall? Stateful firewalls, which now account for the majority of SMB and enterprise grade firewalls, can track …
Sometimes we want to block specific domains from sending email to any of our users. If you followed the instructions to prevent nested address spoofing, the mechanism to perform system-wide sender domain blocking is already in place. If you haven’t yet deployed nested address spoofing, please go ahead and do …
The Zimbra Network Edition NG module enables a Zimbra Global Admin to create Domain Admins right from the Admin Console. But suppose you want to create a more limited or customized delegated admin account, say, to perform password resets only? To do that, we need to go to the command …
Zimbra’s Distribution Lists are widely deployed on account of their powerful productivity-enhancing features, but in a default Zimbra installation, anyone anywhere can send email to any of your distribution lists — lists like “everyone@mycompany.com” are particularly ripe for exploitation by bad actors. This post will show you how to secure your …
In this post, we’ll show you how doing selective Postfix rate limiting will improve your Zimbra system’s email deliverability. Various trade press accounts have reported that COVID resulted in email volumes essentially doubling. For large email providers, especially the free email providers like Gmail, Yahoo and Outlook.com, they have had …
Increasingly we are seeing distributed brute force login attacks on our Zimbra hosting environment, as well as on our on-premises customers’ Zimbra systems. These login attempts typically come from 10 to 20 or so different IP addresses from around the globe, and are infrequent enough that Zimbra’s Denial of Service …
This post documents a high-level architectural design reference for hosting large Zimbra deployments in Amazon Web Services cost-effectively, with a high degree of security, performance, redundancy and resiliency — and with very short RPO (Recovery Point Objective) and RTO (Recovery Time Objectives) targets. For single-server installations, you can still use …
