How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
User avatar
jorgedlcruz
Zimbra Alumni
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

Post by jorgedlcruz »

Hi guys,
I am writing the next Wiki article about how to obtain the best score in the Qualys SSL Labs Security Test using the different Zimbra Collaboration Releases:

https://wiki.zimbra.com/wiki/How_to_obt ... urity_Test

Is a Community Contribution Wiki, that you can edit if you have a Wiki account. If you have some expertise, or tweaks, or extra input, please add it to the Wiki, or let the feedback here. Could be great to have the best result in that test using Zimbra Collaboration, in their different Releases.
I'm waiting to hear from you.
Best regards!
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
Fabio S. Schmidt
Advanced member
Advanced member
Posts: 183
Joined: Fri Apr 25, 2014 12:42 pm

How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

Post by Fabio S. Schmidt »

Hi Jorge,

Congratulation for another great initiative !
Fabio S. Schmidt
Advanced member
Advanced member
Posts: 183
Joined: Fri Apr 25, 2014 12:42 pm

How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

Post by Fabio S. Schmidt »

Hi Jorge,



What are the recommendations to fix the Logjam issue in the IMAP, POP and SMTP services? I mean, for the 8.6 version.



Zimbra 8.0.9 is already Poodle free, isn't?



Thank you !
User avatar
jorgedlcruz
Zimbra Alumni
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

Post by jorgedlcruz »

Hi Fabio, I'm testing the Logjam in my lab, I will come later, and update the Wiki.



Zimba 8.0.9 should come with the Poodle fix, but the truth is that I've downloaded from the Website, and do a vanilla install 3 times, and always I had the Poodle issue, so following the steps in the Security Wiki fix it.



Is really strange as I thought also that 8.0.9 came with poodle fixed.
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
Fabio S. Schmidt
Advanced member
Advanced member
Posts: 183
Joined: Fri Apr 25, 2014 12:42 pm

How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

Post by Fabio S. Schmidt »

Hi Jorge,



Thanks for the Feedback, if there is anything that I could do to help in this tests just let me know.
User avatar
jorgedlcruz
Zimbra Alumni
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

Post by jorgedlcruz »

Hi Fabio,
Following the steps in this Wiki, I obtain A+ with Proxy, or A without Proxy, in Zimbra Collaboration 8.6:

https://wiki.zimbra.com/wiki/How_to_obt ... urity_Test

Then If I try the next test https://tools.keycdn.com/logjam in the different ports:

993
995
465

I obtain in all of them that we are free of Logjam:

I've just updated yesterday with the procedure to protect a Zimbra Collaboration 8.6 without Proxy, not recommended.
Best regards!
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
Fabio S. Schmidt
Advanced member
Advanced member
Posts: 183
Joined: Fri Apr 25, 2014 12:42 pm

How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

Post by Fabio S. Schmidt »

Hi Jorge,



Thank you very much for the effort and congratulations for the work, you make all the difference to the Zimbra community.
User avatar
jorgedlcruz
Zimbra Alumni
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

Post by jorgedlcruz »

Hi Fabio,
Thank you so much for your words, I've updated the Wiki and now we have:

Zimbra Collaboration 8.6 with Proxy - A+
Zimbra Collaboration 8.6 without Proxy - A
Zimbra Collaboration 8.0.9 with Proxy - A
Zimbra Collaboration 8.0.9 without Proxy - A

In 8.0.9 I have the next in the SSL Labs scan that is the reason to not obtain the A+ I think:
Downgrade attack prevention No, TLS_FALLBACK_SCSV not supported (more info)
If you have any help that I can test to improve this results, let me know. But for now you can find a good results in the Wiki.
Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
User avatar
jorgedlcruz
Zimbra Alumni
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

Post by jorgedlcruz »

Hi guys,
The steps for Zimbra Collaboration 8.7 are also included, just a few commands and Zimbra Collaboration 8.7 is fully secure :)

https://wiki.zimbra.com/wiki/How_to_obt ... ration_8.7

Waiting for your feedback.
Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
Fabio S. Schmidt
Advanced member
Advanced member
Posts: 183
Joined: Fri Apr 25, 2014 12:42 pm

How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

Post by Fabio S. Schmidt »

Hi,



Is there any way for the community to test Zimbra 8.7?
Post Reply