Mozilla Observatory vs. Zimbra — security problems revealed

ExTechOp
Posts: 27
Joined: Wed Jan 25, 2017 2:17 pm

Mozilla Observatory vs. Zimbra — security problems revealed

Post by ExTechOp »

The Mozilla Observatory gives our Zimbra installation a C rating, mainly because of missing security headers. Can we expect to have these security problems (some fairly important, some not so, but all should be easy to implement) corrected in the next Zimbra release?
  • Content Security Policy (-25): Content Security Policy (CSP) header not implemented
  • Cookies (-5): Cookies set without using the Secure flag, but transmission over HTTP prevented by HSTS
  • X-Content-Type-Options (-5): X-Content-Type-Options header not implemented
  • X-XSS-Protection (-10): X-XSS-Protection header not implemented
  • Content-Security-Policy: Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.
  • Public-Key-Pins: HTTP Public Key Pinning protects your site from MiTM attacks using rogue X.509 certificates. By whitelisting only the identities that the browser should trust, your users are protected in the event a certificate authority is compromised.
  • X-XSS-Protection: X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers. Recommended value "X-XSS-Protection: 1; mode=block".
  • X-Content-Type-Options: X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is "X-Content-Type-Options: nosniff".
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Mozilla Observatory vs. Zimbra — security problems revealed

Post by phoenix »

ExTechOp wrote:
The Mozilla Observatory gives our Zimbra installation a C rating, mainly because of missing security headers. Can we expect to have these security problems (some fairly important, some not so, but all should be easy to implement) corrected in the next Zimbra release?
You've posted this in the Zimbra Desktop forum; is that the product you're talking about, or is it ZCS?

These are only Community forums, not official Zimbra Support. If you want to report a problem of any sort within ZCS you should file a report in bugzilla or, if you're an NE customer, raise a support case.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
ExTechOp
Posts: 27
Joined: Wed Jan 25, 2017 2:17 pm

Re: Mozilla Observatory vs. Zimbra — security problems revealed

Post by ExTechOp »

phoenix wrote:
You've posted this in the Zimbra Desktop forum; is that the product you're talking about, or is it ZCS?
Pardon me, I was aiming at "General Questions" and hit Zimbra Desktop :oops:
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Mozilla Observatory vs. Zimbra — security problems revealed

Post by phoenix »

ExTechOp wrote:
phoenix wrote:
You've posted this in the Zimbra Desktop forum; is that the product you're talking about, or is it ZCS?
Pardon me, I was aiming at "General Questions" and hit Zimbra Desktop :oops:
That's OK, but don't post duplicates; I'll move this to the correct forum and remove the other post. As I mentioned earlier, bugzilla or, if you're a customer, Zimbra support would be the best place to post your concerns. These are only Community Support forums, not official Zimbra Support.
Regards

Bill

ExTechOp
Posts: 27
Joined: Wed Jan 25, 2017 2:17 pm

Re: Mozilla Observatory vs. Zimbra — security problems revealed

Post by ExTechOp »

ExTechOp wrote:
Pardon me, I was aiming at "General Questions" and hit Zimbra Desktop :oops:
Feel free to delete this chain, I've re-asked this question in the appropriate forum.
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Re: Mozilla Observatory vs. Zimbra — security problems revealed

Post by jorgedlcruz »

Which Zimbra Collaboration version are you using?

Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
ExTechOp
Posts: 27
Joined: Wed Jan 25, 2017 2:17 pm

Re: Mozilla Observatory vs. Zimbra — security problems revealed

Post by ExTechOp »

jorgedlcruz wrote:
Which Zimbra Collaboration version are you using?
The web client gives me version Zimbra 8.7.0_GA_1659 (build 20160628192634)

I could insert here a snide remark that there isn't much collaboration left once Zimbra Talk was made into a separate service, but I won't ;)
ExTechOp
Posts: 27
Joined: Wed Jan 25, 2017 2:17 pm

Re: Mozilla Observatory vs. Zimbra — security problems revealed

Post by ExTechOp »

ExTechOp wrote:
jorgedlcruz wrote:
Which Zimbra Collaboration version are you using?
The web client gives me version Zimbra 8.7.0_GA_1659 (build 20160628192634)
We've since upgraded to Zimbra 8.7.3_GA_1750 (build 20170215042321).

Any word on this?
ExTechOp
Posts: 27
Joined: Wed Jan 25, 2017 2:17 pm

Re: Mozilla Observatory vs. Zimbra — security problems revealed

Post by ExTechOp »

ExTechOp wrote:
We've since upgraded to Zimbra 8.7.3_GA_1750 (build 20170215042321).
Currently, we get a security rating of B (70/100) from Observatory by tweaking the ciphers and adding the following extra response headers:

$ zmprov gcf zimbraResponseHeader
zimbraResponseHeader: Strict-Transport-Security: max-age=31536000
zimbraResponseHeader: X-XSS-Protection: 1; mode=block
zimbraResponseHeader: X-Content-Type-Options: nosniff
Will try to keep you posted on what else we add. It'd be nice for Zimbra to deliver all this ready-made :roll:
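As an added illustration (not code from the thread or from Zimbra), the following script parses `zmprov gcf zimbraResponseHeader` output like the listing above and re-applies the four findings and deductions from the first post to it; it is a simplified re-statement of those findings, not the Observatory's own scorer, and the cookie value is a constructed sample. With the three headers shown and a cookie lacking the Secure attribute it lands on 70, the B score reported above, with CSP as the remaining large deduction.

```python
import re

# Constructed sample, modelled on the `zmprov gcf zimbraResponseHeader` output
# quoted above (the three headers ExTechOp added).
ZMPROV_OUTPUT = """\
zimbraResponseHeader: Strict-Transport-Security: max-age=31536000
zimbraResponseHeader: X-XSS-Protection: 1; mode=block
zimbraResponseHeader: X-Content-Type-Options: nosniff
"""
# Constructed Set-Cookie value standing in for a session cookie that lacks Secure.
SAMPLE_COOKIES = ["session=abc123; Path=/; HttpOnly"]


def parse_zmprov_headers(text):
    """Map `zmprov gcf zimbraResponseHeader` output to {lower-cased name: value}."""
    headers = {}
    for line in text.splitlines():
        m = re.match(r"zimbraResponseHeader:\s*([^:]+):\s*(.*)$", line)
        if m:
            headers[m.group(1).strip().lower()] = m.group(2).strip()
    return headers


def audit(headers, cookies=()):
    """Apply the four findings and deductions from the first post to a header map.

    A simplified re-statement of those findings, not the Observatory's own scorer.
    Returns (score, list_of_findings)."""
    score, findings = 100, []
    if "content-security-policy" not in headers:
        score -= 25
        findings.append("Content Security Policy (CSP) header not implemented")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        score -= 5
        findings.append("X-Content-Type-Options header not implemented")
    if headers.get("x-xss-protection", "").replace(" ", "").lower() != "1;mode=block":
        score -= 10
        findings.append("X-XSS-Protection header not implemented")
    # One -5 if any cookie lacks the Secure attribute; HSTS limits the exposure.
    hsts = "strict-transport-security" in headers
    for raw in cookies:
        attrs = {a.strip().lower() for a in raw.split(";")[1:]}
        if "secure" not in attrs:
            score -= 5
            findings.append("Cookies set without using the Secure flag"
                            + (", but transmission over HTTP prevented by HSTS" if hsts else ""))
            break
    return score, findings
```

Feeding the real `zmprov gcf zimbraResponseHeader` output and the `Set-Cookie` values from a live response (for example captured with `curl -I`) into `audit()` shows which of the listed deductions still apply after a change.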
ExTechOp
Posts: 27
Joined: Wed Jan 25, 2017 2:17 pm

Re: Mozilla Observatory vs. Zimbra — security problems revealed

Post by ExTechOp »

ExTechOp wrote:
Currently, we get a security rating of B (70/100) from Observatory by tweaking the ciphers and adding the following extra response headers:

$ zmprov gcf zimbraResponseHeader
zimbraResponseHeader: Strict-Transport-Security: max-age=31536000
zimbraResponseHeader: X-XSS-Protection: 1; mode=block
zimbraResponseHeader: X-Content-Type-Options: nosniff
Will try to keep you posted on what else we add. It'd be nice for Zimbra to deliver all this ready-made :roll:
Here's what we did with TLS and ciphers to get a good rating with the SSL-based tests but still keep older Androids and Apple products working:

$ zmprov gcf zimbraMtaSmtpdTlsProtocols
zimbraMtaSmtpdTlsProtocols: !SSLv2
$ zmprov gcf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_RC4_128_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_RC4_128_SHA
zimbraSSLExcludeCipherSuites: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: TLS_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: TLS_RSA_WITH_RC4_128_MD5
zimbraSSLExcludeCipherSuites: SSL_FORTEZZA_KEA_WITH_RC4_128_SHA
zimbraSSLExcludeCipherSuites: SSL_DH_anon_WITH_RC4_128_MD5
zimbraSSLExcludeCipherSuites: TLS_RSA_WITH_RC4_128_SHA
zimbraSSLExcludeCipherSuites: TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: TLS_DH_anon_WITH_RC4_128_MD5
zimbraSSLExcludeCipherSuites: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
zimbraSSLExcludeCipherSuites: TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA
zimbraSSLExcludeCipherSuites: TLS_DHE_DSS_WITH_RC4_128_SHA
zimbraSSLExcludeCipherSuites: TLS_ECDH_RSA_WITH_RC4_128_SHA
zimbraSSLExcludeCipherSuites: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
zimbraSSLExcludeCipherSuites: TLS_ECDHE_RSA_WITH_RC4_128_SHA
zimbraSSLExcludeCipherSuites: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
zimbraSSLExcludeCipherSuites: TLS_ECDH_anon_WITH_RC4_128_SHA
zimbraSSLExcludeCipherSuites: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_RSA_WITH_3DES_EDE_CBC_SHA
$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!MEDIUM:!LOW:!DES:!MD5:!PSK:!RC4