Hide Zimbra Version in IMAP header

[drusilla.brunton]

Hello,

zimbra version is searchable on Shodan. For Example:

https://www.shodan.io/search?query=8.8.6_GA_1906
https://www.shodan.io/search?query=8.0.9_GA_6191

For "8.8.6_GA_1906" you will get an IMAP-Header like this:

Code: Select all

* OK IMAP4rev1 proxy server ready
* CAPABILITY ACL BINARY CATENATE CHILDREN CONDSTORE ENABLE ESEARCH ESORT I18NLEVEL=1 ID IDLE IMAP4rev1 LIST-EXTENDED LIST-STATUS LITERAL+ MULTIAPPEND NAMESPACE QRESYNC QUOTA RIGHTS=ektx SASL-IR SEARCHRES SORT THREAD=ORDEREDSUBJECT UIDPLUS UNSELECT WITHIN XLIST STARTTLS LOGINDISABLED
A001 OK completed
* ID ("NAME" "Zimbra" "VERSION" "8.8.6_GA_1906" "RELEASE" "20171130041047")
A002 OK completed
A003 BAD invalid command
A004 OK completed

For security reason... is there a way to disable the ID-Message or replace it with some general texts?

[msquadrat]

You can find the correct attributes by filtering the output at https://files.zimbra.com/docs/config-guide/index.html for ExposeVersion.

It is still pretty trivial to determine the ZCS version by other means like the copyright notice and the cache buster id (the value after the v=…) query string you can see when loading assets).

[drusilla.brunton]

Great. Thanks for fast replay.

Now I feel saftier

[msquadrat]

Just for fun, here are two useful oneliners I use every now and then (replace mail.zimbra.com with the server you're interested in):

Code: Select all

# IMAPS
(sleep 1 && echo 'show id ("name" "test")' && sleep 1) | openssl s_client -connect mail.zimbra.com:993 2>/dev/null | grep VERSION
# IMAP using STARTTLS
(sleep 1 && echo 'show id ("name" "test")' && sleep 1) | openssl s_client -connect mail.zimbra.com:143 -starttls imap 2>/dev/null | grep VERSION

[drusilla.brunton]

With following settings and the 'onliners' zimbra will continue exposing its version...

Code: Select all

[zimbra@mail ~]$ zmprov gs `hostname` | grep ExposeVersion
zimbraImapExposeVersionOnBanner: FALSE
zimbraLmtpExposeVersionOnBanner: FALSE
zimbraPop3ExposeVersionOnBanner: FALSE
zimbraReverseProxyImapExposeVersionOnBanner: FALSE
zimbraReverseProxyPop3ExposeVersionOnBanner: FALSE
zimbraSoapExposeVersion: FALSE

[zimbra@mail ~]$ zmprov gcf zimbraReverseProxyImapExposeVersionOnBanner
zimbraReverseProxyImapExposeVersionOnBanner: FALSE
[zimbra@mail ~]$ zmprov gcf zimbraImapExposeVersionOnBanner
zimbraImapExposeVersionOnBanner: FALSE

I'll have to say I do not change any attributes. These are all default values.

The ID Field may not corresponds with the Banner-Settings?

[msquadrat]

Ok, I must admit that I never really touched these attributes, just stumbled upon them at some point :-) Looks like they were added but the code doesn't work.

[shrf]

Hello

All the attributes are false as you can see below

zimbraImapExposeVersionOnBanner: FALSE
zimbraLmtpExposeVersionOnBanner: FALSE
zimbraPop3ExposeVersionOnBanner: FALSE
zimbraReverseProxyImapExposeVersionOnBanner: FALSE
zimbraReverseProxyPop3ExposeVersionOnBanner: FALSE
zimbraSoapExposeVersion: FALSE

however when I tried below on my Zimbra and I can see the version :

$ (sleep 1 && echo 'show id ("name" "test")' && sleep 1) | openssl s_client -connect my-domain.com:993 2>/dev/null | grep VERSION
* ID ("NAME" "Zimbra" "VERSION" "8.8.11_GA_3780" "RELEASE" "20190221131941")

How can I hide this ?

Thanks