NTIS

Zimbra Security

One of Zimbra’s core values is to holistically emphasize safety and security. Hence we have built in best-of-breed measures to make Zimbra Collaboration Suite highly secure. This applies to both end users (virus, spam, phishing protection) and to the overall ZCS architecture / deployment framework (authentication, encryption).

Integrated Anti-virus (AV)

The ZCS server comes embedded with ClamAV, the award-winning open source AV system. It is deployed as an extension of our Postfix MTA. Its threat definitions (anti-virus, anti-worm, anti-phishing) are updated multiple times each day to maximize protection. It is enabled during ZCS installation, so all ‘end points’ running against the Zimbra server have AV protection (Outlook, ZCS web client) out-of-the-box.

You are free to use ClamAV or you can choose to run any third-party alternative. We provide a plug-in framework to make adding other services easy.

End users running the ZCS web client running on a Linux-based ZCS server also have an additional layer of protection- attachments can be viewed as html rather than being downloaded. Keeping the attachment server side is more secure and also more convenient for end users (fewer clicks).

Integrated Anti-Spam (AS)

Similar to our AV solution, ZCS also comes with built in anti-spam filtering on the server using open source tools SpamAssassin and DSPAM. These tools support ongoing training (what is spam and what isn’t), allowing organizations to optimize performance in their own environment. Each package is enabled during ZCS installation, receives regular updates, and spam training is automatically on to let users train spam filters as they move messages in and out of their Junk folders.

Zimbra Security Framework Overview

To support highly secure deployments Zimbra Collaboration Suite is designed with a classic network security model where server-side systems must be trusted, but the client-side need not be. Thus, with the server physically protected businesses and organizations can deliver secure messaging and collaboration to their end users anywhere, even on their home computers, public Internet kiosks, etc. (without being forced to deploy costly Virtual Private Networks).

Key security framework methodologies:

• Network privacy and server authentication – ZCS is able to use SSL/TLS encryption of all network communications (signified by “https:” URLS)
• Client authentication token required – “auth” tokens contain a cryptographically secure representation of the user’s individual and machine/network identity, as well as an expiration time. This auth-token prevents classic data-injection attacks on the server.
• End-to-end data encryption – ZCS has multiple implementation options for encryption between the client and server. ZCS is compatible with encryption technologies such Secure Multipurpose Internet Mail Extensions (S-MIME) or Pretty Good Privacy (PGP).

Other Web Client Security Benefits

The ZCS web client is an Ajax-based application. While it does rely on standard web platform technologies, Ajax has many inherit advantages over traditional products:

• Web client is downloaded – Ajax client code is downloaded on demand from the trusted ZCS server after a particular user logs-in. No software is left on the client for a malicious person to tamper with.
• No persistent caching of user data – A substantial exposure with traditional web mail clients is that they cache HTML data including message contents, addresses, etc. This is a significant security vulnerability Ajax applications like the ZCS client avoid because no user data is cached on disk.
• Server-side control of Zimlet mash-ups – Zimlets and other mash-ups are precluded from accessing arbitrary services on the Internet. This means the ZCS server can act as a secure, proxy gateway for accessing intranet applications, and can govern which web services are accessible for mash-up within the Zimbra Ajax web client.