Disabling SMTP-SSL/465 SSLv3 on Zimbra 8.6.0



Postby kbulgrien » Thu Nov 08, 2018 11:43 pm

While considering an upgrade from Zimbra 8.6.0 P12 to 8.7 or later, it came to light that, even though we thought SSLv3 was already disabled on this server, it is not fully disabled despite Zimbra configuration that seems as though it should be.

The configuration at the time did attempt to disable SSLv3, but apparently this was insufficient to fully accomplish it.

$ zmprov gacf | grep -i SSLv3
zimbraMtaLmtpTlsProtocols: !SSLv2, !SSLv3
zimbraMtaSmtpTlsProtocols: !SSLv2, !SSLv3
zimbraMtaSmtpdTlsProtocols: !SSLv2, !SSLv3

In particular, it was noted that the test at the bottom of https://wiki.zimbra.com/wiki/How_to_disable_SSLv3#Testing_SMTP-SSL showed that SMTP-SSL on port 465 was still active.

https://www.htbridge.com/ssl/ confirmed that indeed the server was using SSLv3.

https://wiki.zimbra.com/wiki/Security/Collab/86#MTA alerted me to the fact that Zimbra 8.6.0 does not disable SSLv3 completely due to a bug (https://bugzilla.zimbra.com/show_bug.cgi?id=97186).

Though both the aforementioned documents alluded to Postfix parameters that needed to change to disable SSLv3, details were sparse. I eventually found a StackOverflow answer that explains it more clearly (https://serverfault.com/a/670347/101931).

I was able to disable SSLv3 more completely by editing /opt/zimbra/postfix/conf/main.cf and by appending:

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3

The manual changes seemed to persist after a server restart:

$ zmmtactl restart
Rewriting configuration files...done.
Stopping saslauthd...done.
Starting saslauthd...done.
/postfix-script: refreshing the Postfix mail system

They also seemed to persist following zmcontrol restart.

$ tail -3 ~/postfix/conf/main.cf
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3

It seems that this works, as the htbridge test report shows a change for the better, and the manual edit of main.cf seems to persist through rewrites by Zimbra configuration tools.

Is there a better or more appropriate way to have accomplished this change in 8.6.0?
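The checker below is an added example, not code from the post or from Zimbra. It parses a Postfix main.cf (including "name = value" lines, "#" comments and whitespace-indented continuation lines) and audits the six TLS protocol parameters the fix above touches: the three opportunistic *_tls_protocols settings that the zimbraMta*TlsProtocols attributes write, and the three *_tls_mandatory_protocols settings that Zimbra 8.6.0 leaves alone. Port 465 is the one that matters here: smtpd_tls_wrappermode=yes implies mandatory TLS, so Postfix evaluates smtpd_tls_mandatory_protocols for that port, which is why the zimbraMtaSmtpdTlsProtocols setting alone left SSLv3 reachable. The script understands the exclusion-list syntax ("!SSLv2, !SSLv3") and plain inclusion lists, as used by the Postfix shipped with Zimbra 8.6, but not the ">=TLSv1" form of later Postfix releases. The main.cf excerpt is constructed for the example, not taken from a real server.

```python
"""Audit a Postfix main.cf for SSLv2/SSLv3 still enabled on any TLS path."""
import re

# The six Postfix parameters that select TLS protocol versions. Zimbra 8.6.0's
# zimbraMta*TlsProtocols attributes only populate the first of each pair; the
# *_mandatory_* ones apply to wrapper mode (port 465) and encrypt-required
# sessions, so they must be set explicitly (the fix discussed in the post).
TLS_PROTOCOL_PARAMS = (
    "smtpd_tls_protocols", "smtpd_tls_mandatory_protocols",
    "smtp_tls_protocols", "smtp_tls_mandatory_protocols",
    "lmtp_tls_protocols", "lmtp_tls_mandatory_protocols",
)
WEAK = ("SSLv2", "SSLv3")

# Constructed excerpt resembling a Zimbra 8.6.0 main.cf (not a real file).
# Note the continuation line, the empty mandatory value, and the inclusion
# list that still names SSLv3.
SAMPLE_MAIN_CF = """\
# constructed excerpt, not a real Zimbra configuration
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2,
    !SSLv3
lmtp_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols =
smtp_tls_mandatory_protocols = SSLv3, TLSv1
"""


def parse_main_cf(text):
    """Parse main.cf syntax: 'name = value', '#' comments, continuation lines
    that start with whitespace. A later setting of the same name wins, which
    is how appending lines at the end of main.cf overrides earlier ones."""
    params = {}
    current = None
    for raw in text.splitlines():
        if raw[:1].isspace():
            # continuation of the previous logical line
            if current is not None and raw.strip():
                params[current] += " " + raw.strip()
            continue
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            current = None
            continue
        name, _, value = line.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def allows_weak(value):
    """Return the weak protocols a Postfix protocol-list value still enables.

    Semantics: an empty value enables every protocol; '!NAME' tokens exclude
    a protocol; bare names form an inclusion list. A protocol is enabled when
    it is not excluded and either no inclusion list exists or it is listed."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    if not tokens:
        return list(WEAK)
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    included = {t for t in tokens if not t.startswith("!")}
    return [p for p in WEAK
            if p not in excluded and (not included or p in included)]


def audit(text):
    """Map each TLS protocol parameter that is unset or still permits
    SSLv2/SSLv3 to the list of weak protocols it enables."""
    params = parse_main_cf(text)
    findings = {}
    for name in TLS_PROTOCOL_PARAMS:
        weak = allows_weak(params.get(name, ""))
        if weak:
            findings[name] = weak
    return findings


def fix_lines(text):
    """Lines to append to main.cf so every failing parameter excludes both."""
    return ["%s = !SSLv2, !SSLv3" % name for name in audit(text)]


if __name__ == "__main__":
    for name, weak in audit(SAMPLE_MAIN_CF).items():
        print("%-32s still enables %s" % (name, ", ".join(weak)))
    print("append to main.cf:")
    for line in fix_lines(SAMPLE_MAIN_CF):
        print("  " + line)
```

Point it at /opt/zimbra/postfix/conf/main.cf to audit a live server. Because main.cf only shows explicit settings, `postconf smtpd_tls_mandatory_protocols` (run as the zimbra user) is the authoritative view of the effective value including Postfix defaults; and the usual handshake probe, `openssl s_client -connect host:465 -ssl3`, only proves anything if the local OpenSSL build still has SSLv3 compiled in, which is why an external scanner like the one in the post is a useful second opinion.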
