qualys scan presents vulnerabilities zimbra 8.8.6_GA_1906.RHEL7_64_20171130041047

efonseca
Posts: 24
Joined: Wed Apr 27, 2016 8:56 pm


Post by efonseca »

Good day:

We ran a scan with the company Qualys against our Zimbra server, Release 8.8.6_GA_1906.RHEL7_64_20171130041047 RHEL7_64 FOSS edition. It reports the following vulnerabilities:

SSL Server Allows Anonymous Authentication Vulnerability port:465,25
SSL/TLS Server supports TLSv1.0 port:443,465,995
SSL/TLS Server supports TLSv1.0 port: 25,110
SSL/TLS use of weak RC4(Arcfour) cipher port: 25,465

I have applied the following commands, but the scan still shows the vulnerabilities:

1
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA

2
zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'

3
postconf -e smtpd_tls_protocols='!TLSv1.2'

4
zmlocalconfig -e postfix_smtp_sasl_security_options=noanonymous
zmprov ms <server> zimbraMtaSmtpSaslSecurityOptions noanonymous

5
zmprov mcf zimbraMtaSmtpdTlsProtocols '!TLSv1.2'

6

This is a sample from Zenmap:

465/tcp open smtps
| smtp-vuln-cve2010-4344:
|_ The SMTP server is not Exim: NOT VULNERABLE
| ssl-dh-params:
| VULNERABLE:
| Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
| State: VULNERABLE
| Transport Layer Security (TLS) services that use anonymous
| Diffie-Hellman key exchange only provide protection against passive
| eavesdropping, and are vulnerable to active man-in-the-middle attacks
| which could completely compromise the confidentiality and integrity
| of any data exchanged over the resulting session.
| Check results:
| ANONYMOUS DH GROUP 1
| Cipher Suite: TLS_DH_anon_WITH_SEED_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 3072
| Generator Length: 8
| Public Key Length: 3072
| References:
|_ https://www.ietf.org/rfc/rfc2246.txt
|_sslv2-drown:

Please share your comments.
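A way to sanity-check the two settings above before re-running the scan, as an added example that is not part of the post or of Zimbra's own tooling: it models Postfix's exclusion-list syntax for smtpd_tls_protocols (the value '!TLSv1.2' used in steps 3 and 5 excludes only TLSv1.2 and so leaves SSLv3, TLSv1.0 and TLSv1.1 enabled, which is consistent with the scanner still flagging TLSv1.0 on port 25) and expands the step-2 cipher string with the local OpenSSL library to confirm that no anonymous (ADH/AECDH) or RC4 suites remain. It assumes Python 3 with the ssl module; the protocol model is a simplification of Postfix's documented rules and does not handle the '>=TLSv1.2' form of newer Postfix releases.

```python
import ssl

# Protocol names Postfix accepts in smtpd_tls_protocols, oldest to newest.
POSTFIX_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")

# The cipher string from step 2 of the post, copied verbatim.
STEP2_CIPHERS = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
                 "ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:"
                 "kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
                 "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
                 "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:"
                 "DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
                 "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:"
                 "!MD5:!PSK:!RC4")


def effective_protocols(spec):
    """Return the protocols Postfix would leave enabled for a smtpd_tls_protocols value.
    Simplified model of the documented rules: names prefixed with '!' are excluded;
    if any name appears without '!', only those names are the starting set;
    otherwise every protocol is the starting set. Exclusions always win."""
    tokens = spec.replace(",", " ").split()
    included = {t for t in tokens if not t.startswith("!")}
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    base = included if included else set(POSTFIX_PROTOCOLS)
    return [p for p in POSTFIX_PROTOCOLS if p in base and p not in excluded]


def weak_protocols(spec):
    """Protocols older than TLSv1.2 that the value still leaves enabled."""
    return [p for p in effective_protocols(spec) if p in LEGACY_PROTOCOLS]


def weak_ciphers(cipher_string):
    """Expand an OpenSSL cipher string with the local library and return the
    names of anonymous (ADH/AECDH) or RC4 suites it still selects. Matching on
    the suite name is a heuristic that covers OpenSSL's naming of those suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # nothing in the local library matches the string at all
    names = [c["name"] for c in ctx.get_ciphers()]
    return [n for n in names if "ADH" in n or "AECDH" in n or "RC4" in n]


if __name__ == "__main__":
    for spec in ("!TLSv1.2", "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1"):
        print(spec, "->", effective_protocols(spec), "legacy still on:", weak_protocols(spec))
    print("weak suites selected by the step-2 string:", weak_ciphers(STEP2_CIPHERS))
```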