Already used this to get TLSv1 disabled for most protocols with:
zmprov gcf zimbraMailboxdSSLProtocols
zmprov mcf -zimbraMailboxdSSLProtocols TLSv1
zmprov gcf zimbraReverseProxySSLProtocols
zmprov mcf -zimbraReverseProxySSLProtocols TLSv1
So I have TLSv1 disabled, but my monitoring software finds a weakness in submission port 465, which still accepts TLSv1.
I am trying to harden the security by also disabling TLSv1 for port 465. I even tried disabling 465 (successfully), but then the webmail and external SMTP seem to have a problem, which is funny as I do not use NAT on port 465 anyway…
Changes in the main.cf of /opt/zimbra/common/ will not work, as any restart will rewrite this main.cf.
So I tried to find the master template, but it looks like it is just a setting which should be altered with zmprov.
These variables contain (I think) just what I need to change:
zimbraMtaSmtpdTlsMandatoryProtocols
zimbraMtaSmtpdTlsProtocols
Currently they are set with "!SSLv2, !SSLv3" and I would like to add ", !TLSv1".
I cannot find any workable way with zmprov to add this, I can get the current values using:
zmprov gcf zimbraMtaSmtpdTlsMandatoryProtocols
zmprov gcf zimbraMtaSmtpdTlsProtocols
But setting it seems to fail. Tried numerous things like zmprov mcf +/- zimbraMtaSmtpdTls…. TLSv1 or !TLSv1
It throws an error: "bash: !TLSv1: event not found"
Does anyone know how to set these values to !SSLv2, !SSLv3, !TLSv1 ?
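One way to set those two attributes without tripping bash history expansion, plus a check that port 465 then refuses TLSv1. This is an added example written for this thread, not code from the poster or from Zimbra; it assumes a standard Zimbra install with zmprov, zmmtactl and openssl on the zimbra user's PATH.

```shell
#!/bin/bash
# Added example, not from the thread. Sets the two Zimbra MTA attributes
# named in the question so that TLSv1 is excluded, sidestepping bash history
# expansion, and checks the result. Assumes a standard Zimbra install where
# zmprov, zmmtactl and openssl are on the zimbra user's PATH.
# Usage: ./script.sh apply      ./script.sh check [host]

# Pure helper: append "!TLSv1" to a Postfix protocol list unless already present.
add_no_tlsv1() {
    local current="$1"
    case "$current" in
        *'!TLSv1'*) printf '%s\n' "$current" ;;
        '')         printf '%s\n' '!TLSv1' ;;
        *)          printf '%s\n' "$current, !TLSv1" ;;
    esac
}

# Read one global-config attribute; "zmprov gcf" prints "attr: value".
current_value() {
    zmprov gcf "$1" | sed -n "s/^$1: //p"
}

# Update both attributes and restart the MTA so main.cf is regenerated.
# The value is passed as one quoted argument: inside single quotes or from a
# variable, "!" is literal, which avoids "bash: !TLSv1: event not found".
apply() {
    local attr new
    for attr in zimbraMtaSmtpdTlsProtocols zimbraMtaSmtpdTlsMandatoryProtocols; do
        new=$(add_no_tlsv1 "$(current_value "$attr")")
        zmprov mcf "$attr" "$new"
        echo "$attr set to: $new"
    done
    zmmtactl restart
}

# Verify: a client offering only TLSv1 must now be refused on port 465.
# Caveat: on an OpenSSL build with TLSv1 disabled client-side the handshake
# fails regardless, so first confirm the client can still offer -tls1.
check_port() {
    local host="${1:-localhost}"
    if openssl s_client -connect "$host:465" -tls1 </dev/null >/dev/null 2>&1; then
        echo "TLSv1 still accepted on $host:465"; return 1
    fi
    echo "TLSv1 refused on $host:465"
}

case "${1:-}" in
    apply) apply ;;
    check) check_port "${2:-localhost}" ;;
esac
```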
How to get rid of TLSv1
Re: How to get rid of TLSv1
e-d-i-t wrote: So I have TLSv1 disabled, but my monitoring software finds a weakness in submission port 465, which still accepts TLSv1.
Port 465 is not the correct Submission port, it was deprecated a long time ago and the correct one to use is Port 587.
Re: How to get rid of TLSv1
Well, after installing 8.8 and now on 8.8.8 it is still active…
From all I can read, this should be gone by upgrading?...
I see a lot of documents where I cannot figure out if it is old or recent...
587 is also active although I don't see it mentioned in the master.cf
I do see:
465 inet n - n - - smtpd
But deactivating it will give problems.
Re: How to get rid of TLSv1
When you say: e-d-i-t wrote: "but my monitoring software" do you mean something on a LAN or an external scanner? Did you restart the proxy after modifying the settings and does the https://www.ssllabs.com/ssltest/ scan give you a clean bill of health?
Re: How to get rid of TLSv1
A restart of services or even of the entire server is always done with these changes.
External won't give me results (I have no access on 465 by firewall policy)
So it is not really an important thing right now, but I would like to kill port 465 anyway internally.