By: zimbra
This proof-of-concept Zimlet offers data loss prevention based on Presidio. It warns the user when sending sensitive information like credit card or social security numbers.
Production use not recommended this Zimlet is a proof-of-concept, meaning it will query Presidio via Zimbra Proxy using /analyze and /anonymize. These endpoints are not protected by any means. Meaning: authentication, CSRF and DoS protections have not been implemented.
For this Zimlet to go to production a Java extension needs to be developed, that will take care of the above and will eliminate the need for a customization of Zimbra proxy template files. The idea is for interested parties to try out the Data loss prevention Zimlet and if enough interest for it exists the extension will be developed.
This Zimlet needs to access Presidio which runs in Docker, for now it can be installed on the mailbox server only.
# Add Docker's official GPG key:
sudo apt-get update
sudo apt-get install ca-certificates curl gnupg
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg
# Add the repository to Apt sources:
echo \
"deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
"$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
apt-cache policy docker-ce
sudo apt install docker-ce
sudo systemctl status docker
docker pull mcr.microsoft.com/presidio-analyzer
docker pull mcr.microsoft.com/presidio-anonymizer
docker run -d -p 5001:3000 mcr.microsoft.com/presidio-analyzer:latest
docker run -d -p 5002:3000 mcr.microsoft.com/presidio-anonymizer:latest
Add to /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
just before the final }
the following:
location ^~ /analyze/ {
proxy_pass http://127.0.0.1:5001/analyze;
}
location ^~ /anonymize/ {
proxy_pass http://127.0.0.1:5002/anonymize;
}
And run as the zimbra
user:
zmproxyctl restart
Please note that changes to the nginx template file will be removed when installing Zimbra patches and upgrades.
Download the latest zip file from the releases page and deploy as the zimbra
user as follows:
zmzimletctl deploy zimbra-zimlet-dlp.zip
zmmailboxdctl restart
Use curl from the command line on your Zimbra mailbox server to test if Presidio is working in Docker:
curl -d '{"text":"John Smith drivers license is AC432223", "language":"en"}' -H "Content-Type: application/json" -X POST http://127.0.0.1:5001/analyze
[{"analysis_explanation": null, "end": 10, "entity_type": "PERSON", "score": 0.85, "start": 0}, {"analysis_explanation": null, "end": 38, "entity_type": "US_DRIVER_LICENSE", "score": 0.6499999999999999, "start": 30}]
curl -X POST http://127.0.0.1:5002/anonymize -H "Content-type: application/json" --data "{\"text\": \"John Smith drivers license is AC432223\", \"analyzer_results\": [{\"start\": 30, \"end\": 38, \"score\": 0.6499999999999999, \"entity_type\": \"US_DRIVER_LICENSE\"}], \"anonymizers\": {\"DEFAULT\": { \"type\": \"replace\", \"new_value\": \"ANONYMIZED\" },\"PHONE_NUMBER\": { \"type\": \"mask\", \"masking_char\": \"*\", \"chars_to_mask\": 4, \"from_end\": true }}}"
{"text": "John Smith drivers license is ANONYMIZED", "items": [{"start": 30, "end": 40, "entity_type": "US_DRIVER_LICENSE", "text": "ANONYMIZED", "operator": "replace"}]}
If this works, you can try to access Presidio via Zimbra Proxy, using:
curl -d '{"text":"John Smith drivers license is AC432223", "language":"en"}' -H "Content-Type: application/json" -X POST https://zimbra.example.com/analyze
And....
Rating | No ratings or reviews |
Downloads | 181 |
Latest Version | 0.0.1 |
Categories | Security and Privacy |
Compatibility | ZCS 9.0.x , ZCS 10.0.x |
License | BSD 3-Clause |
Created | on 10/25/23 |
Updated | on 10/25/23 |