Enable Perfect Forward Secrecy in Zimbra 8+ ?

Posted: Sun Apr 13, 2014 2:03 pm
by dar1423
I want to set up Zimbra correctly for 'Perfect Forward Secrecy' support.
I've read this
TLS Forward Secrecy in Postfix
this,
Zimbra & SSL ciphers hardening
and this,
Ajcody-MTA-Postfix-Topics - Zimbra :: Wiki
In the last one I read,


The other variable/options for the "Postfix SMTP Server policy - SASL mechanism properties" you will need to know about are: forward_secrecy Require forward secrecy between sessions (breaking one session does not break earlier sessions).
But, I still don't see or understand how to specifically enable it for Zimbra ZCS 8.0.6.
What postconf/zmconfig/etc commands, or other edits, do I need to make to enable it?

Posted: Tue Apr 15, 2014 8:17 am
by 15337Raunaq

Posted: Tue Apr 15, 2014 8:32 am
by dar1423
That, unfortunately, references PFS only in the use case of nginx as ReverseProxy in front of Zimbra.
My use case is *NO* nginx -- i.e., just 'standalone' Zimbra.
This, then, begs the question of how to specify ciphers/order on the non-nginx case, which I'd asked here:
https://www.zimbra.com/forums/administr ... -case.html

Posted: Thu Apr 17, 2014 5:45 pm
by danielfarrelly
I agree this needs to be dealt with - especially considering the enormity of the whole Heartbleed fiasco. Zimbra engineers might want to be really careful how they propose to "fix" PFS on the Zimbra platform. Stating it's a feature request for an upcoming version of Zimbra is not enough. Might I recommend upping the key size to 4096, requiring 256-bit sig all the way to the CA root cert, make all default cipher suites 256-bit variants using TLS v1.2? If you need something less, it's up to you to reconfigure - or contact Zimbra support on how to type:
zmprov mcf -zimbraSSLExcludeCipherSuites SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (which, btw... don't do)
I would think Zimbra as a company would see recent news of flaws in OpenSSL as an opportunity to reach out to its customers and provide a means of making sure their setup is secure - and be able to prove it.

Posted: Thu Apr 17, 2014 5:53 pm
by dar1423

Posted: Thu Apr 17, 2014 6:13 pm
by quanah
You can already do PFS with Zimbra as long as you have nginx installed, which is the recommended way to install already.

Posted: Thu Apr 17, 2014 6:39 pm
by danielfarrelly
Of course you can. Just as you can use a weak cipher to connect - unless you tell it not to. Perhaps I was misunderstood, but a great majority of us already know how to make our Zimbra installs more secure. I was making a suggestion on how you might want to better distribute information to your users.
dar1423 was looking for support on how to utilize PFS. He was told to check out bugzilla. I threw in my two cents thinking you might help him, and you respond with the above. Seriously?

Posted: Thu Apr 17, 2014 6:43 pm
by quanah
yes, seriously. I took an hour yesterday writing up and documenting how to add nginx to his configuration so he can enable PFS. That's the solution until support for it can be added to Jetty. In any case, it is always advised to install proxy now.

Posted: Thu Apr 17, 2014 6:44 pm
by dar1423
Um, know your facts.
quanah & I had chatted in #irc. He suggested to ME to file the bug ...

Posted: Thu Apr 17, 2014 6:46 pm
by quanah
Yes, there is that too. ;)
I.e., if you want PFS now, you have to install nginx, period. If you don't want to use nginx, you'll have to wait until the bug I had dar1423 file is completed.