I have a CentOS 5.7 server with Zimbra installed and all was working fine.
I just secured SSH by:
- changing to another port
- denying root login
- enabling `StrictModes`
- changing `AllowUsers` to only 1 user (not zimbra)
- disabling `RSAAuthentication`
- enabling `PubkeyAuthentication`
- disabling `PasswordAuthentication`
- disabling `ChallengeResponseAuthentication`
The above works for SSH'ing to the server as the allowed user and su'ing to root / sudoing.
However when I login to my webmail I cannot send / receive any messages anymore. Eeek!
By doing some searches on the web it looks like Zimbra uses ssh internally to talk to other Zimbra modules.
Anybody know how to fix this?
Best Answer
I can't really test this because I don't have a test setup of Zimbra to work with, but I'd suspect adding the `zimbra` user to AllowUsers and setting the ssh port back to 22 should be sufficient.

If you're nervous about exposing ssh on a standard port, it should be possible to configure `sshd` to listen on your alternative port as well as port 22, and use `iptables` to limit access to port 22 to the local IP address only. (Personally, I prefer to leave ssh on its standard port and limit the source IP addresses, but this may not be practical if you don't have a fixed source IP address.)

If you're nervous about exposing the `zimbra` user to the world, you might want to look into `pam_access` to limit what IP addresses the `zimbra` user may SSH from.

That said, I have a feeling that, according to the symptoms you listed, there's more going on with your server than just broken SSH access. Zimbra does not require ssh to itself for routine stuff like sending e-mail, but rather mainly for administrative purposes. You probably want to check logs in `/var/log` and `/opt/zimbra/log`.
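The configuration the answer describes, as an added example that is not part of the original post: a check that an `sshd_config` still lists port 22 and the `zimbra` user in `AllowUsers`, plus the companion `sshd_config`, `iptables` and `pam_access` lines. The alternate port (2222), the admin account (`adminuser`) and the local address (127.0.0.1) are assumed values; if Zimbra connects to the host's own public address instead of loopback, list that address too.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumed values: alternate port
# 2222, admin account "adminuser", local address 127.0.0.1. Nothing here
# touches the live system; the rule/config functions only print lines.

# Return 0 when FILE has "Port 22" and zimbra in an AllowUsers line, else 1.
sshd_config_ok() {
    awk '
        /^[ \t]*Port[ \t]+22[ \t]*$/ { p = 1 }
        /^[ \t]*AllowUsers[ \t]/ { for (i = 2; i <= NF; i++) if ($i == "zimbra") u = 1 }
        END { exit !(p && u) }
    ' "$1"
}

# sshd_config lines: keep listening on 22 next to the alternate port, and
# allow the admin user as well as zimbra.  Usage: sshd_fragment PORT ADMIN
sshd_fragment() {
    printf 'Port 22\nPort %s\nAllowUsers %s zimbra\n' "$1" "$2"
}

# iptables rules (to be run as root) so port 22 only answers the given local
# address; the alternate port stays reachable.  Usage: iptables_rules LOCAL_IP
iptables_rules() {
    printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$1"
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

# /etc/security/access.conf lines (requires "account required pam_access.so"
# in /etc/pam.d/sshd): zimbra may only log in from LOCAL_IP.
pam_access_lines() {
    printf '%s\n' "+ : zimbra : $1" "- : zimbra : ALL"
}

# Demonstration on a constructed config resembling the question's hardening:
# the alternate port only, and AllowUsers without zimbra.
demo() {
    tmp=$(mktemp)
    printf 'Port 2222\nPermitRootLogin no\nAllowUsers adminuser\n' > "$tmp"
    if sshd_config_ok "$tmp"; then before=ok; else before=broken; fi
    sshd_fragment 2222 adminuser >> "$tmp"
    if sshd_config_ok "$tmp"; then after=ok; else after=broken; fi
    rm -f "$tmp"
    echo "before=$before after=$after"   # before=broken after=ok
}

demo
iptables_rules 127.0.0.1
pam_access_lines 127.0.0.1
```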