https://wiki.zimbra.com/wiki/Zimbra_Rel ... v3_Support
The configuration at the time did attempt to disable SSLv3, but apparently this was insufficient to fully accomplish it.
Code:
$ zmprov gacf | grep -i SSLv3
zimbraMtaLmtpTlsProtocols: !SSLv2, !SSLv3
zimbraMtaSmtpTlsProtocols: !SSLv2, !SSLv3
zimbraMtaSmtpdTlsProtocols: !SSLv2, !SSLv3
https://www.htbridge.com/ssl/ confirmed that indeed the server was using SSLv3.
https://wiki.zimbra.com/wiki/Security/Collab/86#MTA alerted me to the fact that Zimbra 8.6.0 does not disable SSLv3 completely due to a bug (https://bugzilla.zimbra.com/show_bug.cgi?id=97186).
Though both the aforementioned documents alluded to Postfix parameters that needed to change to disable SSLv3, details were sparse. I eventually found a StackOverflow answer that explains it more clearly (https://serverfault.com/a/670347/101931).
I was able to disable SSLv3 more completely by editing /opt/zimbra/postfix/conf/main.cf and by appending:
Code:
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
Code:
$ zmmtactl restart
Rewriting configuration files...done.
Stopping saslauthd...done.
Starting saslauthd...done.
/postfix-script: refreshing the Postfix mail system
Code:
$ tail -3 ~/postfix/conf/main.cf
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
Is there a better or more appropriate way to have accomplished this change in 8.6.0?
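
Added example, not part of the original post: a shell check that goes beyond the `tail -3` above by confirming that both the `*_tls_protocols` and the `*_tls_mandatory_protocols` parameters for smtpd, smtp and lmtp exclude SSLv2 and SSLv3 in a given main.cf. The function name and the sample file contents are constructed for illustration; it recognises only the `!SSLv2, !SSLv3` exclusion form used in the post.

```shell
#!/bin/sh
# Added example: audit a Postfix main.cf for SSLv2/SSLv3 exclusions.
# Prints "UNSET <param>" when the file never sets the parameter (the
# compiled-in default then applies) and "NOEXCL <param>" when its value
# lacks !SSLv2 or !SSLv3. Returns 0 only if all six parameters pass.
# Values written as an include list (no "!") are reported as NOEXCL and
# need manual review.
audit_tls_protocols() {
    awk '
    BEGIN {
        n = split("smtpd smtp lmtp", svc, " ")
        for (i = 1; i <= n; i++) {
            name[2*i - 1] = svc[i] "_tls_protocols"            # opportunistic TLS
            name[2*i]     = svc[i] "_tls_mandatory_protocols"  # mandatory TLS
        }
    }
    /^[ \t]*(#|$)/ { next }            # comments and blank lines are ignored
    /^[ \t]/ {                         # leading whitespace continues a value
        if (cur != "") val[cur] = val[cur] " " $0
        next
    }
    {
        eq = index($0, "=")
        if (eq == 0) { cur = ""; next }
        cur = substr($0, 1, eq - 1)
        gsub(/[ \t]/, "", cur)
        val[cur] = substr($0, eq + 1)  # a later assignment replaces an earlier one
    }
    END {
        bad = 0
        for (i = 1; i <= 2*n; i++) {
            p = name[i]
            if (!(p in val)) { print "UNSET " p; bad = 1 }
            else if (val[p] !~ /!SSLv2/ || val[p] !~ /!SSLv3/) { print "NOEXCL " p; bad = 1 }
        }
        exit bad
    }' "$1"
}

# Constructed sample: only the non-mandatory parameters are set.
sample=$(mktemp)
printf '%s\n' 'smtpd_tls_protocols = !SSLv2, !SSLv3' \
              'smtp_tls_protocols = !SSLv2, !SSLv3' \
              'lmtp_tls_protocols = !SSLv2, !SSLv3' > "$sample"
audit_tls_protocols "$sample" || echo "main.cf does not exclude SSLv2/SSLv3 everywhere"
rm -f "$sample"
```

Running it again after `zmmtactl restart` shows whether the appended lines are still present once the configuration files have been rewritten.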