I have read: CentOS vs. Ubuntu
Yet I am still left wondering.
We want to run Zimbra for a mail server and we are familiar with CentOS. Is there any advantage to running Ubuntu 10.04 LTS Server over CentOS 5.5 for our Zimbra server?
My biggest concern: is CentOS 5.5 a bigger security risk vs Ubuntu 10.04? Or am I in the same boat regardless?
I'm going to say it depends on configuration more so than distribution, and if you're more comfortable with CentOS than Ubuntu, stick with what you know and spend more time on securing your environment than adjusting to the nuances of a different distro.
There are some key differences, namely Ubuntu + AppArmor vs. CentOS + SELinux. I've not used SELinux, so I can't comment on it, but I've heard that it's trickier to implement properly than AppArmor. Perhaps someone else with more experience can chime in here.
Two things.
If you're planning on running Zimbra Network Edition, they currently do not support CentOS, although it's by far the most voted-for request from the users. If you're using the community edition then this may not be as important. That said, I've been running Zimbra Network Edition on CentOS for over two years and haven't run into any issues. I also haven't been in a position where I've needed to open a support ticket with Zimbra.
Back to the original question about security. Zimbra installs its whole stack, so all the public-facing services are going to be part of that stack, which is maintained by Zimbra and not your distribution. So the only time the distro really comes into play is with remotely exploitable kernel issues, which both distributions deal with pretty quickly.
My experience with this is CentOS is very stable, but I find Debian and Ubuntu are easier to update. The ability to quickly and easily run updates such as security patches for my software gives me peace of mind.
As a real-world example, I had to set up a VPS to pass a PCI-DSS compliance scan. Using Ubuntu Karmic Koala with pin-holing for Aptitude packages, I set up the whole server and passed in a few hours. By comparison, installing single PHP packages for CentOS 5 when there are no yum packages available - and I had to compile my software and a lot of dependencies - has taken roughly the same amount of time for less work. This is the real difference for me.
I have had a server running CentOS 4 and cPanel compromised through brute force attacks. As gravyface has suggested though, this was probably more a configuration thing, and if you're prepared to spend a bit more time setting up CentOS 5 then it is probably fine.
Zimbra is still in Beta for Ubuntu 10.04 support in its latest (6.0.8) release. Assuming the RHEL version runs fine on CentOS (though I can't speak to this, as we run Zimbra on Ubuntu 8.04 at the moment), you may want to consider this as you decide.
It's as secure as you want it to be. It doesn't matter which distro you run, if you allow root access via SSH with a crappy password, the distro can't help you. Patch the box routinely and follow basic security guidelines and you'll be fine.