Enable Perfect Forward Secrecy in Zimbra 8+ ?

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
dar1423
Posts: 7
Joined: Sat Sep 13, 2014 3:36 am

Enable Perfect Forward Secrecy in Zimbra 8+ ?

Postby dar1423 » Sun Apr 13, 2014 2:03 pm

I want to setup Zibmra correctly for 'Perfect Forward Secrecy' support.
I've read this
TLS Forward Secrecy in Postfix
this,
Zimbra & SSL ciphers hardening
and this,
Ajcody-MTA-Postfix-Topics - Zimbra :: Wiki
In the last one I read,


The other variable/options for the "Postfix SMTP Server policy - SASL mechanism properties" you will need to know about are: forward_secrecy Require forward secrecy between sessions (breaking one session does not break earlier sessions).
But, I still don't see or understand how to specifically enable it for Zimbra ZCS 8.0.6.
What postconf/zmconfig/etc commands, or other edits, do I need to make to enable it?


15337Raunaq
Advanced member
Advanced member
Posts: 157
Joined: Sat Sep 13, 2014 2:59 am

Enable Perfect Forward Secrecy in Zimbra 8+ ?

Postby 15337Raunaq » Tue Apr 15, 2014 8:17 am

dar1423
Posts: 7
Joined: Sat Sep 13, 2014 3:36 am

Enable Perfect Forward Secrecy in Zimbra 8+ ?

Postby dar1423 » Tue Apr 15, 2014 8:32 am

That, unfortunately, references PFS only in the use case of nginx as ReverseProxy in front of Zimbra.
My use case is *NO* nginx -- i.e., just 'standalone' Zimbra.
This, then, begs the question of how to specify ciphers/order on the non-nginx case, which I'd asked here:
https://www.zimbra.com/forums/administrators/71172-how-specify-ssl-cipher-order-zcs-non-reverse-proxy-use-case.html
danielfarrelly
Advanced member
Advanced member
Posts: 144
Joined: Fri Sep 12, 2014 10:32 pm

Enable Perfect Forward Secrecy in Zimbra 8+ ?

Postby danielfarrelly » Thu Apr 17, 2014 5:45 pm

I agree this needs to be dealt with - especially considering the enormity of the whole Heartbleed fiasco. Zimbra engineers might want to be really careful how they propose to "fix" PFS on the Zimbra platform. Stating it's a feature request for an upcoming version of Zimbra is not enough. Might I recommend upping the key size to 4096, requiring 256-bit sig all the way to the CA root cert, make all default cipher suites 256-bit variants using TLS v1.2? If you need to something less, it's up to you to reconfigure - or contact Zimbra support on how to type:
zmprov mcf -zimbraSSLExcludeCipherSuites SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (which, btw... don't do)
I would think Zimbra as a company would see recent news of flaws in OpenSSL as an opportunity to reach out to its customers and provide a means of making sure their setup is secure - and be able to prove it.
dar1423
Posts: 7
Joined: Sat Sep 13, 2014 3:36 am

Enable Perfect Forward Secrecy in Zimbra 8+ ?

Postby dar1423 » Thu Apr 17, 2014 5:53 pm

User avatar
quanah
Zimbra Alumni
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm
Contact:

Enable Perfect Forward Secrecy in Zimbra 8+ ?

Postby quanah » Thu Apr 17, 2014 6:13 pm

You can already do PFS with Zimbra as long as you have nginx installed, which is the recommended way to install already.
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
danielfarrelly
Advanced member
Advanced member
Posts: 144
Joined: Fri Sep 12, 2014 10:32 pm

Enable Perfect Forward Secrecy in Zimbra 8+ ?

Postby danielfarrelly » Thu Apr 17, 2014 6:39 pm

of course you can. just as you can use a weak cipher to connect - unless you tell it not to. perhaps i was misunderstood, but a great majority of us already know how to make our zimbra installs more secure. i was making a suggestion on how you might want to better distribute information to your users.
dar1423 was looking for support on how to utilize PFS. he was told to check out bugzilla. i threw in my two cents thinking you might help him, and you respond with the above. seriously?
User avatar
quanah
Zimbra Alumni
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm
Contact:

Enable Perfect Forward Secrecy in Zimbra 8+ ?

Postby quanah » Thu Apr 17, 2014 6:43 pm

yes, seriously. I took an hour yesterday writing up and documenting how to add nginx to his configuration so he can enable PFS. That's the solution until support for it can be added to Jetty. In any case, it is always advised to install proxy now.
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
dar1423
Posts: 7
Joined: Sat Sep 13, 2014 3:36 am

Enable Perfect Forward Secrecy in Zimbra 8+ ?

Postby dar1423 » Thu Apr 17, 2014 6:44 pm

um, know your facts
quanah & I had chatted in #irc. he suggested to ME to file the bug ...
User avatar
quanah
Zimbra Alumni
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm
Contact:

Enable Perfect Forward Secrecy in Zimbra 8+ ?

Postby quanah » Thu Apr 17, 2014 6:46 pm

Yes, there is that too. ;)
I.e., if you want PFS now, you have to install nginx, period. If you don't want to use nginx, you'll have to wait until the bug I had dar1423 file is completed.
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/

Return to “Administrators”

Who is online

Users browsing this forum: tonyg and 16 guests