Page 1 of 1
Hide Zimbra Version in IMAP header
Posted: Fri Mar 02, 2018 10:33 am
by drusilla.brunton
Hello,
zimbra version is searchable on Shodan. For Example:
https://www.shodan.io/search?query=8.8.6_GA_1906
https://www.shodan.io/search?query=8.0.9_GA_6191
For "8.8.6_GA_1906" you will get an IMAP-Header like this:
Code: Select all
* OK IMAP4rev1 proxy server ready
* CAPABILITY ACL BINARY CATENATE CHILDREN CONDSTORE ENABLE ESEARCH ESORT I18NLEVEL=1 ID IDLE IMAP4rev1 LIST-EXTENDED LIST-STATUS LITERAL+ MULTIAPPEND NAMESPACE QRESYNC QUOTA RIGHTS=ektx SASL-IR SEARCHRES SORT THREAD=ORDEREDSUBJECT UIDPLUS UNSELECT WITHIN XLIST STARTTLS LOGINDISABLED
A001 OK completed
* ID ("NAME" "Zimbra" "VERSION" "8.8.6_GA_1906" "RELEASE" "20171130041047")
A002 OK completed
A003 BAD invalid command
A004 OK completed
For security reason... is there a way to disable the ID-Message or replace it with some general texts?
Re: Hide Zimbra Version in IMAP header
Posted: Fri Mar 02, 2018 10:44 am
by msquadrat
You can find the correct attributes by filtering the output at
https://files.zimbra.com/docs/config-guide/index.html for ExposeVersion.
It is still pretty trivial to determine the ZCS version by other means like the copyright notice and the cache buster id (the value after the v=…) query string you can see when loading assets).
Re: Hide Zimbra Version in IMAP header
Posted: Fri Mar 02, 2018 11:00 am
by drusilla.brunton
Great. Thanks for fast replay.
Now I feel saftier
Re: Hide Zimbra Version in IMAP header
Posted: Fri Mar 02, 2018 11:11 am
by msquadrat
Just for fun, here are two useful oneliners I use every now and then (replace mail.zimbra.com with the server you're interested in):
Code: Select all
# IMAPS
(sleep 1 && echo 'show id ("name" "test")' && sleep 1) | openssl s_client -connect mail.zimbra.com:993 2>/dev/null | grep VERSION
# IMAP using STARTTLS
(sleep 1 && echo 'show id ("name" "test")' && sleep 1) | openssl s_client -connect mail.zimbra.com:143 -starttls imap 2>/dev/null | grep VERSION
Re: Hide Zimbra Version in IMAP header
Posted: Fri Mar 02, 2018 11:39 am
by drusilla.brunton
With following settings and the 'onliners' zimbra will continue exposing its version...
Code: Select all
[zimbra@mail ~]$ zmprov gs `hostname` | grep ExposeVersion
zimbraImapExposeVersionOnBanner: FALSE
zimbraLmtpExposeVersionOnBanner: FALSE
zimbraPop3ExposeVersionOnBanner: FALSE
zimbraReverseProxyImapExposeVersionOnBanner: FALSE
zimbraReverseProxyPop3ExposeVersionOnBanner: FALSE
zimbraSoapExposeVersion: FALSE
[zimbra@mail ~]$ zmprov gcf zimbraReverseProxyImapExposeVersionOnBanner
zimbraReverseProxyImapExposeVersionOnBanner: FALSE
[zimbra@mail ~]$ zmprov gcf zimbraImapExposeVersionOnBanner
zimbraImapExposeVersionOnBanner: FALSE
I'll have to say I do not change any attributes. These are all default values.
The ID Field may not corresponds with the Banner-Settings?
Re: Hide Zimbra Version in IMAP header
Posted: Fri Mar 02, 2018 10:54 pm
by msquadrat
Ok, I must admit that I never really touched these attributes, just stumbled upon them at some point :-) Looks like they were added but the code doesn't work.
Re: Hide Zimbra Version in IMAP header
Posted: Tue Dec 03, 2019 2:12 pm
by shrf
Hello
All the attributes are false as you can see below
zimbraImapExposeVersionOnBanner: FALSE
zimbraLmtpExposeVersionOnBanner: FALSE
zimbraPop3ExposeVersionOnBanner: FALSE
zimbraReverseProxyImapExposeVersionOnBanner: FALSE
zimbraReverseProxyPop3ExposeVersionOnBanner: FALSE
zimbraSoapExposeVersion: FALSE
however when I tried below on my Zimbra and I can see the version :
$ (sleep 1 && echo 'show id ("name" "test")' && sleep 1) | openssl s_client -connect my-domain.com:993 2>/dev/null | grep VERSION
* ID ("NAME" "Zimbra" "VERSION" "8.8.11_GA_3780" "RELEASE" "20190221131941")
How can I hide this ?
Thanks
