Disabling SMTP-SSL/465 SSLv3 on Zimbra 8.6.0


Post by kbulgrien »

While considering an upgrade from Zimbra 8.6.0 P12 to 8.7 or later, it came to light that even though we thought that SSLv3 was already disabled on this server, it is not fully disabled despite Zimbra configuration that seems as though it should be.

https://wiki.zimbra.com/wiki/Zimbra_Rel ... v3_Support

The configuration at the time did attempt to disable SSLv3, but apparently this was insufficient to fully accomplish it.

$ zmprov gacf | grep -i SSLv3
zimbraMtaLmtpTlsProtocols: !SSLv2, !SSLv3
zimbraMtaSmtpTlsProtocols: !SSLv2, !SSLv3
zimbraMtaSmtpdTlsProtocols: !SSLv2, !SSLv3

In particular, it was noted that the test at the bottom of https://wiki.zimbra.com/wiki/How_to_dis ... g_SMTP-SSL showed that SMTP-SSL on port 465 was still active.

https://www.htbridge.com/ssl/ confirmed that indeed the server was using SSLv3.

https://wiki.zimbra.com/wiki/Security/Collab/86#MTA alerted me to the fact that Zimbra 8.6.0 does not disable SSLv3 completely due to a bug (https://bugzilla.zimbra.com/show_bug.cgi?id=97186).

Though both the aforementioned documents alluded to Postfix parameters that needed to change to disable SSLv3, details were sparse. I eventually found a StackOverflow answer that explains it more clearly (https://serverfault.com/a/670347/101931).

I was able to disable SSLv3 more completely by editing /opt/zimbra/postfix/conf/main.cf and by appending:

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3

The manual changes seemed to persist after a server restart:

$ zmmtactl restart
Rewriting configuration files...done.
Stopping saslauthd...done.
Starting saslauthd...done.
/postfix-script: refreshing the Postfix mail system

They also seemed to persist following zmcontrol restart.

$ tail -3 ~/postfix/conf/main.cf
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3

It seems that this works, as the htbridge test report shows a change for the better, and the manual edit of main.cf seems to persist through rewrites by Zimbra configuration tools.

Is there a better or more appropriate way to have accomplished this change in 8.6.0?
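Editor's note, added after the post above (this is example code, not from the post, from Zimbra or from the Postfix project). The three lines the post appends work because the `*_tls_mandatory_protocols` parameters govern the protocol list whenever Postfix TLS is mandatory, which is the case for the SMTPS wrapper on port 465; the `zimbraMta*TlsProtocols` attributes shown earlier map to the `*_tls_protocols` parameters, which only cover opportunistic STARTTLS. The script below makes that edit idempotent (it replaces an existing assignment instead of appending a duplicate every time it is run), verifies the result, and adds a live probe that offers only SSLv3 to the port and expects the handshake to be refused. The path to main.cf is passed as an argument; `/opt/zimbra/postfix/conf/main.cf`, the hostname `mail.example.com`, and the sample file contents in the usage comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post, Zimbra or Postfix).
# Idempotently sets the three Postfix protocol parameters from the post in a
# main.cf-style file, verifies them, and provides a live SSLv3 probe.
# The file path is a parameter so the functions can be exercised on a copy;
# on a Zimbra host the real file is assumed to be /opt/zimbra/postfix/conf/main.cf.

TLS_KEYS="smtpd_tls_mandatory_protocols smtp_tls_mandatory_protocols lmtp_tls_mandatory_protocols"
TLS_VALUE='!SSLv2, !SSLv3'

# Set "key = value" in file $1: replace an existing assignment, otherwise append.
# A temp file is used instead of sed -i because -i differs between GNU and BSD sed.
set_pf_param() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}[[:space:]]*=" "$file"; then
        sed "s|^${key}[[:space:]]*=.*|${key} = ${value}|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Apply all three protocol settings to file $1. Safe to run repeatedly.
harden_main_cf() {
    for key in $TLS_KEYS; do
        set_pf_param "$1" "$key" "$TLS_VALUE"
    done
}

# Return 0 only if every setting is present exactly once with the expected value.
verify_main_cf() {
    for key in $TLS_KEYS; do
        [ "$(grep -c "^${key}[[:space:]]*=" "$1")" -eq 1 ] || return 1
        grep -q "^${key} = ${TLS_VALUE}\$" "$1" || return 1
    done
    return 0
}

# Live probe: offer only SSLv3 to host:port (default 465, the SMTPS wrapper port).
# Returns 0 when the server refuses the handshake (SSLv3 disabled), 1 when the
# handshake succeeds (SSLv3 still accepted). Requires an openssl build that still
# accepts -ssl3; newer builds drop it, and the function then returns 2 so the
# caller knows to use a scanner such as testssl.sh instead.
sslv3_disabled() {
    host=$1; port=${2:-465}
    openssl s_client -help 2>&1 | grep -q -- '-ssl3' || return 2
    if openssl s_client -connect "$host:$port" -ssl3 </dev/null >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Usage on the Zimbra host as the zimbra user (assumed path), then reload the MTA:
#   harden_main_cf /opt/zimbra/postfix/conf/main.cf \
#     && verify_main_cf /opt/zimbra/postfix/conf/main.cf \
#     && zmmtactl restart
#   sslv3_disabled mail.example.com 465 && echo "SSLv3 refused on 465"
```

The verification step deliberately checks for exactly one assignment per key: Postfix takes the last occurrence when a parameter is repeated, so a stray earlier line would silently win if the appended one were ever removed by a config rewrite. Run the probe from a host other than the server itself so that you are testing the same path a remote client sees.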