
VMware Zimbra Security

Protecting Your VMware Zimbra Email and Collaboration Environment
TECHNICAL WHITE PAPER
Table of Contents
VMware Zimbra Approach to Security
  Open-Source Commitment
  Flexible, Object-Based Design
  Adherence to Standards
  Flexible Deployment Architecture
Tour of the Security Life Cycle
  Logging In
  Accessing Data
  Sharing Data and Sending Emails
  Monitoring and Tracking Access and Usage
  Incident Response
Integrated Security and Compliance Functions
Zimbra Security Ecosystem
  Gateway-Level Integration
  Zimlet Integration
FAQ
VMware Zimbra Approach to Security
Today's IT organizations must handle competing demands for convenience and security. Users expect to
work and collaborate from nearly any location and any type of device. Yet with increasing privacy and security
regulations, and a continually changing threat environment, IT must exercise constant vigilance to protect
business information and applications.
As an email, calendar and collaboration platform, VMware Zimbra is at the heart of the daily collaboration
and communications that drive your business. Messaging is a business-critical application for almost every
organization. At VMware, we understand that you need a range of options for addressing security and
compliance, and that every organization's requirements are unique.
This paper describes the security measures inherent in VMware Zimbra Collaboration Server and the many
ways in which you can integrate it into enterprise security, compliance and governance solutions and practices.
It starts with the technologies and philosophies in Zimbra that shape its approach to security and compliance.
These include a commitment to open-source development, an object-based design, widespread compatibility
through industry standards and flexible deployment options.
Open-Source Commitment
Zimbra is an enterprise-class, open-source messaging and collaboration platform. Zimbra Collaboration Server
is built using well-known and trusted open-source components, including the Linux file system (message store),
Jetty (Web server and Java Servlet container), MySQL (metadata), Apache Lucene (search), Postfix (mail transfer
agent), OpenLDAP (configuration data) and others. Each of these technologies draws from the broad open-source
community, which applies its own consistent level of quality assurance (QA) and scrutiny to the code.
VMware contributes code to the Open Source Software (OSS) community. Not only does this give back to the
OSS community that provides so much value, it also helps Zimbra customers by validating and enhancing the
architecture through the community. The open-source commitment protects your investment in collaboration and
messaging technology: you can always revert from the commercial version to the Open Source Edition of
Zimbra Collaboration Server. Although you will lose much of the rich additional functionality provided by the
commercial edition of Zimbra Collaboration Server, the core functionality will remain.
Flexible, Object-Based Design
A basic design precept in Zimbra is that everything (account, domain, mail folder, calendar, etc.) is an object
within a hierarchy, and every object has an associated Access Control List (ACL). This design enables very
granular permissions to be defined and can be used to create a class-of-service.
A class-of-service (COS) is a Zimbra-specific object that defines, for example, the default attributes and features
that are enabled or disabled for an email account. These attributes include default preference settings, mailbox
quotas, message lifetime, password restrictions, attachment blocking and server pools for creation of new accounts.
Each account is assigned a COS, and a COS is used to group accounts and define the feature levels for those accounts.
For example, executives can be assigned to a COS that enables the Calendar application while it is disabled for all other
employees. By grouping accounts into a specific type of COS, account features can be updated in bulk. If the COS
is not explicitly set, or if the COS assigned to the user no longer exists, values come from a predefined COS called
default. A COS is not restricted to a particular domain or set of domains. Delegated administrators can be set up
using COS for decentralized role-based access control.
The Zimbra security model enables Zimbra to accommodate a wide range of business scenarios while keeping
the deployment simple and requiring minimal administration.
Adherence to Standards
Zimbra uses widely adopted industry standards, including:
- Secure Sockets Layer/Transport Layer Security (SSL/TLS)
- Simple Mail Transfer Protocol (SMTP)
- Secure/Multipurpose Internet Mail Extensions (S/MIME)
- Security Assertion Markup Language (SAML) 2.0
- Federal Information Processing Standard (FIPS) 140-2
Commitment to standards enables Zimbra Collaboration Server to work with nearly any desktop or mobile
client and to operate within a wide partner ecosystem. You can either build your own integration solutions
or link Zimbra Collaboration Server to third-party security and compliance tools.
Flexible Deployment Architecture
Zimbra Collaboration Server uses a modular architecture that supports flexible, secure deployments, with
client-facing components deployed separately from the back-end components.
For example, you can run the Zimbra Proxy Server and Message Transport Agent (MTA), which handle external
traffic, within the DMZ. The Lightweight Directory Access Protocol (LDAP) and Mailstore Server components can
reside behind another firewall, with private, non-routable addresses between them.
By protecting the server side and offering end-to-end encryption, Zimbra enables you to deliver secure messaging
and collaboration to end users everywhere, even on their home computers.
Figure 1. Components of Zimbra System
Tour of the Security Life Cycle
To implement defense in depth, you need layers of protection in every phase of the solution. To describe the
security layers inherent in the Zimbra solution, we'll follow the application-access life cycle, starting from the
user's perspective with the login (authentication).
Logging In
Authentication, allowing access to the application, is the first step in Zimbra security. Zimbra offers four
authentication options.
Native Zimbra Authentication
Zimbra supports authentication using its own internal directory. This is the simplest configuration. Administrators
can define password policies with varying requirements for password length, strength and age.
Zimbra Collaboration Server 7.2 and above supports two-factor authentication using smart cards, including the
U.S. Department of Defense Common Access Cards, as a physical authentication factor. By supplementing the
password (something you know) with a smart card (something you have), multi-factor authentication reduces
the potential for unauthorized access using stolen credentials.
Figure 2. Zimbra's layered defense, from initial access to incident response
Single Sign-On (SSO)
You can use Zimbra with existing Identity Management systems including Microsoft Active Directory or other
Lightweight Directory Access Protocol (LDAP) compliant directories using Kerberos or a pre-authentication
key. This way, users have a single, secure login for authenticating to multiple enterprise services, and you can
manage access and identity from a single, central directory.
Identity Federation
Zimbra also supports SAML-based identity federation. Using this approach, a user authenticates with a SAML
identity provider. The provider and the Zimbra server exchange security certificates and identity assertions
before Zimbra grants access.
VMware Horizon Application Manager is an example of a SAML identity provider that works with Zimbra.
Zimbra supports other federated identity solutions that use the SAML 2.0 standard.
Zimbra also supports OAuth, an API-level authentication protocol popular with large consumer service providers.
Mobile Authentication
For certain mobile devices, Zimbra Collaboration Server can ensure that the device complies with mobile security
policies before allowing access. These policies might include timeouts, personal identification numbers (PINs)
and local device wipe. For example, the user must enter a PIN to unlock the device; if a preconfigured number
of incorrect PINs are entered, a local program wipes the content on the device.
Accessing Data
After users connect to Zimbra, authorization processes control which data they can see and which functions
they can perform. For example, most users can use their own email and calendars, and some may be able to
check someone else's calendar.
Everything in Zimbra (including accounts, domains, mail folders, contacts, calendars, tasks and briefcase folders)
is an object with attributes that can be secured with object-level permissions. Administrators can easily create
groups and assign access permissions to them to support specific business objectives.
Zimbra supports highly granular and secure authorization frameworks, using a class-of-service model. You can
define specialized and unique classes of service that fit your specific business requirements. Each class of service
controls everything from specific features within Zimbra to storage policies and access to third-party integration
solutions using the Zimlet extensibility framework.
Sharing Permissions
Zimbra offers flexible sharing permissions for shared mail folders, contacts, calendars, task lists and briefcase
folders. You can grant internal users or groups permission to view, edit or share folders or items. You can also grant
external users read-only or password-based access to shared objects.
For example, you might give a colleague permission to create, accept or delete meetings in your calendar, but
not to share your calendar with other users.
Delegated, Role-Based Administration
Zimbra lets you delegate administrative tasks with highly configurable permissions. An administrator's role can
be as simple as managing a distribution list or resetting forgotten passwords for a specific group of users. You
can create roles for nearly any attribute and task in Zimbra. Zimbra also provides predefined roles for domain
administrators and distribution-list managers.
Sharing Data and Sending Emails
After users connect to their accounts, they will probably start sending or receiving email, scheduling meetings
or collaborating with others. These interactions can occur within the Zimbra server (with other users in the group)
or with external users, and with devices that are mobile or outside enterprise control. Zimbra offers several strategies
for protecting the privacy of data as it moves through the application and between users and devices.
Encrypting Email Messages
In Zimbra Collaboration Server 7.2 we introduced support for S/MIME, which enables encryption and decryption
of email messages, even when a Web-based email client is used. Zimbra can work with public certificate authorities
or with certificates issued via an internal public-key infrastructure (PKI) deployment.
Data Privacy in Transit
VMware recommends that you use TLS, which supersedes SSL, for all communications between the Zimbra servers
and the client (whether it is a browser-based client or a mobile application). You can set this as a default value in
the Zimbra Collaboration Server administration console. Zimbra uses TLS/SSL to encrypt communications with
mobile devices using ActiveSync and Zimbra Mobile; with Zimbra Collaboration Server 7.2 and above, there
is an additional layer of security, because the message content itself can be encrypted with S/MIME.
Data Privacy at Rest
Data in our message store is also encrypted with S/MIME in Zimbra Collaboration Server 7.2 and above. The data
is stored encrypted in our message store until the person with the appropriate private key opens the email.
Third-party solutions can also be used to encrypt the file system containing Zimbra data. For example, you might
use hardware-based encryption embedded in the file-system storage.
FIPS 140-2
In an environment that requires operating in a FIPS 140-2 compliant mode, Zimbra's cryptography libraries and
desktop clients can be configured to use, and enforce the use of, FIPS 140-2 compliant algorithms and key strengths.
Digital Signatures
S/MIME also enables you to digitally sign messages to provide authentication and non-repudiation for legal purposes.
When you use digital signatures, recipients know that a message came from you, not from someone spoofing
your email address.
Protection from Outage or Disaster
You can protect the broader Zimbra deployment from outages or disasters, transparently to the application.
For example, you can:
- Use data replication to remove single points of failure from your storage environment
- Use backups to provide disaster-site resilience
Implementing high availability and site resiliency is simple if you are running Zimbra in
a VMware vSphere environment.
Monitoring and Tracking Access and Usage
While the user is busy sending and receiving email, scheduling appointments and collaborating with others, Zimbra
is constantly auditing and tracking all access and usage. Zimbra logs a wide range of activities, including:
- User and administrator activity
- Login failures
- Slow queries
- Mailbox activity
- Mobile synchronization activity
- Database errors
You can set different levels of logging.
The Zimbra Collaboration Server supports the syslog format and Simple Network Management Protocol (SNMP).
Log events, alerts and traps can be forwarded to log-management and event-correlation systems to create centralized
policies and notifications based on your security and compliance requirements.
These logs can support forensic analysis, which is useful for our next step: incident response.
Incident Response
Even with the layers of security we've defined so far, you may need to take action to respond to a problem
or mitigate risk. For example:
- A user's account credentials have been stolen
- An executive left his or her smartphone in a taxicab
- Log analysis reveals problematic activity on an administrator account
Zimbra supports incident response in several ways.
Remote Device Wiping
If a tablet or smartphone that uses Zimbra is lost or stolen, the administrator can remotely wipe the data from
the device. This mitigates the risk of someone accessing the Zimbra data remotely, and of data on the device
itself being compromised.
Account Lockout
You can configure a policy that automatically locks an account after a specific number of failed login attempts.
The administrator can also immediately disable any account at any time.
An administrator with appropriate access privileges can also view the email messages of the suspect account
to help determine whether the account has been compromised.
If you are using a federated identity management solution (SAML-based SSO) with Zimbra Collaboration Server, or
integrating Zimbra Collaboration Server to implement SSO with internal directories such as Active Directory, you
can disable access from the central directory or identity store to prevent authentication to the Zimbra account.
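The two checks a defender would run over the login-failure records described under Monitoring and Tracking Access and Usage, and the lockout condition described above, as an added example (not code from the white paper or from Zimbra). The log lines are constructed in a Zimbra-like audit layout, which is an assumption; the field order in a real audit.log may differ, so adjust AUTH_RE to your release.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a Zimbra-like audit format (an assumption:
# real audit.log field order and wording vary between releases).
SAMPLE_AUDIT_LOG = """\
2012-05-01 09:00:01 INFO security - cmd=Auth; account=alice@example.com; ip=203.0.113.7; protocol=soap; error=authentication failed;
2012-05-01 09:00:03 INFO security - cmd=Auth; account=alice@example.com; ip=203.0.113.7; protocol=soap; error=authentication failed;
2012-05-01 09:00:05 INFO security - cmd=Auth; account=alice@example.com; ip=203.0.113.7; protocol=soap; error=authentication failed;
2012-05-01 09:00:06 INFO security - cmd=Auth; account=alice@example.com; ip=203.0.113.7; protocol=soap; error=authentication failed;
2012-05-01 09:00:08 INFO security - cmd=Auth; account=alice@example.com; ip=203.0.113.7; protocol=soap; error=authentication failed;
2012-05-01 09:00:12 INFO security - cmd=Auth; account=carol@example.com; ip=203.0.113.7; protocol=imap; error=authentication failed;
2012-05-01 09:00:15 INFO security - cmd=Auth; account=dave@example.com; ip=203.0.113.7; protocol=imap; error=authentication failed;
2012-05-01 09:01:10 INFO security - cmd=Auth; account=bob@example.com; ip=198.51.100.4; protocol=imap;
2012-05-01 09:30:00 INFO security - cmd=Auth; account=bob@example.com; ip=198.51.100.4; protocol=imap; error=authentication failed;
2012-05-01 10:30:00 INFO security - cmd=Auth; account=bob@example.com; ip=198.51.100.4; protocol=imap; error=authentication failed;
2012-05-01 10:31:00 INFO mailbox - cmd=Search; account=bob@example.com; ip=198.51.100.4;
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?cmd=Auth; "
    r"account=(?P<account>[^;]+); ip=(?P<ip>[^;]+); protocol=[^;]+;"
    r"(?: error=(?P<error>[^;]+);)?"
)

def parse_auth_events(text):
    """Return one dict per Auth record; records for other commands are ignored."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "account": m["account"],
                "ip": m["ip"],
                "failed": m["error"] is not None,  # no error field => success
            })
    return events

def find_lockout_candidates(events, max_failures=5, window=timedelta(minutes=10)):
    """Accounts whose failures inside a sliding window reach max_failures (the
    condition a lockout policy acts on). Returns {account: ISO time reached}."""
    by_account = defaultdict(list)
    for e in events:
        if e["failed"]:
            by_account[e["account"]].append(e["ts"])
    flagged = {}
    for account, times in by_account.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop failures older than window
                start += 1
            if end - start + 1 >= max_failures:
                flagged[account] = t.isoformat()
                break
    return flagged

def find_spraying_sources(events, min_accounts=3):
    """Source IPs that failed against many distinct accounts: each account can
    stay under the lockout threshold, so this only shows up when grouped by IP."""
    accounts_by_ip = defaultdict(set)
    for e in events:
        if e["failed"]:
            accounts_by_ip[e["ip"]].add(e["account"])
    return {ip: sorted(a) for ip, a in accounts_by_ip.items() if len(a) >= min_accounts}
```

Per-account counting mirrors the lockout policy; the per-IP view is what a SIEM correlation rule adds once the logs are forwarded via syslog, since a single source failing across several accounts never trips a per-account threshold.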
Integrated Security and Compliance Functions
Zimbra Collaboration Server comes with embedded antivirus, antispam and archiving capabilities to offer
essential protection for email messaging.
Antivirus
ClamAV is an award-winning open-source antivirus software with threat definitions (for worms, viruses and phishing)
updated multiple times each day. You can run ClamAV in combination with other antivirus solutions; Zimbra offers
a plug-in framework for supporting antivirus.
Antispam
Zimbra Collaboration Server also has built-in antispam filtering on the server using the open-source SpamAssassin
and DSPAM tools. These tools support ongoing spam-filter training (i.e., teaching the filter what is spam and what
isn't), enabling organizations to optimize performance in their own environments. Users can train spam filters by
moving messages in and out of their junk folders.
Archiving and Discovery
Zimbra Archiving and Discovery is a feature of the Zimbra Collaboration Server. With this integrated solution,
you can select which users' email messages to archive and set retention policies for both archive and live
mailboxes. Zimbra Archiving and Discovery offers powerful search indexing in a simple, cost-effective platform.
You can also integrate third-party archiving solutions with Zimbra Collaboration Server.
Zimbra Security Ecosystem
You may want or need to integrate Zimbra with broader enterprise security and compliance solutions, or extend
email security and policy capabilities with third-party solutions. Zimbra integrates easily with many other solutions
and supports a wide partner ecosystem. VMware maintains the VMware Ready Mail Security program for partners
that deliver complementary solutions in areas including:
- Data-loss prevention
- Antivirus and antispam
- Email archiving and discovery
With an open partner ecosystem, you can invest in and deploy the measures that are most appropriate for your
specific business environment.
Zimbra Collaboration Server supports two levels of integration with third-party solutions:
- Gateway-level integration
- Zimlet integration
You can find a complete list of partners at http://www.vmware.com/partners/programs/vmware-ready/mail-security.html.
Gateway-Level Integration
Through its support for SMTP protocols, Zimbra Collaboration Server offers gateway-level integration with a wide
range of third-party solutions. For example, Zimbra Collaboration Server can be configured to send all messages
to an SMTP gateway, which can then provide email archiving, content filtering and data-loss prevention, message
policy enforcement, messaging security, spam and virus prevention, and so on.
Zimlet Integration
Tight integration with Zimbra Collaboration Server is supported by the Zimlet framework. Zimlets let users
interact with third-party applications from the Zimbra Web client.
VMware partners such as Proofpoint have used Zimlets to build tight integration between their messaging-security
solutions and Zimbra Collaboration Server. You can also build your own Zimlets to add custom functionality to
your deployment.
Zimlets (both third-party and community-developed) are available from the Zimbra Gallery (http://gallery.zimbra.com).
FAQ
This section answers a few of the more common questions about security and Zimbra.
Q: Does Zimbra support digital signatures?
A: Zimbra Collaboration Server 7.2 and above support digital signatures through S/MIME.
You can both send and receive digitally signed email messages.
Q: Do you support certificate encryption?
A: Zimbra Collaboration Server supports certificate encryption through S/MIME or through
a partner such as Proofpoint.
Q: Does Zimbra provide content filters?
A: Zimbra itself does not do content filtering, but our partners do.
See http://www.vmware.com/partners/programs/vmware-ready/mail-security.html.
Q: Which encryption standards does Zimbra support?
A: Zimbra Collaboration Server 7.2 supports S/MIME 3.2, S/MIME 3.1 and TLS/SSL.
Q: How does Zimbra support two-factor authentication?
A: Zimbra Collaboration Server 7.2 and above support multi-factor authentication natively using PKCS#11
compliant tokens storing X.509 certificates, such as smart cards. Zimbra can also be configured to use SSO
where authentication to the Identity Management system, either locally or through a secure access gateway,
requires multi-factor authentication.
Q: How does Zimbra support federated identity?
A: Zimbra supports identity federation using the SAML 2.0 protocol. VMware Zimbra can be used with a SAML 2.0
Identity Provider such as VMware Horizon Application Manager or Microsoft Active Directory Federation Services.
Q: How do I get Zimbra to work in FIPS 140-2 mode?
A: Using desktop operating systems and web browsers that support FIPS 140-2 mode, configure the client machine
to operate in FIPS mode. Zimbra will respect and enforce the use of FIPS 140-2 compliant algorithms and key lengths.
Q: Do I need Java for the S/MIME functionality?
A: Yes. Zimbra uses a Java applet to access local keystores and cryptography libraries on client devices
for security, cross-platform and multi-browser compatibility.
Q: Does Zimbra support SPNEGO?
A: Yes. Zimbra uses SPNEGO with supporting browsers to negotiate Kerberos authentication.
Acronyms
ACL Access Control List
ADFS Active Directory Federation Services
COS Class-of-service
FIPS Federal Information Processing Standard
LDAP Lightweight Directory Access Protocol
MBS Mailstore Server
MTA Message Transfer Agent
OSS Open source software
SAML Security Assertion Markup Language
S/MIME Secure Multipurpose Internet Mail Extensions
SMTP Simple Mail Transfer Protocol
SSL Secure Socket Layer
SSO Single sign-on
TLS Transport Layer Security
ZCS Zimbra Collaboration Server
VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com
Copyright 2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW-TWP-ZIMBRA-SECURITY-USLET-104 05/12
