CSF is one of the best opensource firewalls that using in most of the hosting servers like cPanel and Directadmin . Also it is one of the best firewall for installing Zimbra Mail server . This documentation will help you to configure the CSF firewall in a Zimbra Standalone installation server.
Before starting the installation , you may need to read the documentation available on http://wiki.zimbra.com/wiki/Ports , this will help you to get a quick understanding of ports that required to open in a Zimbra server.
Install CSF :
rm -fv csf.tgz wget http://www.configserver.com/free/csf.tgz tar -xzf csf.tgz cd csf sh install.sh
Next, test whether you have the required iptables modules: perl /etc/csf/csftest.pl Don't worry if you cannot run all the features, so long as the script doesn't report any FATAL errors After that open the CSF configuration and enable the following ports,
TCP_IN = "22,25,53,80,110,143,443,465,587,993,995,7071" TCP_OUT = "22,25,53,80,110,113,443,465,587,993,995,7071"
Now you need to open the file /etc/csf/csf.pignore and add the following zimbra packages paths.
exe:/opt/zimbra/amavisd/sbin/amavisd exe:/opt/zimbra/clamav/bin/freshclam exe:/opt/zimbra/clamav/sbin/clamd exe:/opt/zimbra/cyrus-sasl/sbin/saslauthd exe:/opt/zimbra/httpd-2.4.3/bin/httpd exe:/opt/zimbra/httpd/bin/rotatelogs exe:/opt/zimbra/java/bin/java exe:/opt/zimbra/libexec/logswatch exe:/opt/zimbra/libexec/zmmailboxdmgr exe:/opt/zimbra/mysql/bin/mysqld exe:/opt/zimbra/opendkim/sbin/opendkim exe:/opt/zimbra/openldap/sbin/slapd exe:/opt/zimbra/postfix/libexec/master
This will help to white list these binaries in CSF
Now you can start the CSF as follows and test it.
# /etc/init.d/csf start
You may need to test the mail server and its functionalities . After that you can disable the testing mode in csf.conf and reload CSF. You can also perform other generic CSF tweaks after that.